Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler 证书验证失败
Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler Certificate validation failed
我在生产验证证书时遇到了一些问题。我有以下设置。 ASP.NET 核心中的 Kestrel Web 服务器实现使用以下
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
{
string pass = @"my_complicated_password";
var cert = new X509Certificate2(@"C:\certs\my_server_cert.pfx", pass);
webBuilder.ConfigureKestrel(o =>
{
o.ConfigureHttpsDefaults(defaults =>
{
defaults.ServerCertificate = cert;
defaults.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
defaults.AllowAnyClientCertificate();
});
});
webBuilder.UseKestrel(options =>
{
options.ListenAnyIP(8384, o =>
{
o.UseHttps();
});
});
webBuilder.UseContentRoot(Directory.GetCurrentDirectory());
webBuilder.UseStartup<Startup>();
});
}
现在,当我在本地 运行 时,我会看到以下内容
warn: Microsoft.AspNetCore.Server.Kestrel[0]
Overriding address(es) 'https://localhost:8384'. Binding to endpoints defined in UseKestrel() instead.
info: Microsoft.Hosting.Lifetime[0]
Now listening on: https://[::]:8384
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
Content root path: C:\location_of_web_app
crit: MyNameSpace.CertificateValidationService[1]
WE ARE IN THE VALIDATE CERT SECTION
crit: MyNameSpace.CertificateValidationService[2]
THE CERT BEING PASSED WAS THE_PERSON```
这是我所期望的。但是,在生产中,我看到以下内容:
info: Microsoft.Hosting.Lifetime[0]
Now listening on: https://[::]:8384
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
Content root path: C:\my_app_location
warn: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[2]
Certificate validation failed, subject was [All the stuff
PartialChain A certificate chain could not be built to a trusted root authority.
RevocationStatusUnknown The revocation function was unable to check revocation for the certificate.
OfflineRevocation The revocation function was unable to check revocation because the revocation server was offline.
我正在尝试确定缺少的步骤是什么,但这有点超出我的专业知识范围
如 Hazrelle 所发,问题是生产服务器上的客户端证书链配置不正确。
我在生产验证证书时遇到了一些问题。我有以下设置。 ASP.NET 核心中的 Kestrel Web 服务器实现使用以下
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
{
string pass = @"my_complicated_password";
var cert = new X509Certificate2(@"C:\certs\my_server_cert.pfx", pass);
webBuilder.ConfigureKestrel(o =>
{
o.ConfigureHttpsDefaults(defaults =>
{
defaults.ServerCertificate = cert;
defaults.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
defaults.AllowAnyClientCertificate();
});
});
webBuilder.UseKestrel(options =>
{
options.ListenAnyIP(8384, o =>
{
o.UseHttps();
});
});
webBuilder.UseContentRoot(Directory.GetCurrentDirectory());
webBuilder.UseStartup<Startup>();
});
}
现在,当我在本地 运行 时,我会看到以下内容
warn: Microsoft.AspNetCore.Server.Kestrel[0]
Overriding address(es) 'https://localhost:8384'. Binding to endpoints defined in UseKestrel() instead.
info: Microsoft.Hosting.Lifetime[0]
Now listening on: https://[::]:8384
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
Content root path: C:\location_of_web_app
crit: MyNameSpace.CertificateValidationService[1]
WE ARE IN THE VALIDATE CERT SECTION
crit: MyNameSpace.CertificateValidationService[2]
THE CERT BEING PASSED WAS THE_PERSON```
这是我所期望的。但是,在生产中,我看到以下内容:
info: Microsoft.Hosting.Lifetime[0]
Now listening on: https://[::]:8384
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
Content root path: C:\my_app_location
warn: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[2]
Certificate validation failed, subject was [All the stuff
PartialChain A certificate chain could not be built to a trusted root authority.
RevocationStatusUnknown The revocation function was unable to check revocation for the certificate.
OfflineRevocation The revocation function was unable to check revocation because the revocation server was offline.
我正在尝试确定缺少的步骤是什么,但这有点超出我的专业知识范围
如 Hazrelle 所发,问题是生产服务器上的客户端证书链配置不正确。