【Question title】: C# grpc server-side only certificate
【Posted】: 2021-10-12 12:13:13
【Question description】:

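Does anyone know of an example of how to configure grpc to use a server-side-only certificate (not the default development certificate)? So no client certificate, just a server-side certificate to encrypt the channel.

I created a self-signed pfx and imported it into Trusted Root Certification Authorities. Using the following configuration atm: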

            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.ConfigureKestrel(o =>
                {
                    o.ConfigureHttpsDefaults(x =>
                    {
                        x.ClientCertificateMode = ClientCertificateMode.NoCertificate;
                        x.ServerCertificate = GetCertificate(StoreLocation.LocalMachine, StoreName.CertificateAuthority, "<thumbprint>");
                    });
                });
                webBuilder.UseStartup<Startup>();
            });

    "profiles": {
      "Aeternum.ServiceHost": {
        "commandName": "Project",
        "dotnetRunMessages": "true",
        "launchBrowser": false,
        "applicationUrl": "https://localhost:15425",  // the pfx was created for localhost
        "environmentVariables": {
          "ASPNETCORE_ENVIRONMENT": "Development"
        }
      }
    }

    "Kestrel": {
      "Url": "https://*:15425",
      "EndpointDefaults": {
        "Protocols": "Http2"
      }
    }

Trying with this client (I'm pretty sure ChannelCredentials.Insecure is not correct, but I don't know what else to do):

        var channel = new Channel(_rootUri.Host, _rootUri.Port, ChannelCredentials.Insecure);
        return new AuthServiceV1.AuthServiceV1Client(channel);

At the moment I get this exception on the client side (without ssl everything seems to work fine):

Status(StatusCode="Unavailable", Detail="failed to connect to all addresses", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1628428855.871000000","description":"Failed to pick subchannel","file":"......\src\core\ext\filters\client_channel\client_channel.cc","file_line":3009,"referenced_errors":[{"created":"@1628428855.871000000","description":"failed to connect to all addresses","file":"......\src\core\ext\filters\client_channel\lb_policy\pick_first\pick_first.cc","file_line":398,"grpc_status":14}]}")

Thanks.

【Question discussion】:

    Tags: c# ssl grpc .net-5


    【Solution 1】:

    So I found a solution.

    Server:

      "CertThumbprint": "<certificate thumbprint>",
      "Kestrel": {
        "EndpointDefaults": {
          "Url": "https://*:15425",
          "Protocols": "Http2"
        }
      },
    
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.ConfigureKestrel((context, options) =>
                {
                    options.ConfigureHttpsDefaults(x =>
                    {
                        var thumbprint = context.Configuration["CertThumbprint"];
                        x.ClientCertificateMode = ClientCertificateMode.NoCertificate;
                        x.ServerCertificate = GetCertificate(StoreLocation.LocalMachine, StoreName.CertificateAuthority, thumbprint);
                    });
                });
                webBuilder.UseStartup<Startup>();
            });
    

    On the client side, don't create the channel yourself; use the grpc client factory instead:

        services.AddGrpcClient<AuthServiceV1.AuthServiceV1Client>((sp, o) =>
            {
                var configuration = sp.GetRequiredService<IConfiguration>();
                var serviceUrl = configuration["ServiceUrl"];
                o.Address = new Uri(serviceUrl);
            })
            .AddInterceptor<ClientInterceptor>();
    
        services.AddTransient<AuthService>();
    

    Finally, the service class itself:

        public class AuthService
        {
            public AuthService(AuthServiceV1.AuthServiceV1Client client)
            {
                _client = client;
            }
    
            private readonly AuthServiceV1.AuthServiceV1Client _client;
    
            ...
        }
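Added example, not part of the original answer or of any project's code: one possible body for the `GetCertificate` helper that the post calls but does not show, plus a client channel for server-only TLS that uses an `https` address and, when the certificate is not in the machine's trust store, accepts it only if its thumbprint matches a pinned value. `TlsHelpers`, `CreateChannel` and `pinnedThumbprint` are hypothetical names; the code assumes the `Grpc.Net.Client` package.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Grpc.Net.Client;

public static class TlsHelpers
{
    // Hypothetical implementation of the GetCertificate helper referenced in the post.
    public static X509Certificate2 GetCertificate(StoreLocation location, StoreName name, string thumbprint)
    {
        using var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false, because a self-signed certificate may not chain to a trusted root.
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in {location}/{name}.");
        var cert = matches[0];
        // Kestrel needs the private key to complete the TLS handshake.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate was found but has no private key.");
        return cert;
    }

    // Client channel for server-only TLS: https address, no client certificate.
    public static GrpcChannel CreateChannel(string serviceUrl, string pinnedThumbprint)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                // Certificate already trusted by the OS store and issued for this host name.
                if (errors == SslPolicyErrors.None) return true;
                // Otherwise tolerate only an untrusted chain, and only for the pinned certificate.
                // A host name mismatch or a missing certificate is always rejected.
                return errors == SslPolicyErrors.RemoteCertificateChainErrors
                    && cert != null
                    && string.Equals(cert.Thumbprint, pinnedThumbprint, StringComparison.OrdinalIgnoreCase);
            }
        };
        return GrpcChannel.ForAddress(serviceUrl, new GrpcChannelOptions { HttpHandler = handler });
    }
}
```

The returned channel can be passed to the generated client's constructor, for example `new AuthServiceV1.AuthServiceV1Client(channel)`.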
    

    【Discussion】:
