我在Azure中有一个Web角色,它必须连接到一个受SSL保护的外部Web服务。当应用程序试图连接到Web服务,它给了一个错误:从Azure连接到HTTPS Web服务
Could not establish trust relationship for the SSL/TLS secure channel with authority 'certname.organization.org'.
,它需要被上传到Azure中的服务证书,但由于某些原因,它似乎并没有被正确地证书引用它或使用它。
有关如何解决这个问题的任何想法?
听起来好像您的Azure服务客户端对您所调用的外部服务的SSL证书不满意 - 您是否拥有对该服务的控制权?
您可以通过以下从客户端忽略了Azure的SSL错误测试:
ServicePointManager.ServerCertificateValidationCallback =
(obj, certificate, chain, errors) => true;
我已经看到了这个问题,间歇性为好。在我的情况下,事实证明,获得一个根证书的网络连接有时会超时。然后在未来的请求,它会再次工作。
我最终编写了一个自定义回调函数,让我感兴趣的特定证书尽管出现错误,但不影响其他证书的验证。以下是我的代码。正如你可能知道的那样,我试图打击Android Cloud-to-Device Messaging终端,并尝试解决Google使用的通配证书问题,但这应该是可以推广的。这也有我用来诊断特定错误的所有记录。即使您不想强制验证证书,日志代码也可以帮助您决定如何继续。
private static readonly Uri PUSH_URI = new Uri("https://android.apis.google.com/c2dm/send", UriKind.Absolute);
/**
//The following function needs to be wired up in code somewhere else, like this:
ServicePointManager.ServerCertificateValidationCallback += ValidateDodgyGoogleCertificate;
**/
/// <summary>
/// Validates the SSL server certificate. Note this is process-wide code.
/// Wrote a custom one because the certificate used for Google's push endpoint is not for the correct domain. Go Google.
/// </summary>
/// <param name="sender">either a host name string, or an object derived from WebRequest</param>
/// <param name="cert">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param>
/// <returns>
/// Returns a boolean value that determines whether the specified
/// certificate is accepted for authentication; true to accept or false to
/// reject.
/// </returns>
private static bool ValidateDodgyGoogleCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Good certificate.
return true;
}
string hostName = sender as string;
if (hostName == null)
{
WebRequest senderRequest = sender as WebRequest;
if (senderRequest != null)
{
hostName = senderRequest.RequestUri.Host;
}
}
//We want to get past the Google name mismatch, but not allow any other errors
if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateNameMismatch)
{
StringBuilder sb = new StringBuilder();
sb.AppendFormat("Rejecting remote server SSL certificate from host \"{0}\" issued to Subject \"{1}\" due to errors: {2}", hostName, cert.Subject, sslPolicyErrors);
if ((sslPolicyErrors | SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
{
sb.AppendLine();
sb.AppendLine("Chain status errors:");
foreach (var chainStatusItem in chain.ChainStatus)
{
sb.AppendFormat("Chain Item Status: {0} StatusInfo: {1}", chainStatusItem.Status, chainStatusItem.StatusInformation);
sb.AppendLine();
}
}
log.Info(sb.ToString());
return false;
}
if (PUSH_URI.Host.Equals(hostName, StringComparison.InvariantCultureIgnoreCase))
{
return true;
}
log.Info("Rejecting remote server SSL certificate from host \"{0}\" issued to Subject \"{1}\" due to errors: {2}", hostName, cert.Subject, sslPolicyErrors);
return false;
}
忽略SSL错误是您可以做的一件事。
但是,如果它在您的机器上运行,并且它不适用于您的实例,那么实例上的证书链可能还不完整。您需要在您的计算机上打开证书,然后转至认证路径并导出路径中的每个证书。
然后,将这些证书添加到您的项目,并有启动任务(.bat或.cmd文件),将它们添加到受信任的根CA:
REM Install certificates.
certutil -addstore -enterprise -f -v root Startup\Certificates\someROOTca.cer
certutil -addstore -enterprise -f -v root Startup\Certificates\otherROOTca.cer
不幸的是,因为这是Azure,所以我们不能在命令行上运行任何东西,但我会尝试您关于打破链中证书的建议。 – 2012-04-06 12:29:14
实际上,您可以使用启动任务运行此操作:http://blog.smarx.com/posts/windows-azure-startup-tasks-tips-tricks-and-gotchas – 2012-04-11 08:10:13
我加入了CER到我的项目的根并选择“始终复制”,然后使用以下命令将天蓝色连接到带有SSL自签功能的服务器
REM Install certificates.
certutil -addstore -enterprise -f -v root startsodev.cer
不幸的是,我无法控制它。当我在本地测试(不使用Azure模拟器)时,它连接并正常工作。这似乎是Azure无法找到正确证书的权限问题。我确实尝试了你的建议,并且非常感谢。然而,这更像是一种解决方法。 – 2012-04-05 16:25:34