dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

SSL connection could not be established (The remote certificate is invalid according to the validation procedure) #47035

Closed. Altair7610 closed this 3 years ago

Altair7610 commented 3 years ago

Environment:
- Docker: Windows using Linux containers
- OS: Windows 10
- Microsoft.AspNetCore.App: 3.1
- Docker Image: mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim

I'm just stuck on a certificate problem inside Docker containers. I have two ASP.NET Core apps: one is auth and based on IS4, another is just a secured gRPC API. To call the API I need to get a token from IS4 and pass it to the gRPC channel. All of them are secured with a valid SSL certificate. Also I have a console app to test it. Getting a token from the IS4 container is no problem, but when I'm trying to call an API method it breaks at

fail: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
      Exception occurred while processing message.

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslStream.ThrowIfExceptional()
at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_1(IAsyncResult iar)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

fail: Microsoft.AspNetCore.Server.Kestrel[13]
      Connection id "0HM5P7KUJJ5HV", Request id "0HM5P7KUJJ5HV:00000001": An unhandled exception was thrown by the application.

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslStream.ThrowIfExceptional()
at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_1(IAsyncResult iar)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

when attempting to connect to https://myaddress/.well-known/openid-configuration. But when I open a CLI console inside the API container and run curl https://myaddress/.well-known/openid-configuration it works and I get a JSON answer.

My ConfigureServices method in gRPC API:

```csharp
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(o =>
{
    o.Authority = "https://myaddress:443";
    o.Audience = "resourceapi";
    ////o.RequireHttpsMetadata = true;
    ////o.MetadataAddress = "https://myaddress:443/.well-known/openid-configuration";
});

services.AddAuthorization(options =>
{
    options.AddPolicy("ApiReader", policy => policy.RequireClaim("scope", "api.read"));
    options.AddPolicy("Consumer", policy => policy.RequireClaim(ClaimTypes.Role, "user"));
});
```

curl output from container:

   Trying 192.168.0.50...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55969cae0f90)
* Connected to myaddress (192.168.0.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.myaddress 
*  start date: Nov 23 11:26:02 2020 GMT
*  expire date: Feb 21 11:26:02 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55969cae0f90)
> GET /.well-known/openid-configuration HTTP/2
> Host: myaddress 
> User-Agent: curl/7.64.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Fri, 15 Jan 2021 09:42:32 GMT
< content-type: application/json; charset=UTF-8
< server: Kestrel
<
{"issuer":"https://myaddress","jwks_uri":"https://myaddress/.well-known/openid-configuration/jwks","authorization_endpoint":"https://myaddress/connect/authorize","token_endpoint":"https://myaddress/connect/token","userinfo_endpoint":"https://myaddress/connect/userinfo","end_session_endpoint":"https://myaddress/connect/endsession","check_session_iframe":"https://myaddress/connect/checksession","revocation_endpoint":"https://myaddress/connect/revocation","introspection_endpoint":"https://myaddress/connect/introspect","device_authorization_endpoint":"https://myaddress/connect/deviceauthorization","frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"scopes_supported":["openid","email","profile","api* Connection #0 to host myaddress left intact
.read","offline_access"],"claims_supported":["sub","email","email_verified","name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at"],"grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","password","urn:ietf:params:oauth:grant-type:device_code"],"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],"response_modes_supported":["form_post","query","fragment"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"id_token_signing_alg_values_supported":["RS256"],"subject_types_supported":["public"],"code_challenge_methods_supported":["plain","S256"],"request_parameter_supported":true}#

Doesn't seem that it's a Docker problem (curl is working), any ideas?

ghost commented 3 years ago

Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.

Author: Altair7610
Assignees: -
Labels: `area-System.Net.Security`, `untriaged`
Milestone: -

karelz commented 3 years ago

Couple of high-level ideas:

Altair7610 commented 3 years ago

@karelz I've tried .NET 5, but there's a problem with the root CA certificate chain, and we have an instant crash at start. With SocketsHttpHandler disabled on .NET Core 3.1 I got more luck: it didn't crash with SSL after invoke, but threw status code 401 "Unauthenticated".

karelz commented 3 years ago

The "Unauthenticated" (on 3.1 with disabled SocketsHttpHandler) feels like what you're getting in the original post "The remote certificate is invalid according to the validation procedure." ... which is weird as it uses curl under the hood. So apparently there is some difference in available certificates between command line curl and .NET with or without curl. Maybe that is the root of the problem? @wfurt will likely know more ...

Is 5.0 failing perhaps as #46654?

Altair7610 commented 3 years ago

@karelz yeah, everything is exactly the same as in #46654. Most likely I'll have to wait until a new 5.0 build which fixes that is released. Maybe @wfurt will advise something :) So far I had to deploy the authentication service to IIS.

wfurt commented 3 years ago

It was confirmed that installing the root CA fixes the problem. You can try it in the meantime @Altair7610. It is curious that nothing posted on this issue relates to #46654, e.g. that one is a server problem but all posted traces show the client side.

Altair7610 commented 3 years ago

@wfurt I installed the root CA certificate inside the container and checked it in the certificates list by invoking the awk command, but it doesn't change the situation. This call is cross-server, and when I removed the second service from Docker and deployed it to IIS everything worked.

wfurt commented 3 years ago

You claimed that this is the same as #46654 but there is no evidence for that in what you posted. And you provided no information about the certificate and the chain. All the details could matter.

Why don't you add something like this to your validation callback and check why the certificate is being rejected?

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// 'handler' is the HttpClientHandler that makes the backchannel request.
handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
{
    Console.WriteLine($"SslPolicyErrors: {errors}");

    if (chain == null)
    {
        Console.WriteLine("No chain...");
    }
    else
    {
        // One element per certificate the platform could link, leaf first.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine();
            Console.WriteLine(element.Certificate.Subject);
            Console.WriteLine(element.ChainElementStatus.Length);
            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                Console.WriteLine($"Status:  {status.Status}: {status.StatusInformation}");
            }
        }
    }

    // Keep the default verdict: log the reason, but do not accept a certificate
    // that failed validation.
    return errors == SslPolicyErrors.None;
};
```

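As an added example (not wfurt's or the reporter's code), this shows where such a diagnostic callback belongs in the reporter's ConfigureServices: on the JwtBearer backchannel handler, which is the HttpClient that HttpDocumentRetriever in the trace uses to fetch https://myaddress/.well-known/openid-configuration. It assumes ASP.NET Core 3.1 with the issue's Authority and Audience values; the extension method name `AddDiagnosticJwtBearer` is hypothetical, and the callback keeps the default verdict so the API logs the chain without trusting a certificate that failed validation.

```csharp
// Added example, not part of the issue thread. Assumes ASP.NET Core 3.1 and the
// Authority/Audience from the issue; 'myaddress' is the issue's own placeholder.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class JwtBearerDiagnostics
{
    // Returns the verdict the default validation would give (errors == None),
    // so the backchannel never trusts a certificate it would otherwise reject.
    public static bool LogAndValidate(HttpRequestMessage request, X509Certificate2 cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"[backchannel] {request.RequestUri} SslPolicyErrors: {errors}");

        if (cert != null)
        {
            Console.WriteLine($"  leaf subject: {cert.Subject}");
            Console.WriteLine($"  leaf issuer:  {cert.Issuer}");
            Console.WriteLine($"  valid:        {cert.NotBefore:u} .. {cert.NotAfter:u}");
        }

        if (chain == null)
        {
            Console.WriteLine("  no chain was built");
        }
        else
        {
            // One element per certificate the platform could link, leaf first.
            // A root that is not in the container's store shows up as
            // PartialChain or UntrustedRoot on the last element.
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine($"  chain element: {element.Certificate.Subject}");
                foreach (X509ChainStatus status in element.ChainElementStatus)
                {
                    Console.WriteLine($"    {status.Status}: {status.StatusInformation?.Trim()}");
                }
            }
        }

        return errors == SslPolicyErrors.None;
    }

    // Hypothetical drop-in for the AddJwtBearer call shown in the issue.
    public static IServiceCollection AddDiagnosticJwtBearer(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(o =>
        {
            o.Authority = "https://myaddress:443";
            o.Audience = "resourceapi";
            o.RequireHttpsMetadata = true; // metadata stays on HTTPS; the callback only reports

            // The metadata and JWKS fetches (HttpDocumentRetriever in the trace)
            // go through this handler, so this is where the rejection is visible.
            o.BackchannelHttpHandler = new HttpClientHandler
            {
                ServerCertificateCustomValidationCallback = LogAndValidate
            };
        });

        return services;
    }
}
```

Because the verdict is unchanged, the 401 from the original report will persist until the chain statuses printed here (for example a missing root in /etc/ssl/certs) are fixed in the container image.
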
karelz commented 3 years ago

Closing as there is not enough information to make it actionable. Feel free to reopen once more info is collected/available.