我有以下场景:
我正在使用 dev-certs https 创建自签名证书作为有效证书。 (有关更多详细信息,请参阅https://learn.microsoft.com/en-us/aspnet/core/security/docker-compose-https?view=aspnetcore-6.0)
我创建了一个 docker compose 文件来使用此配置(简化版本)运行应用程序:
services:
idp:
build: ./Identity
ports:
- "5000:80"
- "7000:443"
environment:
- ASPNETCORE_ENVIRONMENT=Development
- ASPNETCORE_URLS=https://+:443;http://+:80
- ASPNETCORE_HTTPS_PORT=7000
- ASPNETCORE_Kestrel__Certificates__Default__Path=/https/Identity.pfx
- ASPNETCORE_Kestrel__Certificates__Default__Password=<the-identity-password>
- SIGNCRED_PATH=/https/SignCred.pfx #required for Duende IdentityServer to sign tokens
- SIGNCRED_PASS=<another-password>
volumes:
- my_data:/https
networks:
- my_net
cli2:
build: ./Client2
ports:
- "5002:80"
- "7002:443"
environment:
- ASPNETCORE_ENVIRONMENT=Development
- ASPNETCORE_URLS=https://+:443;http://+:80
- ASPNETCORE_HTTPS_PORT=7002
- ASPNETCORE_Kestrel__Certificates__Default__Path=/https/Client2.pfx
- ASPNETCORE_Kestrel__Certificates__Default__Password=<the-client2-password>
- AUTHORITY=https://idp #I think this is the main problem
volumes:
- my_data:/https
networks:
- my_net
volumes:
my_data:
driver: local
driver_opts:
type: none
device: C:\Users\<my-user>\.aspnet\https
o: bind
networks:
my_net:
driver: bridge
当我尝试从 client2 应用程序登录时,出现以下错误:
cli2 | fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
cli2 | An unhandled exception has occurred while executing the request.
cli2 | System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
cli2 | ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
cli2 | ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
cli2 | ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
根据我的理解,使用容器名称“idp”不起作用,因为我创建的自签名证书是针对“localhost”的,所以我无法使用容器名称。但我也无法使用“localhost”,因为它将尝试解析容器内的内部地址,而不是 idp 容器本地主机。
有什么帮助吗?
我为 Docker 主机创建了一个 DNS 名称为 host.docker.internal 的自签名证书,但仍然遇到类似的问题,即客户端应用程序不信任 IdP 的证书。
由于证书链错误,远程证书无效:UntrustedRoot