Can't authenticate to Identity server SSL handshake error

0
votes

Background. I need to get my site to authenticate through IdentityServer (IDS). "example.com"

I'm building all of my sites with DotNetCore Hosting them on a proxy server using apache let's call the private ip 12.3.4.5.

How they should work. I go to site example.com I should be able to talk to ids.exampe.com get authentication info and then be rerouted back to example.com with an auth token. Instead, I get a SSL handshake error. See below.

I'm specifically asking for help with getting the sites to trust one another.

However, if I try to authenticate by going directly to IDS site, no problem!! Golden! So as you can see, it's only when I try to communicate between sites that I get this issue.

An unhandled exception occurred while processing the request.
OpenSslCryptographicException: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure
Unknown location

SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int 
recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)

AuthenticationException: Authentication failed, see inner exception.
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken 
message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo 
exception)

HttpRequestException: The SSL connection could not be established, see 
inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream 
stream, SslClientAuthenticationOptions sslOptions, CancellationToken 
cancellationToken)

IOException: IDX20804: Unable to retrieve document from: 
'https://ids.example.com/.well-known/openid-


 configuration'.Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocu 
mentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: 
'https://ids.example.com/.well-known/openid-configuration'.

Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsyn c(CancellationToken cancel)

httpd.conf ::

# ServerRoot "/etc/httpd" LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:*>
  RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
</VirtualHost>


<VirtualHost *:443>
 ServerName ids.example.com
 SSLEngine on
 SSLProxyEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
 SSLProxyVerify none 
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off

 SSLProxyCheckPeerExpire off

 SSLCertificateKeyFile /etc/httpd/ssl/example.key 
 SSLCertificateFile    /etc/httpd/ssl/example.crt
 SSLVerifyClient require
 SSLVerifyDepth 10
 SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 ProxyPreserveHost on

 ProxyPass                   /       http://x.x.x.x:5008/
 ProxyPassReverse         /       http://x.x.x.x:5008/

</VirtualHost>



 # Main Site VirtualHost
<VirtualHost *:443>
 ServerName example.com
# SSL settings
 SSLEngine on
 SSLProxyEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
 SSLProxyVerify none 
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off
 SSLCertificateKeyFile /etc/httpd/ssl/example.key
 SSLCertificateFile    /etc/httpd/ssl/example.crt
# Client Verification
 SSLVerifyClient require
 SSLVerifyDepth 10
 SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
 RequestHeader set X-ARR-ClientCert "%{SSL_CLIENT_S_DN}s"
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Redirects
 ProxyPreserveHost on
 ProxyPass                /       http://x.x.x.x:5022/
 ProxyPassReverse         /       http://x.x.x.x:5022/
</VirtualHost>
1
apachesslreverse-proxyidentityserver4

1 Answers

0
votes

The error was in the http.conf file

I was using the SSLCACertificateFile directive when I should have been using SSLCACertificatePath directive...

Basically what was happening was I could authenticate with a DOD CAC pki, but once the dot.net core app tried to send into from one sever to the other, it would get a handshake error because the sites were using a self signed cert. My cert was in the correct place all along, however it was not trusting it because the SSLCACertificateFile directive says only trust this, opposed to trust everything in this directory.

Also my network guy recomends that in the future, it's a best practice to use the 
SSLCAcertificateFile, but to then combine your certs into one.

I really hope this will save someone else what I just went though... I have been trouble shooting this for 40 hours or so now. Going back and forth from config files, to code base changes...