ids4生产环境部署https openssl(identity server4)
ids4生产环境部署https openssl(identity server4)
发表于2020-09-01
1、生成证书:
需要密码》
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650
或者
不需要密码
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650
2、导出证书未pfx格式
openssl pkcs12 -export -in cert.pem -inkey key.pem -out ids4.pfx
要求输入证书密码(lanhu)
3、使用证书
keyFilePath=“c:\ids4.pfx”
builder.AddSigningCredential(new X509Certificate2(keyFilePath, keyFilePassword));
1、*****************************https-https
客户端应用:
认证中心:
2、************************************http-http
客户端应用:
认证中心:
3、************************************http-https
客户端应用:
认证中心:
有这个提示:
The information you have entered on this page will be sent over an insecure connection and could be read by a third party.
Are you sure you want to send this information?
***************************************************************************************************************************
问题:
集成身份认证数据库时:
"DBConnString": "Data Source=.;Initial Catalog=IdentityServer4;Integrated Security=SSPI;"
用户 'IIS APPPOOL\admin' 登录失败。 原因: 基于令牌的服务器访问验证失败,出现基础结构错误。请检查以前的错误
在IIS管理器中——》应用程序池——》ASP.NETV4.0————》高级设置——》标识——》改为localSystem
证书路径问题:
2020-08-03 14:17:45.049 +08:00 [FTL] Unhandled exception: No signing credential is configured.
System.InvalidOperationException: No signing credential is configured.
at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateCodeAsync(ValidatedAuthorizeRequest request)
at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateHybridFlowResponseAsync(ValidatedAuthorizeRequest request)
at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateResponseAsync(ValidatedAuthorizeRequest request)
at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
at IdentityServer4.Endpoints.AuthorizeCallbackEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Endpoints.AuthorizeCallbackEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
2020-08-03 14:17:45.049 +08:00 [ERR] An unhandled exception has occurred while executing the request.
System.InvalidOperationException: No signing credential is configured.
at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateCodeAsync(ValidatedAuthorizeRequest request)
at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateHybridFlowResponseAsync(ValidatedAuthorizeRequest request)
at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateResponseAsync(ValidatedAuthorizeRequest request)
at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
at IdentityServer4.Endpoints.AuthorizeCallbackEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Endpoints.AuthorizeCallbackEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
at IdentityServer4.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
Host terminated unexpectedly.
证书权限问题:
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: 出现了内部错误。
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
解决办法:(不需要应用标识改为LocalSystem,ApplicationPoolIdentity就行)
1、设置IIS用户和IUser有证书pfx所在目录的权限
2、mmc导入pfx证书,自动类型
3、 引入的时候指定参数
builder.AddSigningCredential(new X509Certificate2(keyFilePath, keyFilePassword, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet));
*******************************************************************************************
初始调用:X509Certificate2 certificate = new X509Certificate2(input.Path, CER_PASSWORD);
相关译文:
MachineKeySet被描述为“私钥存储在本地计算机存储中而不是当前用户存储”。没有标志的默认值是放在用户存储中。
即使您正在从磁盘读取证书并将其存储在对象中,私钥仍存储在Microsoft Cryptographic API加密服务提供程序密钥数据库中。在托管服务器上,ASP.NET进程没有访问用户存储的权限。
有两个可能原因(我两个问题都遇到了):
1.权限不足
解决办法:提升程序池权限为LocalSystem,如下图
2.秘钥没有读取到,提示:出现了内部错误
修改了X509Certificate2声明后,提示“权限不足”,X509Certificate2如下声明:
X509Certificate2 certificate = new X509Certificate2(input.Path, CER_PASSWORD, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
然后按照,第一种解决方法即可。
PS:注意没有安装证书的,需要先双击证书文件
