C# grpc 服务器端唯一证书
C# grpc server-side only certificate
有人知道如何配置 grpc 以使用仅服务器端证书(而不是默认开发证书)的示例吗?
所以没有客户端证书,只有一个服务器端证书来加密通道。
我创建了一个自签名 pfx 并将其导入到受信任的根证书颁发机构。
目前使用以下配置:
// Kestrel HTTPS defaults for the question's server: one-way TLS (the client is never
// asked for a certificate) with the server certificate looked up by thumbprint.
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.ConfigureKestrel(o =>
{
o.ConfigureHttpsDefaults(x =>
{
// NoCertificate: no mutual TLS; only the server is authenticated and the channel is encrypted.
x.ClientCertificateMode = ClientCertificateMode.NoCertificate;
// GetCertificate is not shown on the page. NOTE(review): the text says the PFX was imported
// into "Trusted Root Certification Authorities" (StoreName.Root), while this looks in
// StoreName.CertificateAuthority (the intermediate CA store) — confirm the store matches
// where the certificate, together with its private key, actually lives.
x.ServerCertificate = GetCertificate(StoreLocation.LocalMachine, StoreName.CertificateAuthority, "<thumbprint>");
});
});
webBuilder.UseStartup<Startup>();
});
"profiles": {
"Aeternum.ServiceHost": {
"commandName": "Project",
"dotnetRunMessages": "true",
"launchBrowser": false,
"applicationUrl": "https://localhost:15425", //the pfx was created for localhost
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
"Kestrel": {
"Url": "https://*:15425",
"EndpointDefaults": {
"Protocols": "Http2"
}
客户端目前这样尝试(我很确定 ChannelCredentials.Insecure 不正确,但我不知道还能怎么做):
// Question's client: a hand-built Grpc.Core channel. NOTE(review): ChannelCredentials.Insecure
// makes the client speak plaintext HTTP/2 to a port Kestrel serves over TLS, which is consistent
// with the "failed to connect to all addresses" status quoted below; server-only TLS on Grpc.Core
// is requested with SslCredentials instead. The host is read from `rootUri` but the port from
// `_rootUri` — presumably the same value; verify the two names refer to the same object.
var channel = new Channel(rootUri.Host, _rootUri.Port, ChannelCredentials.Insecure);
return new AuthServiceV1.AuthServiceV1Client(channel);
目前我在客户端遇到这个异常(没有 ssl 一切似乎都工作正常):
Status(StatusCode="Unavailable", Detail="连接所有地址失败", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1628428855.871000000","description":"选择子通道失败","file":"......\src\core\ext\filters\client_channel\client_channel.cc","file_line":3009,"referenced_errors":[{"created":"@1628428855.871000000","description":"连接所有地址失败","file":"......\src\core\ext\filters\client_channel\lb_policy\pick_first\pick_first.cc","file_line":398,"grpc_status":14}]}")
谢谢。
所以我找到了解决办法。
服务器:
"CertThumbprint": "<certificate thumbprint>",
"Kestrel": {
"EndpointDefaults": {
"Url": "https://*:15425",
"Protocols": "Http2"
}
},
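// Server side of the answer: the certificate thumbprint is read from configuration
// ("CertThumbprint") instead of being hard-coded, and Kestrel is set up for one-way TLS.
.ConfigureWebHostDefaults(webBuilder =>
{
    webBuilder.ConfigureKestrel((context, options) =>
    {
        options.ConfigureHttpsDefaults(x =>
        {
            // Fail fast at startup when the setting is absent; otherwise a null thumbprint
            // would reach GetCertificate (not shown on the page) and fail less clearly.
            var thumbprint = context.Configuration["CertThumbprint"]
                ?? throw new InvalidOperationException("Configuration value 'CertThumbprint' is missing.");
            // NoCertificate: no mutual TLS; only the server is authenticated and the channel is encrypted.
            x.ClientCertificateMode = ClientCertificateMode.NoCertificate;
            // NOTE(review): the question says the PFX was imported into "Trusted Root Certification
            // Authorities" (StoreName.Root); this reads StoreName.CertificateAuthority (intermediate CAs)
            // — confirm the store matches where the certificate and its private key actually live.
            x.ServerCertificate = GetCertificate(StoreLocation.LocalMachine, StoreName.CertificateAuthority, thumbprint);
        });
    });
    webBuilder.UseStartup<Startup>();
});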
在客户端中,不要自己创建通道,而是使用 gRPC 客户端工厂:
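// Client side of the answer: let the gRPC client factory build the channel from an address.
// NOTE(review): with an https:// ServiceUrl the factory-created channel uses TLS with the
// platform's certificate validation — presumably why the self-signed certificate had to be
// trusted on the client machine and must carry the host name used in ServiceUrl; confirm that
// rather than relaxing validation.
services.AddGrpcClient<AuthServiceV1.AuthServiceV1Client>((sp, o) =>
{
    var configuration = sp.GetRequiredService<IConfiguration>();
    // Fail fast with a clear message when the setting is absent instead of letting
    // new Uri(null) throw an ArgumentNullException from inside the factory callback.
    var serviceUrl = configuration["ServiceUrl"]
        ?? throw new InvalidOperationException("Configuration value 'ServiceUrl' is missing.");
    o.Address = new Uri(serviceUrl);
})
.AddInterceptor<ClientInterceptor>();
services.AddTransient<AuthService>();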
最后是服务类本身:
/// <summary>
/// Thin wrapper around the generated <see cref="AuthServiceV1.AuthServiceV1Client"/>. The client is
/// injected by the container (registered with AddGrpcClient on this page), so this class never
/// builds a channel or chooses credentials itself.
/// </summary>
public class AuthService
{
/// <param name="client">Factory-created gRPC client supplied by dependency injection.</param>
public AuthService(AuthServiceV1.AuthServiceV1Client client)
{
_client = client;
}
private readonly AuthServiceV1.AuthServiceV1Client _client;
// Remaining members are elided on the page.
...
}
}
有人知道如何配置 grpc 以使用仅服务器端证书(而不是默认开发证书)的示例吗? 所以没有客户端证书,只有一个服务器端证书来加密通道。
我创建了一个自签名 pfx 并将其导入到受信任的根证书颁发机构。目前使用以下配置:
// Kestrel HTTPS defaults for the question's server: one-way TLS (the client is never
// asked for a certificate) with the server certificate looked up by thumbprint.
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.ConfigureKestrel(o =>
{
o.ConfigureHttpsDefaults(x =>
{
// NoCertificate: no mutual TLS; only the server is authenticated and the channel is encrypted.
x.ClientCertificateMode = ClientCertificateMode.NoCertificate;
// GetCertificate is not shown on the page. NOTE(review): the text says the PFX was imported
// into "Trusted Root Certification Authorities" (StoreName.Root), while this looks in
// StoreName.CertificateAuthority (the intermediate CA store) — confirm the store matches
// where the certificate, together with its private key, actually lives.
x.ServerCertificate = GetCertificate(StoreLocation.LocalMachine, StoreName.CertificateAuthority, "<thumbprint>");
});
});
webBuilder.UseStartup<Startup>();
});
"profiles": {
"Aeternum.ServiceHost": {
"commandName": "Project",
"dotnetRunMessages": "true",
"launchBrowser": false,
"applicationUrl": "https://localhost:15425", //the pfx was created for localhost
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
"Kestrel": {
"Url": "https://*:15425",
"EndpointDefaults": {
"Protocols": "Http2"
}
客户端目前这样尝试(我很确定 ChannelCredentials.Insecure 不正确,但我不知道还能怎么做):
// Question's client: a hand-built Grpc.Core channel. NOTE(review): ChannelCredentials.Insecure
// makes the client speak plaintext HTTP/2 to a port Kestrel serves over TLS, which is consistent
// with the "failed to connect to all addresses" status quoted below; server-only TLS on Grpc.Core
// is requested with SslCredentials instead. The host is read from `rootUri` but the port from
// `_rootUri` — presumably the same value; verify the two names refer to the same object.
var channel = new Channel(rootUri.Host, _rootUri.Port, ChannelCredentials.Insecure);
return new AuthServiceV1.AuthServiceV1Client(channel);
目前我在客户端遇到这个异常(没有 ssl 一切似乎都工作正常):
Status(StatusCode="Unavailable", Detail="连接所有地址失败", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1628428855.871000000","description":"选择子通道失败","file":"......\src\core\ext\filters\client_channel\client_channel.cc","file_line":3009,"referenced_errors":[{"created":"@1628428855.871000000","description":"连接所有地址失败","file":"......\src\core\ext\filters\client_channel\lb_policy\pick_first\pick_first.cc","file_line":398,"grpc_status":14}]}")
谢谢。
所以我找到了解决办法。
服务器:
"CertThumbprint": "<certificate thumbprint>",
"Kestrel": {
"EndpointDefaults": {
"Url": "https://*:15425",
"Protocols": "Http2"
}
},
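// Server side of the answer: the certificate thumbprint is read from configuration
// ("CertThumbprint") instead of being hard-coded, and Kestrel is set up for one-way TLS.
.ConfigureWebHostDefaults(webBuilder =>
{
    webBuilder.ConfigureKestrel((context, options) =>
    {
        options.ConfigureHttpsDefaults(x =>
        {
            // Fail fast at startup when the setting is absent; otherwise a null thumbprint
            // would reach GetCertificate (not shown on the page) and fail less clearly.
            var thumbprint = context.Configuration["CertThumbprint"]
                ?? throw new InvalidOperationException("Configuration value 'CertThumbprint' is missing.");
            // NoCertificate: no mutual TLS; only the server is authenticated and the channel is encrypted.
            x.ClientCertificateMode = ClientCertificateMode.NoCertificate;
            // NOTE(review): the question says the PFX was imported into "Trusted Root Certification
            // Authorities" (StoreName.Root); this reads StoreName.CertificateAuthority (intermediate CAs)
            // — confirm the store matches where the certificate and its private key actually live.
            x.ServerCertificate = GetCertificate(StoreLocation.LocalMachine, StoreName.CertificateAuthority, thumbprint);
        });
    });
    webBuilder.UseStartup<Startup>();
});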
在客户端中,不要自己创建通道,而是使用 gRPC 客户端工厂:
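// Client side of the answer: let the gRPC client factory build the channel from an address.
// NOTE(review): with an https:// ServiceUrl the factory-created channel uses TLS with the
// platform's certificate validation — presumably why the self-signed certificate had to be
// trusted on the client machine and must carry the host name used in ServiceUrl; confirm that
// rather than relaxing validation.
services.AddGrpcClient<AuthServiceV1.AuthServiceV1Client>((sp, o) =>
{
    var configuration = sp.GetRequiredService<IConfiguration>();
    // Fail fast with a clear message when the setting is absent instead of letting
    // new Uri(null) throw an ArgumentNullException from inside the factory callback.
    var serviceUrl = configuration["ServiceUrl"]
        ?? throw new InvalidOperationException("Configuration value 'ServiceUrl' is missing.");
    o.Address = new Uri(serviceUrl);
})
.AddInterceptor<ClientInterceptor>();
services.AddTransient<AuthService>();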
最后是服务类本身:
/// <summary>
/// Thin wrapper around the generated <see cref="AuthServiceV1.AuthServiceV1Client"/>. The client is
/// injected by the container (registered with AddGrpcClient on this page), so this class never
/// builds a channel or chooses credentials itself.
/// </summary>
public class AuthService
{
/// <param name="client">Factory-created gRPC client supplied by dependency injection.</param>
public AuthService(AuthServiceV1.AuthServiceV1Client client)
{
_client = client;
}
private readonly AuthServiceV1.AuthServiceV1Client _client;
// Remaining members are elided on the page.
...
}
}