查看 OPENSSLDIR 路径终极解决方案
1、查看 OPENSSLDIR 路径
$ openssl version -a
2、然后把 CentOS 默认的 openssl CA证书拷贝过来。
$ cp /etc/pki/tls/cert.pem /usr/local/openssl/
参考连接:https://lamjack.github.io/2018/05/11/centos-compile-openssl-missing-ca-bundle-crt/
忽略以下
============================================================
DOTNET CORE 部署 Centos7 抛出异常
环境变量如下:
.NET Core SDK (reflecting any global.json):
Version: 2.2.401
Commit: 729b316c13
Runtime Environment:
OS Name: centos
OS Version: 7
OS Platform: Linux
RID: centos.7-x64
Base Path: /usr/share/dotnet/sdk/2.2.401/
Host (useful for support):
Version: 2.2.6
Commit: 7dac9b1b51
.NET Core SDKs installed:
2.2.401 [/usr/share/dotnet/sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.2.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.2.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.2.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
测试代码:
using System; using System.Diagnostics; using System.Net.Http; using System.Net.Http.Headers; namespace TestHttpClient { class Program { static void Main(string[] args) { try { using (var httpClient = new HttpClient()) { httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); string url = "https://jsonplaceholder.typicode.com/posts/1"; var response = httpClient.GetAsync(url).Result; string jsonResult = response.Content.ReadAsStringAsync().Result; } } catch (Exception ex) { Debug.WriteLine(ex.ToString()); } } } }
服务器抛出异常:
System.AggregateException: One or more errors occurred. (The SSL connection could not be established, see inner exception.) ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
……………………………………………………
OR
The remote certificate is invalid according to the validation procedure.
解决方案:
By defining the System.Net.Http.UseSocketsHttpHandler
switch in the .netcore.runtimeconfig.json configuration file:
"runtimeOptions": { "configProperties": { "System.Net.Http.UseSocketsHttpHandler": false } }
=====================
以上可以解决问题,但不是根本解决
问题分析如下:
后续请参考以下:
using System; using System.Diagnostics; using System.Net; using System.Net.Http; using System.Net.Http.Headers; using System.Net.Security; using System.Security.Cryptography.X509Certificates; using System.Threading.Tasks; namespace ConsoleClientTest { internal class Program { private static async Task Main(string[] args) { try { //AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false); using (var httpClientHandler = new HttpClientHandler()) { httpClientHandler.ServerCertificateCustomValidationCallback = (message, certificate, chain, sslPolicyErrors) => { Console.WriteLine(" ===================message================== {0}", message.ToString()); Console.WriteLine(" ==================cert================== {0}", certificate.ToString()); Console.WriteLine(" ==================chain================== {0}", chain.ToString()); Console.WriteLine(" ==================chain status================== {0}", chain.ChainStatus.ToString()); Console.WriteLine(" ==================errors================== {0}", sslPolicyErrors.ToString()); Console.WriteLine(" ==================================================== "); Console.WriteLine($"Received certificate with subject {certificate.Subject}"); Console.WriteLine(" ==================================================== "); Console.WriteLine($"Current policy errors: {sslPolicyErrors}"); Console.WriteLine(" ==================================================== "); if (sslPolicyErrors == SslPolicyErrors.None) return true; else { if ((SslPolicyErrors.RemoteCertificateNameMismatch & sslPolicyErrors) == SslPolicyErrors.RemoteCertificateNameMismatch) { Console.WriteLine("证书名称不匹配{0}", sslPolicyErrors); } if ((SslPolicyErrors.RemoteCertificateChainErrors & sslPolicyErrors) == SslPolicyErrors.RemoteCertificateChainErrors) { foreach (X509ChainStatus status in chain.ChainStatus) { Console.WriteLine("status code = {0}", status.Status); Console.WriteLine("Status info = {0}", status.StatusInformation); } } Console.WriteLine("证书验证失败{0}", sslPolicyErrors); } return false; }; Console.WriteLine(" ==================================================== "); using (var httpClient = new HttpClient(httpClientHandler)) { httpClient.DefaultRequestHeaders.Accept.Add( new MediaTypeWithQualityHeaderValue("application/json")); const string url = "https://jsonplaceholder.typicode.com/posts/1"; using (var response = await httpClient.GetAsync(url)) { var jsonResult = await response.Content.ReadAsStringAsync(); Console.WriteLine(jsonResult); } } } } catch (Exception ex) { Console.WriteLine(ex.ToString()); } } } }
通过以上代码,打印出以下语句
Status info = unable to get local issuer certificate trustasia
回想起昨天编译Nginx,手动安装了OPENSSL,版本问题,恢复后,一切正常