I use an OData service with an C# ASP.NET Core 3.1 service inside a docker container from SAP with a customer self-signed certificate.
In the meantime I have tried a thousand things, but the error persists.
System.InvalidOperationException: An error occurred while processing this request. mdt2oowvsap_1 | ---> System.Data.Services.Client.DataServiceTransportException: The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure.
Even the unsafe solutions like using HttpClientHandler.ServerCertificateCustomValidationCallback with direct return true did not change anything.
public MyService()
{
:
handler = new HttpClientHandler()
{
Credentials = new NetworkCredential(Username, Password, Domain),
PreAuthenticate = true,
ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
logger.LogDebug($"No SSL policy errors!");
return true; //Is valid
}
logger.LogDebug($"Get certificate hash: {cert.GetCertHashString()}");
// From: https://stackoverflow.com/questions/2675133/c-sharp-ignore-certificate-errors
if (!String.IsNullOrEmpty(certificateHash) && cert.GetCertHashString().Equals(certificateHash))
{
// Get hash string via: openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
// see: https://stackoverflow.com/questions/5164804/get-certificate-fingerprint-of-https-server-from-command-line
logger.LogDebug($"Using certificate hash: {certificateHash}");
return true;
}
return false;
},
UseCookies = true,
CookieContainer = cookieContainer
};
String[] files = Directory.GetFiles("./certs/", "*.*", SearchOption.TopDirectoryOnly);
logger.LogInformation($"Found {files.Length} certificate files");
// see: https://stackoverflow.com/questions/40014047/add-client-certificate-to-net-core-httpclient
foreach (string cfile in files)
{
try
{
logger.LogDebug($"Try adding {cfile} as trusted client certificate...");
handler.ClientCertificates.Add(new X509Certificate2(Path.GetFullPath(cfile)));
}catch(Exception e)
{
logger.LogInformation($"Exception while adding certificate file {cfile} to 'ClientCertificates'");
logger.LogError(e.ToString());
}
}
httpClient = new HttpClient(handler);
:
}
The last attempt was to download the certificate and give it to the HttpClientHandler using ClientCertificates.Add. Without success.
Using curl, passing this certificate file works.
$> curl --location --request GET 'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
:
$> echo -n | openssl s_client -connect customer.de:1234 -servername customer.de | \
openssl x509 > /full/path/to/customer.cert
depth=0 CN = customer.de
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = customer.de
verify return:1
DONE
$>
$> curl --location --cacert '/full/path/to/customer.cert' --request GET \
'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
<?xml version="1.0" encoding="utf-8"?><app:service xml:lang="de" xml:base="https:blablabla.../></app:service>
$> _
Does anyone have another idea?
Solutions viewed (incomplete):
- c-sharp-ignore-certificate-errors
- add-client-certificate-to-net-core-httpclient
- allowing-untrusted-ssl-certificates-with-httpclient
- how-do-i-add-a-ca-root-certificate-inside-a-docker-image
- the-ssl-connection-could-not-be-established
- c-sharp-core-3-1-getting-error-message-the-ssl-connection-could-not-be-establ
- the-ssl-connection-could-not-be-established-between-webapp-and-webapi-asp-core
- how-to-fix-the-ssl-connection-could-not-be-established-see-inner-exception-w
Thanks in advance.
CodePudding user response:
The solution to the problem was to make the "self-signed" certificate available to the Docker container or the operating system it contains (Ubuntu) and provide it with
cp certs/customer.cert /usr/local/share/ca-certificates/customer.crt &&
update-ca-certificates
Now the communication works over SSL.