.NET Core IdentityServer4 over HTTPS

A .NET Core project had IdentityServer4 integrated. Initially it ran over HTTP, and both obtaining a token and authorized access to the API worked fine. Later, after Kestrel was configured to serve the API over HTTPS, a number of problems appeared.

  1. System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure
  2. SSL connection could not be established(The remote certificate is invalid according to the validation procedure)
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

These errors are clearly related to the SSL certificate. After investigation it turned out that the IdentityServer4 configuration used an IP:PORT form for the authority address, while the SSL certificate had been issued for a domain name. The host in the URL therefore did not match the name on the certificate, and certificate validation failed.

Solution: configure the authority address in domain:port form, which completely resolved the problems above. Note that the domain must be the one the SSL certificate was issued for.

The relevant configuration, shown as an example:

Program.cs

using System.IO;
using System.Net;
using Microsoft.AspNetCore.Hosting;

public static void Main(string[] args)
{
    ...
    ...

    var host = new WebHostBuilder()
        .UseKestrel()
        .UseContentRoot(Directory.GetCurrentDirectory())
        .UseIISIntegration()
        .UseStartup<Startup>()
        .ConfigureKestrel((context, options) =>
        {
            // Listen on all interfaces on port 9999 over HTTPS.
            // "SSL證書" is the certificate file (.pfx) path and "SSL證書密碼" its password;
            // the certificate must be issued for the domain used in Authority / PublicOrigin.
            options.Listen(IPAddress.Any, 9999, listenOptions =>
            {
                listenOptions.UseHttps("SSL證書", "SSL證書密碼");
            });
        })
        .Build();

    ...
    ...
}

Startup.cs

using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public IServiceProvider ConfigureServices(IServiceCollection services)
{
    ...
    ...

    // Config IdentityServer4
    services.AddIdentityServer(options =>
    {
        // Use the domain the SSL certificate was issued for, not IP:PORT.
        options.PublicOrigin = "https://www.xxx.cn:9999";
    })
        // Development-only signing key; use a persistent signing certificate in production.
        .AddDeveloperSigningCredential()
        .AddInMemoryApiResources(GetApiResources())
        .AddInMemoryIdentityResources(GetIdentityResources())
        .AddInMemoryClients(GetClients())
        .AddResourceOwnerValidator<LoginValidator>()
        .AddProfileService<ProfileService>();

    // Configure IdentityServer4 Authority. Token validation fetches the discovery
    // document from this URL over HTTPS, so its host must match the certificate name.
    services.AddAuthorization();
    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://www.xxx.cn:9999";
            //options.Authority = "https://localhost:9999";
            options.ApiName = "api";
        });

    ...
    ...
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    ...
    ...

    // Add IdentityServer to the pipeline
    app.UseIdentityServer();

    ...
    ...
}
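As an added example (not code from the original post), a start-up pre-flight check that loads the Kestrel certificate with the same path and password passed to UseHttps and verifies that the host of the Authority URL is one of the certificate's DNS names; for the IP:PORT form it returns false, which is the mismatch behind the errors above. CertificateNameCheck and its methods are hypothetical names, and the SAN parsing depends on the platform-specific output of X509Extension.Format.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
// Hypothetical helper (added example): compare the Authority URL host with the DNS names in the certificate given to UseHttps.
public static class CertificateNameCheck
{
    // True when the CN or a subjectAltName dNSName covers the host in authorityUrl, e.g. "https://www.xxx.cn:9999".
    public static bool AuthorityMatchesCertificate(string authorityUrl, string certPath, string certPassword)
    {
        var host = new Uri(authorityUrl).Host;
        using (var cert = new X509Certificate2(certPath, certPassword))
        {
            foreach (var name in DnsNames(cert))
                if (HostMatches(name, host)) return true;
        }
        // An IP literal or an unlisted name ends here: the mismatch behind "The remote certificate is invalid".
        return false;
    }

    // CN plus every dNSName from the subjectAltName extension (OID 2.5.29.17).
    static IEnumerable<string> DnsNames(X509Certificate2 cert)
    {
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var cn = cert.GetNameInfo(X509NameType.DnsName, false);
        if (!string.IsNullOrEmpty(cn)) names.Add(cn);
        foreach (var ext in cert.Extensions)
        {
            if (ext.Oid.Value != "2.5.29.17") continue;
            // Format() output is platform dependent: "DNS Name=a, DNS Name=b" on Windows,
            // "DNS:a, DNS:b" on Linux/OpenSSL; accept both spellings.
            foreach (var part in ext.Format(false).Split(new[] { ',', '\n' }, StringSplitOptions.RemoveEmptyEntries))
            {
                var sep = part.IndexOfAny(new[] { '=', ':' });
                if (sep < 0) continue;
                var label = part.Substring(0, sep).Trim();
                if (label.Equals("DNS Name", StringComparison.OrdinalIgnoreCase) || label.Equals("DNS", StringComparison.OrdinalIgnoreCase))
                    names.Add(part.Substring(sep + 1).Trim());
            }
        }
        return names;
    }
    // Exact match, or a single leading "*." wildcard covering exactly one label (RFC 6125 style).
    static bool HostMatches(string pattern, string host)
    {
        if (pattern.Equals(host, StringComparison.OrdinalIgnoreCase)) return true;
        if (!pattern.StartsWith("*.")) return false;
        var dot = host.IndexOf('.');
        return dot > 0 && host.Substring(dot).Equals(pattern.Substring(1), StringComparison.OrdinalIgnoreCase);
    }
}
```

Call it from Main before Build() with the Authority value from Startup.cs and the certificate path and password passed to UseHttps, and fail fast when it returns false instead of discovering the mismatch on the first token request.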
