ASP.Net Core 3 The remote certificate is invalid on MacOs

后端 未结 2 1300
盖世英雄少女心
盖世英雄少女心 2021-01-22 08:35

When I try to call an API method using identityserver4, I tried before on Windows and it is working fine only in Mac OS I faced this issue and I don´t know what is happened and

2条回答
  •  迷失自我
    2021-01-22 09:06

    Dotnet dev-certs don't work on Linux or Mac.
    That is because the dev-tools issue an incorrect root certificate.
    Windows apparently accepts incorrect root certificates...

    What you need to do is this:

    • create a root certificate
    • add this to your machine's root certificate store
    • sign the SSL-certificate with that root certificate.

    Alternatively, you can just ignore SSL-errors:
    if (hostingEnvironment.IsDevelopment())
    {
       System.Net.ServicePointManager.ServerCertificateValidationCallback += 
          (sender, certificate, chain, sslPolicyErrors) => true;
    }
    

    Or you can write a more complex Validation-Callback, that just ignores untrusted root certificates:

    /// 
    ///     This is to take care of SSL certification validation which are not issued by Trusted Root CA.
    /// 
    /// The sender.
    /// The certificate.
    /// The chain.
    /// The errors.
    /// 
    /// 
    public static bool RemoteCertValidate(object sender
        , System.Security.Cryptography.X509Certificates.X509Certificate certificate
        , System.Security.Cryptography.X509Certificates.X509Chain chain
        , System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        // If the certificate is a valid, signed certificate, return true.
        if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
        {
            return true;
        }
    
        // Logger.Current.Error("X509Certificate [{0}] Policy Error: '{1}'", certificate.Subject, sslPolicyErrors);
    
    
        // If there are errors in the certificate chain, look at each error to determine the cause.
        if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
        {
            if (chain != null && chain.ChainStatus != null)
            {
                foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
                {
                    if ((certificate.Subject == certificate.Issuer) &&
                       (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
                    {
                        // Self-signed certificates with an untrusted root are valid. 
                        continue;
                    }
                    else if (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NotTimeValid)
                    {
                        // Ignore Expired certificates
                        continue;
                    }
                    else
                    {
                        if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
                        {
                            // If there are any other errors in the certificate chain, the certificate is invalid,
                            // so the method returns false.
                            return false;
                        }
                    }
                } // Next status 
    
            } // End if (chain != null && chain.ChainStatus != null) 
    
            // When processing reaches this line, the only errors in the certificate chain are 
            // untrusted root errors for self-signed certificates (, or expired certificates). 
            // These certificates are valid for default Exchange server installations, so return true.
            return true;
        } // End if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0) 
    
        return false;
    }
    

    And add that to ServerCertificateValidationCallback:

    System.Net.ServicePointManager.ServerCertificateValidationCallback += 
        new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertValidate);
    

提交回复
热议问题