2012-04-05 163 views
2

Connecting to an HTTPS web service from Azure

I have a web role in Azure that has to connect to an external web service secured with SSL. When the application tries to connect to the web service, it gives the error:

Could not establish trust relationship for the SSL/TLS secure channel with authority 'certname.organization.org'.

The certificate it needs has been uploaded as a service certificate in Azure, but for some reason it does not seem to be referencing or using that certificate correctly.

Any ideas on how to fix this?

Answers

1

It sounds like your Azure service client is unhappy with the SSL certificate of the external service you are calling - do you have control over that service?

You can test this by ignoring SSL errors from the client in Azure with the following:

// Accepts every server certificate: this disables TLS validation for the whole
// process (System.Net), so it is only useful to confirm the diagnosis.
ServicePointManager.ServerCertificateValidationCallback =
    (obj, certificate, chain, errors) => true;
+0

Unfortunately, I have no control over it. When I test locally (without the Azure emulator), it connects and works fine. It seems to be a permissions problem where Azure cannot find the correct certificate. I did try your suggestion and appreciate it very much. However, it is more of a workaround. – 2012-04-05 16:25:34

1

I have seen this problem intermittently as well. In my case, it turned out that the network connection to obtain a root certificate would sometimes time out. Then on a later request it would work again.

I ended up writing a custom callback that lets through the specific certificate I am interested in despite the error, but does not affect validation of other certificates. Here is my code. As you can probably tell, I am trying to hit the Android Cloud-to-Device Messaging endpoint and working around the wildcard certificate problem that Google uses, but this should be generalizable. It also has all the logging I used to diagnose the specific errors. Even if you do not want to force the certificate through validation, the logging code can help you decide how to proceed.

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// 'log' is the answerer's logger field; it is not declared in this snippet.
// Any logger exposing Info(string) will do.

private static readonly Uri PUSH_URI = new Uri("https://android.apis.google.com/c2dm/send", UriKind.Absolute);

/**
//The following function needs to be wired up in code somewhere else, like this:
ServicePointManager.ServerCertificateValidationCallback += ValidateDodgyGoogleCertificate;
**/
/// <summary>
/// Validates the SSL server certificate. Note this is process-wide code.
/// Wrote a custom one because the certificate used for Google's push endpoint is not for the correct domain. Go Google.
/// </summary>
/// <param name="sender">either a host name string, or an object derived from WebRequest</param>
/// <param name="cert">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param>
/// <returns>
/// Returns a boolean value that determines whether the specified
/// certificate is accepted for authentication; true to accept or false to
/// reject.
/// </returns>
private static bool ValidateDodgyGoogleCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        // Good certificate.
        return true;
    }

    // The sender is a host name for plain SslStream use, or the WebRequest for HttpWebRequest.
    string hostName = sender as string;
    if (hostName == null)
    {
        WebRequest senderRequest = sender as WebRequest;
        if (senderRequest != null)
        {
            hostName = senderRequest.RequestUri.Host;
        }
    }

    //We want to get past the Google name mismatch, but not allow any other errors
    if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateNameMismatch)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("Rejecting remote server SSL certificate from host \"{0}\" issued to Subject \"{1}\" due to errors: {2}", hostName, cert.Subject, sslPolicyErrors);

        // Bitwise AND tests the flag; the original used '|', which is always non-zero here.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
        {
            sb.AppendLine();
            sb.AppendLine("Chain status errors:");

            foreach (var chainStatusItem in chain.ChainStatus)
            {
                sb.AppendFormat("Chain Item Status: {0} StatusInfo: {1}", chainStatusItem.Status, chainStatusItem.StatusInformation);
                sb.AppendLine();
            }
        }

        log.Info(sb.ToString());

        return false;
    }

    // Only the one expected host gets the name mismatch waived; everything else is rejected below.
    if (PUSH_URI.Host.Equals(hostName, StringComparison.InvariantCultureIgnoreCase))
    {
        return true;
    }

    // Formatted explicitly: Info(string) takes a single message argument.
    log.Info(string.Format("Rejecting remote server SSL certificate from host \"{0}\" issued to Subject \"{1}\" due to errors: {2}", hostName, cert.Subject, sslPolicyErrors));
    return false;
}
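The two answers above show the two extremes: the first accepts everything process-wide, the second waives one error for one host but still hooks ServicePointManager globally. The following is an added example (not code from either answerer or from Google) that narrows the exception further: the callback is attached to a single HttpClientHandler rather than to the whole process, tolerates only RemoteCertificateChainErrors (the intermittent root-fetch timeout described in the second answer), and then only when the leaf certificate is exactly the one pinned by thumbprint. It assumes .NET Framework 4.7.1+ or .NET Core, where HttpClientHandler.ServerCertificateCustomValidationCallback exists; the host name is taken from the question and the thumbprint is a placeholder you replace with the value read off the real certificate.

```csharp
// Added example: per-client, host- and thumbprint-scoped TLS validation.
// Not from the original answers. Assumes .NET 4.7.1+ / .NET Core.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class ScopedCertificateValidation
{
    // Host from the question; the thumbprint is a placeholder to be replaced with
    // the SHA-1 thumbprint of the certificate the service actually presents.
    private const string ExpectedHost = "certname.organization.org";
    private const string ExpectedLeafThumbprint = "REPLACE_WITH_THUMBPRINT_OF_EXPECTED_LEAF";

    // Only this client gets the relaxed policy; every other HttpClient and
    // ServicePointManager user in the process keeps default validation.
    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateScoped
        };
        return new HttpClient(handler);
    }

    // Decision logic kept separate from the handler so it can be exercised without a socket.
    public static bool ValidateScoped(HttpRequestMessage request, X509Certificate2 cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        string host = request?.RequestUri?.Host ?? "<unknown>";
        var report = new StringBuilder();
        report.AppendFormat("TLS validation for {0}: errors={1}, subject={2}, thumbprint={3}",
                            host, errors, cert?.Subject, cert?.Thumbprint);

        // Any error other than a chain error (name mismatch, no certificate) is always fatal.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
        {
            Console.WriteLine(report.Append(" -> rejected (non-chain error)").ToString());
            return false;
        }

        // Record every chain element status: this is what tells you whether the cause is a
        // missing intermediate, an unreachable revocation endpoint, or a clock problem.
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                report.AppendFormat("\n  chain status: {0} ({1})", status.Status, status.StatusInformation?.Trim());
        }

        // The chain error is tolerated only for the expected host AND only if the leaf is the
        // pinned certificate; a different certificate on that host fails closed.
        bool hostMatches = string.Equals(host, ExpectedHost, StringComparison.OrdinalIgnoreCase);
        bool leafMatches = cert != null &&
                           string.Equals(cert.Thumbprint, ExpectedLeafThumbprint, StringComparison.OrdinalIgnoreCase);

        bool accept = hostMatches && leafMatches;
        Console.WriteLine(report.Append(accept ? " -> accepted (pinned leaf, chain error tolerated)"
                                               : " -> rejected").ToString());
        return accept;
    }
}
```

Because the leaf is pinned by thumbprint, the callback fails closed when the remote service rotates its certificate, so the thumbprint has to be updated (and the log line above tells you exactly when that happened) rather than silently accepting the new one.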
0

Ignoring SSL errors is one thing you can do.

But if it works on your machine and does not work on your instance, then the certificate chain on the instance is probably incomplete. You need to open the certificate on your computer, go to the Certification Path tab and export each certificate in the path.

Then add those certificates to your project and have a startup task (a .bat or .cmd file) that adds them to the Trusted Root CAs:

REM Install certificates. 
certutil -addstore -enterprise -f -v root Startup\Certificates\someROOTca.cer 
certutil -addstore -enterprise -f -v root Startup\Certificates\otherROOTca.cer 
+0

Unfortunately, because this is Azure, we cannot run anything on the command line, but I will try your suggestion about breaking the chain into its certificates. – 2012-04-06 12:29:14

+0

Actually, you can run this with a startup task: http://blog.smarx.com/posts/windows-azure-startup-tasks-tips-tricks-and-gotchas – 2012-04-11 08:10:13
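The export-every-certificate-in-the-path step of the answer above is manual; the following added example (not the answerer's code) does the same thing programmatically with X509Chain so it can run in a startup task or a build step. It builds the path for an exported server certificate, writes each element as a DER .cer file (the format the certutil lines above consume), and installs the elements into the LocalMachine stores. One refinement over the answer: only the self-issued root goes into Root, while intermediates go into the intermediate "CA" store, so no intermediate CA becomes a trust anchor. The file paths are placeholders, and writing to LocalMachine stores assumes the startup task runs elevated.

```csharp
// Added example: build, export and install the certification path of a server certificate.
// Not from the original answer. Paths are placeholders; LocalMachine store writes need elevation.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

public static class ChainExporter
{
    // Returns the chain elements from leaf to root, or an empty array (never a partial path)
    // when the chain does not build, so a caller cannot install certificates it could not verify.
    public static X509Certificate2[] BuildChain(X509Certificate2 leaf, out X509ChainStatus[] statuses)
    {
        using (var chain = new X509Chain())
        {
            // Revocation lookups are what time out on a restricted network; only the path is needed here.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool ok = chain.Build(leaf);
            statuses = chain.ChainStatus;
            if (!ok)
                return new X509Certificate2[0];

            // Copy each element out of the chain so it outlives the X509Chain handle.
            var elements = new X509Certificate2[chain.ChainElements.Count];
            for (int i = 0; i < elements.Length; i++)
                elements[i] = new X509Certificate2(chain.ChainElements[i].Certificate.Export(X509ContentType.Cert));
            return elements;
        }
    }

    // Writes each element as DER .cer into outDir and returns the paths written.
    public static string[] ExportChain(X509Certificate2[] chainElements, string outDir)
    {
        Directory.CreateDirectory(outDir);
        var written = new string[chainElements.Length];
        for (int i = 0; i < chainElements.Length; i++)
        {
            string name = i == 0 ? "leaf"
                        : i == chainElements.Length - 1 ? "root"
                        : "intermediate" + i;
            written[i] = Path.Combine(outDir, name + ".cer");
            File.WriteAllBytes(written[i], chainElements[i].Export(X509ContentType.Cert));
        }
        return written;
    }

    // Self-issued (subject == issuer) certificates are trust anchors and belong in Root;
    // everything between leaf and root belongs in the intermediate CA store.
    public static StoreName StoreFor(X509Certificate2 cert)
    {
        return cert.Subject == cert.Issuer ? StoreName.Root : StoreName.CertificateAuthority;
    }

    // Installs every element except the leaf (the server presents the leaf itself).
    public static void InstallPath(X509Certificate2[] chainElements)
    {
        for (int i = 1; i < chainElements.Length; i++)
        {
            using (var store = new X509Store(StoreFor(chainElements[i]), StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadWrite);
                store.Add(chainElements[i]);
            }
        }
    }

    public static void Main(string[] args)
    {
        // Placeholder: the server certificate exported from a machine where the call succeeds.
        var leaf = new X509Certificate2(args.Length > 0 ? args[0] : @"Startup\Certificates\server.cer");
        X509ChainStatus[] statuses;
        var path = BuildChain(leaf, out statuses);
        if (path.Length == 0)
        {
            foreach (var s in statuses)
                Console.WriteLine("chain error: {0} {1}", s.Status, s.StatusInformation);
            return;
        }
        foreach (var file in ExportChain(path, @"Startup\Certificates"))
            Console.WriteLine("wrote " + file);
        InstallPath(path);
    }
}
```

Run it once on the developer machine to produce the .cer files that go into the project; the same InstallPath call, or the certutil lines from the answer, then runs in the elevated startup task on the instance.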

0

I added the CER to the root of my project, selected "Copy always", and then used the following command to connect Azure to a server with a self-signed SSL certificate:

REM Install certificates. 
certutil -addstore -enterprise -f -v root startsodev.cer