docker 中的 Identityserver 4 compose 根据验证程序,远程证书无效
Identityserver 4 in docker compose The remote certificate is invalid according to the validation procedure
我正在尝试将 IdentityServer 4 配置为在 Docker 中工作,身份服务器容器本身是 运行,但我无法从客户端连接到它。
我的申请包括:
- API
- 客户
- Identityserver4
我的 docker 写的像
services:
client:
image: ${DOCKER_REGISTRY-}client
ports:
- '6001:80'
build:
context: .
dockerfile: UI/client.UI/Dockerfile
depends_on:
- db
identityserver:
image: ${DOCKER_REGISTRY-}identityserver
ports:
- '5001:443'
build:
context: .
dockerfile: Security/IdentityServer/Dockerfile
depends_on:
- db
apiservice:
image: ${DOCKER_REGISTRY-}apiservice
build:
context: .
dockerfile: API/Services/api.Service/Dockerfile
depends_on:
- db
db:
image: "mcr.microsoft.com/mssql/server:2019-latest"
environment:
SA_PASSWORD: "PaSSw0rd"
ACCEPT_EULA: "Y"
MSSQL_PID: Express
ports:
- "1433:1433"
volumes:
- mssql-volume:/var/opt/mssql
networks:
default:
driver: bridge
volumes:
mssql-volume:
我的身份服务器StartUpclass:
public void ConfigureServices(IServiceCollection services)
{
....
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
options.UserInteraction.LoginUrl = "/Account/Login";
options.UserInteraction.LogoutUrl = "/Account/Logout";
options.Authentication = new AuthenticationOptions()
{
CookieLifetime = TimeSpan.FromHours(10), // ID server cookie timeout set to 10 hours
CookieSlidingExpiration = true
};
options.IssuerUri = "https://172.20.16.1:5001";
})
.AddConfigurationStore(options => // this adds the config data from DB (clients, resources)
{
...
})
.AddOperationalStore(options =>// this adds the operational data from DB (codes, tokens, consents)
{
...
})
.AddDeveloperSigningCredential()
.AddAspNetIdentity<ApplicationUser>();
}
我的客户StartUpclass:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultScheme = "cookie";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("cookie")
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://172.20.16.1:5001";
options.RequireHttpsMetadata = false;
options.ClientId = "ClientMVC";
options.ClientSecret = "SuperSecretPassword";
options.SaveTokens = true;
options.ResponseType = "code";
options.UsePkce = true;
options.ResponseMode = "query";
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Clear();
options.Scope.Add("openid");
.. some scopes
});
}
我收到以下错误
AuthenticationException: The remote certificate is invalid according to the validation procedure:
RemoteCertificateNameMismatch, RemoteCertificateChainErrors
System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
HttpRequestException: The SSL connection could not be established, see inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(bool async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
IOException: IDX20804: Unable to retrieve document from: 'System.String'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)
我尝试使用以下命令添加证书
dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\IdentityServer.pfx -p passw0rd!
dotnet dev-certs https --trust
但这会将证书添加到 localhost,这在这种情况下无效。
对此有任何帮助吗?
你不能像这样使用 URL:https://172.20.16.1:5001
HTTPS 需要证书,因此您需要一个域名。当我将 IdentityServer 部署为容器 (Azure Container Registry) 时,我将签名密钥、数据保护密钥和 HTTPS 证书放入 Azure Key Vault。
感谢@Tore 在他的回答中提供的有用提示
我按照以下步骤使身份服务器在 docker
中工作
- 更改
identityserver的配置使其在iis中工作
没有 SSL.
- 然后更改
docker的配置
容器和 docker compose 通过删除任何 SSL 相关
配置。
- 运行 来自
docker compose 的应用程序和
一切正常
- 对
配置以确保这将在生产中更改为
包括
SSL 证书。
我正在尝试将 IdentityServer 4 配置为在 Docker 中工作,身份服务器容器本身是 运行,但我无法从客户端连接到它。
我的申请包括:
- API
- 客户
- Identityserver4
我的 docker 写的像
services:
client:
image: ${DOCKER_REGISTRY-}client
ports:
- '6001:80'
build:
context: .
dockerfile: UI/client.UI/Dockerfile
depends_on:
- db
identityserver:
image: ${DOCKER_REGISTRY-}identityserver
ports:
- '5001:443'
build:
context: .
dockerfile: Security/IdentityServer/Dockerfile
depends_on:
- db
apiservice:
image: ${DOCKER_REGISTRY-}apiservice
build:
context: .
dockerfile: API/Services/api.Service/Dockerfile
depends_on:
- db
db:
image: "mcr.microsoft.com/mssql/server:2019-latest"
environment:
SA_PASSWORD: "PaSSw0rd"
ACCEPT_EULA: "Y"
MSSQL_PID: Express
ports:
- "1433:1433"
volumes:
- mssql-volume:/var/opt/mssql
networks:
default:
driver: bridge
volumes:
mssql-volume:
我的身份服务器StartUpclass:
public void ConfigureServices(IServiceCollection services)
{
....
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
options.UserInteraction.LoginUrl = "/Account/Login";
options.UserInteraction.LogoutUrl = "/Account/Logout";
options.Authentication = new AuthenticationOptions()
{
CookieLifetime = TimeSpan.FromHours(10), // ID server cookie timeout set to 10 hours
CookieSlidingExpiration = true
};
options.IssuerUri = "https://172.20.16.1:5001";
})
.AddConfigurationStore(options => // this adds the config data from DB (clients, resources)
{
...
})
.AddOperationalStore(options =>// this adds the operational data from DB (codes, tokens, consents)
{
...
})
.AddDeveloperSigningCredential()
.AddAspNetIdentity<ApplicationUser>();
}
我的客户StartUpclass:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultScheme = "cookie";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("cookie")
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://172.20.16.1:5001";
options.RequireHttpsMetadata = false;
options.ClientId = "ClientMVC";
options.ClientSecret = "SuperSecretPassword";
options.SaveTokens = true;
options.ResponseType = "code";
options.UsePkce = true;
options.ResponseMode = "query";
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Clear();
options.Scope.Add("openid");
.. some scopes
});
}
我收到以下错误
AuthenticationException: The remote certificate is invalid according to the validation procedure:
RemoteCertificateNameMismatch, RemoteCertificateChainErrors
System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)HttpRequestException: The SSL connection could not be established, see inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(bool async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)IOException: IDX20804: Unable to retrieve document from: 'System.String'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)
我尝试使用以下命令添加证书
dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\IdentityServer.pfx -p passw0rd!
dotnet dev-certs https --trust
但这会将证书添加到 localhost,这在这种情况下无效。
对此有任何帮助吗?
你不能像这样使用 URL:https://172.20.16.1:5001
HTTPS 需要证书,因此您需要一个域名。当我将 IdentityServer 部署为容器 (Azure Container Registry) 时,我将签名密钥、数据保护密钥和 HTTPS 证书放入 Azure Key Vault。
感谢@Tore 在他的回答中提供的有用提示
我按照以下步骤使身份服务器在 docker
中工作- 更改
identityserver的配置使其在iis中工作 没有SSL. - 然后更改
docker的配置 容器和docker compose通过删除任何SSL相关 配置。 - 运行 来自
docker compose的应用程序和 一切正常 - 对
配置以确保这将在生产中更改为
包括
SSL证书。