Description
I run my application in a Linux container using Kubernetes behind an ingress load balancer. The container is based on mcr.microsoft.com/dotnet/core-nightly/aspnet:5.0. I use GitHub for authentication, and these are my headers when using curl.
➜ ~ curl -v -s https://wieldy.local.computer 1> /dev/null
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to wieldy.local.computer (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [235 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [962 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=New York; L=Rochester; O=Wieldy; OU=Development; CN=localhost
* start date: Feb 28 16:09:13 2020 GMT
* expire date: Feb 27 16:09:13 2021 GMT
* subjectAltName: host "wieldy.local.computer" matched cert's "wieldy.local.computer"
* issuer: C=US; ST=New York; L=Rochester; O=Wieldy; OU=Development; CN=localhost
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa88280f000)
> GET / HTTP/2
> Host: wieldy.local.computer
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx/1.17.7
< date: Sun, 12 Apr 2020 07:32:46 GMT
< content-type: text/html; charset=utf-8
< vary: Accept-Encoding
< strict-transport-security: max-age=15724800; includeSubDomains
<
{ [3949 bytes data]
* Connection #0 to host wieldy.local.computer left intact
* Closing connection 0

The error occurs when the /signin-github endpoint is hit, and this is the stack trace.
trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[5]
Performing unprotect operation to key {42a05523-0ddb-4081-9bd5-ca847a90353f} with purposes ('SharedCookieApp', 'Microsoft.AspNetCore.Authentication.OAuth.OAuthHandler`1[[Microsoft.AspNetCore.Authentication.OAuth.OAuthOptions, Microsoft.AspNetCore.Authentication.OAuth, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]]', 'GitHub', 'v1').
info: Microsoft.AspNetCore.Authentication.OAuth.OAuthHandler`1[[Microsoft.AspNetCore.Authentication.OAuth.OAuthOptions, Microsoft.AspNetCore.Authentication.OAuth, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]][4]
Error from RemoteAuthentication: The SSL connection could not be established, see inner exception..
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HLUUML3KGLUS", Request id "0HLUUML3KGLUS:0000000C": An unhandled exception was thrown by the application.
System.Exception: An error was encountered while handling the remote login.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts, CancellationToken callerToken, Int64 timeoutTime)
at Microsoft.AspNetCore.Authentication.OAuth.OAuthHandler`1.ExchangeCodeAsync(OAuthCodeExchangeContext context)
at Microsoft.AspNetCore.Authentication.OAuth.OAuthHandler`1.HandleRemoteAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
Is this a known issue or how can we troubleshoot this further?
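The trace above shows the failure is not on the inbound side (curl to the ingress succeeds) but on the OAuth handler's outbound back-channel call: `OAuthHandler.ExchangeCodeAsync` posts the authorization code to the token endpoint through the handler's own HttpClient, and that client rejects the certificate it is shown. The default log message hides which check failed. The following is an added example, not code from the issue author or from the ASP.NET Core project: it plugs a logging-only `ServerCertificateCustomValidationCallback` into the handler's `BackchannelHttpHandler` so the chain status and the presented certificate are logged, while still returning the original verdict. It assumes GitHub is registered with the generic `AddOAuth("GitHub", ...)` (consistent with the `OAuthHandler` type in the trace), that the client id and secret are supplied via the `GITHUB_CLIENT_ID` / `GITHUB_CLIENT_SECRET` environment variables, and the extension method name `AddGitHubWithBackchannelLogging` is mine.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class BackchannelDiagnostics
{
    // Registers the GitHub OAuth scheme with a back-channel handler that explains
    // certificate-validation failures in the log. Hypothetical helper name; the
    // endpoints below are GitHub's documented OAuth endpoints.
    public static AuthenticationBuilder AddGitHubWithBackchannelLogging(
        this AuthenticationBuilder builder, ILoggerFactory loggerFactory)
    {
        var log = loggerFactory.CreateLogger("OAuth.Backchannel");

        return builder.AddOAuth("GitHub", options =>
        {
            // Assumption: credentials come from the pod environment.
            options.ClientId = Environment.GetEnvironmentVariable("GITHUB_CLIENT_ID")
                               ?? throw new InvalidOperationException("GITHUB_CLIENT_ID not set");
            options.ClientSecret = Environment.GetEnvironmentVariable("GITHUB_CLIENT_SECRET")
                                   ?? throw new InvalidOperationException("GITHUB_CLIENT_SECRET not set");
            options.CallbackPath = "/signin-github";
            options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize";
            options.TokenEndpoint = "https://github.com/login/oauth/access_token";
            options.UserInformationEndpoint = "https://api.github.com/user";

            // This handler is used only for the outbound token / user-info requests,
            // i.e. exactly the path that throws in the trace.
            options.BackchannelHttpHandler = new HttpClientHandler
            {
                ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
                {
                    if (errors == SslPolicyErrors.None)
                        return true;

                    log.LogError("Back-channel TLS validation failed for {Host}: {Errors}",
                        request.RequestUri?.Host, errors);

                    if (cert != null)
                        log.LogError("Presented leaf: subject={Subject} issuer={Issuer} notBefore={NotBefore:u} notAfter={NotAfter:u}",
                            cert.Subject, cert.Issuer, cert.NotBefore, cert.NotAfter);

                    if (chain != null)
                    {
                        // ChainStatus says *why* the chain was rejected, e.g. PartialChain /
                        // UntrustedRoot (no CA bundle in the image or an intercepting proxy),
                        // NotTimeValid (clock), RevocationStatusUnknown (no CRL/OCSP egress).
                        foreach (var status in chain.ChainStatus)
                            log.LogError("Chain status: {Status}: {Info}",
                                status.Status, status.StatusInformation?.Trim());

                        // ChainElements shows what the container actually received; an
                        // unexpected issuer here points at something between the pod and GitHub.
                        foreach (var element in chain.ChainElements)
                            log.LogError("Chain element: {Subject} (issuer {Issuer})",
                                element.Certificate.Subject, element.Certificate.Issuer);
                    }

                    // Keep the rejection. Never return true here to "fix" the error;
                    // that would silently accept whatever is terminating TLS towards the pod.
                    return false;
                }
            };
        });
    }
}
```

Wire it in place of the existing `AddOAuth("GitHub", ...)` registration and hit /signin-github again; the `Chain status` lines name the failed check. `RemoteCertificateNameMismatch` or an unfamiliar issuer in the chain indicates an egress proxy or service mesh sidecar terminating TLS, while `UntrustedRoot`/`PartialChain` with a genuine GitHub chain means the image's CA bundle is missing or stale. The same view can be obtained without redeploying by running `openssl s_client -connect github.com:443 -servername github.com` from a shell inside the pod and comparing the returned chain with the one curl sees from outside.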