证书验证失败:验证证书后,客户端证书验证失败 [英] Certificate validation failed: validation of client side certificate fails when the certificate is validated
问题描述
我正在尝试获得相互的客户端认证以在Azure中工作.我正在使用以下配置运行Web应用程序:
I am trying to get mutual client certification to work in Azure. I am running a web app with this configuration:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services
.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate();
services.AddCertificateForwarding(options =>
options.CertificateHeader = "X-ARR-ClientCert");
services.AddHttpClient();
services.AddControllers();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseAuthentication();
app.UseHttpsRedirection();
app.UseRouting();
app.UseCertificateForwarding();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
为此,我添加了扩展名,以便Web应用程序将客户端证书发送到我的应用程序.当我部署它时,这很好.我前面有cloudflare并启用了Origin Pull,并且我可以验证客户端证书是否通过发送.我可以看到,当我尝试直接在azurewebsites.net域上转到Web应用程序时,我的浏览器正在请求证书.如果我尝试浏览Cloudflare,它将显示该网页.我以为这是可行的,但是当我检查日志时,我得到了:
In extension to this, I have added so the web app sends the client certificate through to my app. When I deploy it, it is fine. I have cloudflare in front and have enabled the Origin Pull, and I can validate that the client certificate is sent through. I can see that when I try to go to the web app directly on the azurewebsites.net domain, my browser is asking for a certificate. If I try to go through Cloudflare, it will show the webpage. I thought this was working, but when I check the logs, I get this:
2020-07-02 13:30:52.711 +00:00 [信息] Microsoft.AspNetCore.Hosting.Diagnostics:请求启动HTTP/1.1 GET https://[REMOVED]/api/ping
2020-07-02 13:30:52.711 +00:00 [Information] Microsoft.AspNetCore.Hosting.Diagnostics: Request starting HTTP/1.1 GET https://[REMOVED]/api/ping
2020-07-02 13:30:52.718 +00:00 [Trace] Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware:允许所有主机.
2020-07-02 13:30:52.718 +00:00 [Trace] Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware: All hosts are allowed.
2020-07-02 13:30:53.107 +00:00 [警告] Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler:证书验证失败,主题为OU = Origin Pull,O ="Cloudflare,Inc.,L =旧金山,S =加利福尼亚,C = US.UntrustedRoot证书链已处理但终止于受信任的提供者不信任的根证书.RevocationStatusUnknown吊销功能无法检查证书的吊销.OfflineRevocation吊销服务器处于脱机状态,吊销功能无法检查吊销.
2020-07-02 13:30:53.107 +00:00 [Warning] Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler: Certificate validation failed, the subject was OU=Origin Pull, O="Cloudflare, Inc.", L=San Francisco, S=California, C=US.UntrustedRoot A certificate chain processed but terminated in a root certificate which is not trusted by the trusted provider. RevocationStatusUnknown The revocation function was unable to check revocation for the certificate.OfflineRevocation The revocation function was unable to check revocation because the revocation server was offline.
2020-07-02 13:30:53.107 +00:00 [信息] Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler:证书未通过身份验证.失败消息:客户端证书验证失败.
2020-07-02 13:30:53.107 +00:00 [Information] Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler: Certificate was not authenticated. Failure message: Client certificate failed validation.
2020-07-02 13:30:53.110 +00:00 [Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher:为请求路径'/api/ping'找到1个候选对象
2020-07-02 13:30:53.110 +00:00 [Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher: 1 candidate(s) found for the request path '/api/ping'
看来客户证书不被接受.应该是吗?我的意思是,这是Cloudflare.我在设置中做错了吗?我是否应该在自己的侧面安装一些额外的东西?我在这里浏览了此指南: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls ,它没有提及有关证书额外安装的任何内容.我是否应该在Web应用本身上安装origin-pull-ca.pem?
It looks like the client certificate isn't accepted. Should it be? I mean, it is Cloudflare. Am I doing something wrong in my setup? Should I install something extra on my side? I have looked through this guide here: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls and it doesn't mention anything about extra installation of certificates. Should I maybe install the origin-pull-ca.pem on the web app itself?
当我比较发送给我的证书和origin-pull-ca.pem时,两者不相等:
When I compare the certificate sent to me, with the origin-pull-ca.pem, the two is not equal:
- origin-pull-ca.pem:指纹:1F5BA8DCF83E6453DD75C47780906710901AD641(其他信息:CN = origin-pull.cloudflare.net,S =加利福尼亚,L =旧金山,OU =起源拉,O ="CloudFlare,Inc." ;, C = US)
- 从Cloudflare发送:指纹:A27996CBA564D24731BC76439C48920C1F7D4AA3(其他信息:OU = Origin Pull,O ="Cloudflare,Inc.",L =旧金山,S =加利福尼亚,C =美国)
他们不应该平等吗?
请注意:我不是证书,SSL等方面的专家.我试图在这里学习:)
Please note: I am not an expert into certificates, SSL, etc. I am trying to learn here :)
推荐答案
Exactly same question I asked here https://community.cloudflare.com/t/manual-authenticated-origin-pulls-verification/145614. Dunno why, but A27996CBA564D24731BC76439C48920C1F7D4AA3 it's correct.
使用链更新
public class CloudflareClientCertificateMiddleware
{
private static X509Certificate2 _cloudflareOriginPullCert;
private readonly RequestDelegate _next;
public CloudflareClientCertificateMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task Invoke(HttpContext context)
{
if (_cloudflareOriginPullCert == null)
_cloudflareOriginPullCert = Helpers.CertificateHelper.GetCertificateInSpecifiedStore("origin-pull.cloudflare.net", StoreName.Root, StoreLocation.LocalMachine);
bool isCloudflareCertificate = true;
X509Certificate2 clientCertificate = context.Connection.ClientCertificate;
using (X509Chain chain = new X509Chain())
{
chain.ChainPolicy.ExtraStore.Add(_cloudflareOriginPullCert);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// https://stackoverflow.com/questions/6097671/how-to-verify-x509-cert-without-importing-root-cert (Azure)
//chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
// https://stackoverflow.com/a/7332193
if (clientCertificate == null || chain.Build(clientCertificate) == false)
isCloudflareCertificate = false;
// Make sure we have the same number of elements.
if (isCloudflareCertificate && chain.ChainElements.Count != chain.ChainPolicy.ExtraStore.Count + 1)
isCloudflareCertificate = false;
// Make sure all the thumbprints of the CAs match up.
// The first one should be 'primaryCert', leading up to the root CA.
if (isCloudflareCertificate)
{
for (int i = 1; i < chain.ChainElements.Count; i++)
{
if (chain.ChainElements[i].Certificate.Thumbprint != chain.ChainPolicy.ExtraStore[i - 1].Thumbprint)
isCloudflareCertificate = false;
}
}
}
if (isCloudflareCertificate)
await _next.Invoke(context);
else
context.Response.StatusCode = StatusCodes.Status403Forbidden;
}
}
这篇关于证书验证失败:验证证书后,客户端证书验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
