What SSL Cert to install in dotnet Kestrel host in non dev environment

Question


Currently in AWS Cloud, we have the HTTPS/SSL terminated at the ALB. I am trying to forward the HTTPS SSL/TLS to the container.

I can configure the SSL at startup

    using System.Net;
    using Microsoft.AspNetCore.Server.Kestrel.Core;

    builder.WebHost.ConfigureKestrel(options =>
    {
        options.Listen(IPAddress.Any, 5002, listenOptions =>
        {
            listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
            // Kestrel needs the certificate together with its private key (PFX file + password)
            listenOptions.UseHttps(<CERTPATH>, <PASSPHRASE>);
        });
    });

I tried getting the AWS Certificate Manager cert using the following code

    using Amazon.CertificateManager;
    using Amazon.CertificateManager.Model;

    // GetCertificate returns only the PEM-encoded certificate and chain, not the private key
    var exportCertificateResponse = await acmClient.GetCertificateAsync(new GetCertificateRequest()
    {
        CertificateArn = builder.Configuration["AWS:CertificateArn"],
    });

But this certificate doesn't have the private key, so I can't use it directly.

So I guess I might be using the incorrect type of cert. Appreciate any help.

Current Dockerfile

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 5002

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["WebApi/WebApi.csproj", "WebApi/"]
RUN dotnet restore "WebApi/WebApi.csproj"
COPY . .
WORKDIR "/src/WebApi"
RUN dotnet build "WebApi.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "WebApi.csproj" -c Release -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "WebApi.dll"]

Should I just add a self-signed cert to the Docker container?

Answer 1

Score: 0

The free AWS ACM SSL certificates cannot be used directly in your code. They are only available to attach to load balancers, CloudFront distributions, and API Gateways. If you want to have an SSL certificate on your backend server you will have to obtain one some other way, such as via Let's Encrypt, or by purchasing one from an SSL certificate company.

If you want to serve the SSL certificate from your backend server instead of the load balancer, you won't be able to use an Application Load Balancer. You will have to switch to a Network Load Balancer configured with TCP Passthrough. Doing this means you will not be able to take advantage of things like path routing and redirect rules that are available in Application Load Balancers.

If you just want to implement end-to-end encryption between the load balancer and your backend server, you could install a self-signed certificate on your backend server, because the load balancer does not do validation of the backend SSL certificate.
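What the last option in the answer (a self-signed cert on the backend, ALB re-encrypting to the container) looks like in the WebApi's Program.cs, as an added example that is not part of the question or the answer. It assumes the PFX and its password are mounted into the container at run time (for instance as Docker secrets) and passed through Kestrel's standard configuration keys, that 10.0.0.0/8 is the VPC range the ALB connects from, and a /health endpoint for the target group; all three are assumptions, not values from the page.

```csharp
// Added example (not from the page): Program.cs for the WebApi container,
// serving HTTPS on 5002 for the ALB -> container leg with a self-signed cert.
using System.Net;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Standard Kestrel configuration keys. In Docker, supply them at run time, e.g.
//   Kestrel__Certificates__Default__Path=/run/secrets/backend.pfx   (assumed mount path)
//   Kestrel__Certificates__Default__Password=...                   (from a secret, not an ENV line)
// so the private key never ends up in an image layer.
var certPath = builder.Configuration["Kestrel:Certificates:Default:Path"]
    ?? throw new InvalidOperationException("Kestrel:Certificates:Default:Path is not configured");
var cert = new X509Certificate2(certPath, builder.Configuration["Kestrel:Certificates:Default:Password"]);

builder.WebHost.ConfigureKestrel(options =>
{
    options.Listen(IPAddress.Any, 5002, listenOptions =>
    {
        // The ALB talks HTTP/1.1 or HTTP/2 to targets over TCP; HTTP/3 (QUIC/UDP) never arrives here.
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
        listenOptions.UseHttps(cert, httpsOptions =>
        {
            // The ALB does not validate this cert, so the protocol floor is the lever we still control.
            httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
        });
    });
});

// Client TLS is terminated at the ALB; the original scheme and IP reach us only as
// X-Forwarded-* headers. Trust them solely from the ALB's network (assumed VPC CIDR).
builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
    o.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    o.KnownProxies.Clear();
    o.KnownNetworks.Clear();
    o.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
});

var app = builder.Build();
app.UseForwardedHeaders();
// Because the ALB does not validate the backend cert, an expired one keeps serving silently; flag it.
if (cert.NotAfter < DateTime.Now.AddDays(30))
    app.Logger.LogWarning("Backend certificate {Subject} expires {NotAfter:u}", cert.Subject, cert.NotAfter);
app.MapGet("/health", () => Results.Ok());
app.Run();
```

With this in place the Dockerfile above needs no certificate baked in; the PFX is mounted and the two Kestrel__ variables are set on the task or container definition.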

huangapple
  • Posted on 2023-03-04 08:09:17
  • Please keep this link when reposting: https://go.coder-hub.com/75632841.html