无法对身份服务器 SSL 握手错误进行身份验证

Question

背景。我需要让我的网站通过 IdentityServer (IDS) 进行身份验证。 “example.com”

我正在使用 DotNetCore 构建我的所有网站 使用 apache 将它们托管在代理服务器上，让我们调用私有 ip 12.3.4.5。

他们应该如何工作。我去站点 example.com 我应该能够与 ids.exampe.com 交谈以获取身份验证信息，然后使用身份验证令牌重新路由回 example.com。相反，我收到 SSL 握手错误。见下文。

我特意寻求帮助，让网站相互信任。

但是，如果我尝试通过直接访问 IDS 站点进行身份验证，没问题！！金的！如您所见，只有当我尝试在站点之间进行通信时才会遇到此问题。

An unhandled exception occurred while processing the request.
OpenSslCryptographicException: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure
Unknown location

SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int 
recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)

AuthenticationException: Authentication failed, see inner exception.
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken 
message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo 
exception)

HttpRequestException: The SSL connection could not be established, see 
inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream 
stream, SslClientAuthenticationOptions sslOptions, CancellationToken 
cancellationToken)

IOException: IDX20804: Unable to retrieve document from: 
'https://ids.example.com/.well-known/openid-


 configuration'.Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocu 
mentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: 
'https://ids.example.com/.well-known/openid-configuration'.

Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsyn c(CancellationToken 取消)

httpd.conf ::

# 服务器根目录“/etc/httpd” LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:*>
  RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
</VirtualHost>


<VirtualHost *:443>
 ServerName ids.example.com
 SSLEngine on
 SSLProxyEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
 SSLProxyVerify none 
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off

 SSLProxyCheckPeerExpire off

 SSLCertificateKeyFile /etc/httpd/ssl/example.key 
 SSLCertificateFile    /etc/httpd/ssl/example.crt
 SSLVerifyClient require
 SSLVerifyDepth 10
 SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 ProxyPreserveHost on

 ProxyPass                   /       http://x.x.x.x:5008/
 ProxyPassReverse         /       http://x.x.x.x:5008/

</VirtualHost>



 # Main Site VirtualHost
<VirtualHost *:443>
 ServerName example.com
# SSL settings
 SSLEngine on
 SSLProxyEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
 SSLProxyVerify none 
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off
 SSLCertificateKeyFile /etc/httpd/ssl/example.key
 SSLCertificateFile    /etc/httpd/ssl/example.crt
# Client Verification
 SSLVerifyClient require
 SSLVerifyDepth 10
 SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
 RequestHeader set X-ARR-ClientCert "%{SSL_CLIENT_S_DN}s"
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Redirects
 ProxyPreserveHost on
 ProxyPass                /       http://x.x.x.x:5022/
 ProxyPassReverse         /       http://x.x.x.x:5022/
</VirtualHost>

Answer 1

错误在 http.conf 文件中

我应该使用 SSLCACertificateFile 指令 SSLCACertificatePath 指令...

基本上发生的事情是我可以使用 DOD CAC pki 进行身份验证，但是一旦 dot.net 核心应用程序尝试从一个服务器发送到另一个服务器，它就会出现握手错误，因为这些站点使用的是自签名证书。我的证书一直都在正确的位置，但是它不信任它，因为 SSLCACertificateFile 指令说只信任这个，而不是信任这个目录中的所有内容。

Also my network guy recomends that in the future, it's a best practice to use the 
SSLCAcertificateFile, but to then combine your certs into one.

我真的希望这能拯救别人我刚刚经历的事情......我已经解决这个问题了 40 个小时左右。从配置文件到代码库更改来回切换......