A .NET Core project had IdentityServer4 integrated. Initially everything ran over http, and both obtaining a token and authorized API access worked fine. Later, after Kestrel was configured in .NET Core to serve the API over https, various problems appeared:
- System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure
- SSL connection could not be established(The remote certificate is invalid according to the validation procedure)
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
These errors are clearly related to the SSL certificate. On investigation it turned out that the IdentityServer4 configuration specified the authority address in the form IP:PORT, whereas the SSL certificate had been issued for a domain name, so the certificate's hostname check could not pass.
Solution: configure the authority address in the form domain:port, which completely resolves the problems above. Note that the domain must be the one the SSL certificate was issued for.
The relevant configuration parameters are shown in the following example:
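To make the cause concrete, here is an added example (not code from the original post) that reproduces the hostname check the .NET HttpClient performs when it fetches the discovery document: the host part of `options.Authority` is matched against the certificate's Subject Alternative Names. The SAN list and the IP address 203.0.113.10 are constructed sample values.

```python
"""Check whether the host in an IdentityServer4 Authority URL would pass
certificate hostname validation against the certificate's SAN entries."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName match; a single leftmost '*' label is a wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and must not be the whole domain.
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def authority_matches_cert(authority: str, san: list[tuple[str, str]]) -> bool:
    """Return True if the host of `authority` matches one of the SAN entries.

    `san` is a list of (kind, value) pairs as OpenSSL and .NET display them,
    e.g. ("DNS", "www.xxx.cn") or ("IP Address", "203.0.113.10").
    """
    host = urlsplit(authority).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SANs, never with
        # dNSName SANs, which is why https://IP:PORT fails for a domain cert.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == "DNS" and _dns_match(value, host) for kind, value in san)


# Constructed sample: SAN list of a certificate issued for the site's domain.
DOMAIN_CERT_SAN = [("DNS", "www.xxx.cn"), ("DNS", "xxx.cn")]

if __name__ == "__main__":
    for authority in ("https://203.0.113.10:9999", "https://www.xxx.cn:9999",
                      "https://localhost:9999"):
        ok = authority_matches_cert(authority, DOMAIN_CERT_SAN)
        print(authority, "->", "ok" if ok else "remote certificate is invalid")
```

Only the domain form of the Authority passes; the IP form and localhost both fail, which is exactly the IDX20804 / "remote certificate is invalid" error in the trace above.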
Program.cs
public static void Main(string[] args)
{
    ...
    ...
    var host = new WebHostBuilder()
        .UseKestrel()
        .UseContentRoot(Directory.GetCurrentDirectory())
        .UseIISIntegration()
        .UseStartup<Startup>()
        .ConfigureKestrel((context, options) =>
        {
            // Listen on port 9999 with TLS; the arguments are the certificate
            // file and its password (placeholders here).
            options.Listen(IPAddress.Any, 9999, listenOptions =>
            {
                listenOptions.UseHttps("SSL證書", "SSL證書密碼");
            });
        })
        .Build();
    ...
    ...
}
Startup.cs
public IServiceProvider ConfigureServices(IServiceCollection services)
{
    ...
    ...
    // Config IdentityServer4
    services.AddIdentityServer(options =>
    {
        options.PublicOrigin = "https://www.xxx.cn:9999";
    })
    .AddDeveloperSigningCredential()
    .AddInMemoryApiResources(GetApiResources())
    .AddInMemoryIdentityResources(GetIdentityResources())
    .AddInMemoryClients(GetClients())
    .AddResourceOwnerValidator<LoginValidator>()
    .AddProfileService<ProfileService>();

    // Configure IdentityServer4 Authority (domain:port, matching the certificate)
    services.AddAuthorization();
    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://www.xxx.cn:9999";
            //options.Authority = "https://localhost:9999";
            options.ApiName = "api";
        });
    ...
    ...
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    ...
    ...
    // Add IdentityServer to the pipeline
    app.UseIdentityServer();
    ...
    ...
}