I have two API projects, one that's based on the .NET Framework 4.6.2 (an old API) and one that's based on .NET Core 2.0. The old API can disable self-signed certificate validation quite simply:
System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
However this code does not work in .NET Core (even though it compiles fine), and it is causing me issues when the API tries to communicate (specifically when it tries to get the discovery document from the identity server, which is behind a reverse proxy which, in this environment, has a self-signed certificate that it uses for https). I've seen similar questions on StackOverflow but all the answers have to do with how the HttpClient is created. The issue for me is that I have no control over how the HttpClient is created (the token validation is middleware and I don't see any way to control how it's creating the HttpClient), so I'm wondering if there is a global way in .NET Core to skip self-signed certificate validation?
EDIT: my issue seems closely related to this issue, however I have taken the self-signed certificated and loaded it into the trusted root of both the container (where the api is running) and my local machine (where the container is running) and I still get the certificate validation errors.
I should have looked more closely at the JwtBearerOptions, turns out I could set options.BackchannelHttpHandler
, e.g.: options.BackchannelHttpHandler = new HttpClientHandler { ServerCertificateCustomValidationCallback = delegate { return true; } };
-- now it works as expected.
EDIT: although it is possible to skip certificate validation in .NET Core, I eventually abandoned this approach because it became too cumbersome to find all the components that had an HttpClient and to modify the HttpClient to skip cert validation. The approach I eventually went with was to create a CA using easy-rsa and then to generate certs signed by the CA. Then the only step is to import the CA cert into the containers and they'll trust the other certs. It may sound like a lot but the easy-rsa command interface is fairly straight-forward and it really doesn't end up being that much effort.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With