
【Azure APIM】How can the APIM self-hosted gateway solve the trust problem for self-signed certificates? (Option 3)

Problem description

In the four earlier posts

1: 【Azure APIM】How can the APIM self-hosted gateway solve the trust problem for self-signed certificates? (Option 2)

2: 【Azure APIM】How can the APIM self-hosted gateway solve the trust problem for self-signed certificates? (Option 1)

3: 【Azure APIM】How to fix the APIM 500 error "Error occured while calling backend service" when the backend API service is configured with a self-signed certificate

4: 【Azure Environment】Steps for generating a self-signed certificate chain with OpenSSL on Windows

we covered generating self-signed certificates with OpenSSL and then resolving the APIM service's trust of those certificates. For both the APIM-managed gateway and the self-hosted gateway, requests can be made trusted by installing the certificate, or the API can be configured to skip the certificate validation step.

This post approaches the problem from the self-hosted gateway itself, the AKS Pod: by configuring the SSL_CERT_FILE environment variable, the self-signed certificates (root and intermediate) are installed into the Pod.

According to an answer from an AI large language model, the key to calling an API that uses a self-signed certificate from AKS (Azure Kubernetes Service) is to make the client trust that certificate. The main idea is:

  1. Create a Secret containing the CA certificate
  2. Import the self-signed CA certificate file (for example ca.crt) into the AKS cluster
  3. In the application's deployment YAML, mount that Secret into the container and set the SSL_CERT_FILE environment variable to point at the certificate


Steps

Step 1: Prepare a .crt file containing the intermediate and root certificates merged together

Export method: export the intermediate + root certificates as a crt file from the browser; its content is Base64 encoded.


Step 2: Create the Kubernetes Secret

Import the self-signed CA certificate file (for example my-inetr-ca.crt) into the AKS cluster:

Command:

kubectl create secret generic self-signed-ca --from-file="<the full path of my-inetr-ca.crt>"

Result:


Step 3: Mount the certificate into the APIM self-hosted gateway Pod

In the application's deployment YAML, mount the Secret into the container and set the SSL_CERT_FILE environment variable to point at that certificate:

    ...
        volumeMounts:
        - name: ca-volume
          mountPath: /etc/ssl/certs/my-ca.crt
          subPath: my-inetr-ca.crt
        env:
        - name: SSL_CERT_FILE
          value: /etc/ssl/certs/my-ca.crt
    ...
      volumes:
      - name: ca-volume
        secret:
          secretName: self-signed-ca
    ...

Take the deployment YAML obtained from APIM and modify only the three places shown in the figure.


Step 4: Deploy the configuration above, then access the AKS Service external URL to test and verify

# Deploy
kubectl apply -f "<apim self-hosted gateway yaml file>"
# Get the externally exposed IP address
kubectl get services

## Test calling an API through the self-hosted gateway
curl https://<external ip>/api -k

Test result: certificate validation succeeded and the correct response was returned. (The -k here only disables curl's check of the gateway's own front-end certificate; the backend certificate validation this post is about happens inside the gateway.)


Without SSL_CERT_FILE configured and the certificate mounted, the request fails with 500 Internal Server Error. Looking further at the GatewayLogs via kubectl logs <pod name> reveals the detailed error: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

Detailed error
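The 500 above appears whenever the three edited places in the Deployment and the Secret from step 2 disagree (wrong mountPath, missing subPath, a subPath that is not a key of the Secret). The following check is an added example, not code from the original post: it takes the container spec, pod spec and the Secret's data keys as plain dicts (constructed here to mirror the post's values; in practice load them from the downloaded gateway YAML and kubectl) and reports every inconsistency before you apply the manifest.

```python
# Added example (not from the original post): verify that SSL_CERT_FILE, the
# volumeMount, the pod volume and the Secret created in step 2 all agree.
# CONTAINER, POD_SPEC and SECRETS are constructed to mirror the post's manifest.

def check_ca_wiring(container: dict, pod_spec: dict, secrets: dict) -> list:
    """Return a list of problems; an empty list means the CA file will be where
    SSL_CERT_FILE says it is. `secrets` maps Secret name -> set of data keys."""
    problems = []
    env = {e["name"]: e.get("value") for e in container.get("env", [])}
    cert_path = env.get("SSL_CERT_FILE")
    if not cert_path:
        return ["SSL_CERT_FILE is not set on the container"]
    mount = next((m for m in container.get("volumeMounts", [])
                  if m.get("mountPath") == cert_path), None)
    if mount is None:
        return [f"no volumeMount with mountPath {cert_path}"]
    volume = next((v for v in pod_spec.get("volumes", [])
                   if v.get("name") == mount.get("name")), None)
    if volume is None:
        return [f"volumeMount {mount.get('name')!r} has no matching pod volume"]
    secret_name = volume.get("secret", {}).get("secretName")
    if secret_name is None:
        return [f"volume {volume['name']!r} is not backed by a Secret"]
    if secret_name not in secrets:
        problems.append(f"Secret {secret_name!r} does not exist in the namespace")
    sub_path = mount.get("subPath")
    if sub_path is None:
        # Without subPath the mountPath becomes a directory holding every key,
        # so SSL_CERT_FILE would point at a directory rather than a PEM file.
        problems.append(f"mount at {cert_path} has no subPath")
    elif secret_name in secrets and sub_path not in secrets[secret_name]:
        # kubectl create secret --from-file uses the file's basename as the key,
        # which is why the post's subPath equals the exported file name.
        problems.append(f"subPath {sub_path!r} is not a key of Secret {secret_name!r}")
    return problems

# Constructed data mirroring the post's manifest fragment and Secret.
CONTAINER = {
    "env": [{"name": "SSL_CERT_FILE", "value": "/etc/ssl/certs/my-ca.crt"}],
    "volumeMounts": [{"name": "ca-volume", "mountPath": "/etc/ssl/certs/my-ca.crt",
                      "subPath": "my-inetr-ca.crt"}],
}
POD_SPEC = {"volumes": [{"name": "ca-volume", "secret": {"secretName": "self-signed-ca"}}]}
SECRETS = {"self-signed-ca": {"my-inetr-ca.crt"}}

if __name__ == "__main__":
    print(check_ca_wiring(CONTAINER, POD_SPEC, SECRETS) or "CA wiring is consistent")
```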

[Info] 2026-01-23T07:26:27.251 [DnsResolutionScheduled], message: xselfca02.myxxxxx.com, source: RoundRobinNameResolver
[Info] 2026-01-23T07:26:27.252 [OutgoingTlsProtocolsSet], message: Tls, Tls11, Tls12, source: TcpChannelFactory
[Info] 2026-01-23T07:26:27.598 [CertificateInfoVerificationScheduled], message: thumbprint: 62BF1CFA2116828E3F0B3C7D8FB4C380CD2CE358, subjectName: CN=*.myxxxxx.com, O=My Self Server Org, S=Chongqing, C=CN (CRL URLs: ; AIA URLs: )
[Warn] 2026-01-23T07:26:27.601 [FailedToProcessRequest], ActivityId: d5d383dc-c395-4111-8558-2193f9bbb8ff, correlationId: d5d383dc-c395-4111-8558-2193f9bbb8ff, apiId: 69303f7730caebcf2a534309, operationId: get-home-page, tags: 20, httpMethod: GET, source: request-forwarder, serviceName: apim-gateway, exception: System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan`1 alert, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at Gateway.Http.Client.DotNetty.TcpChannelFactory.CreateChannelAsync(IPEndPoint endpoint, RequestedApplicationProtocol requestedApplicationProtocol, TlsInfo tlsMetadata, HttpProxy httpProxyMetadata, Int32 destinationPort, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\TcpChannelFactory.cs:line 116
at Gateway.Http.Client.DotNetty.EndpointPool.CreateAsyncInternal(IPipelineContext pipelineContext, ChannelPoolKey channelPoolKey, RequestedApplicationProtocol requestedApplicationProtocol, CancellationToken cancellationToken, GateInfo gateInfo) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\EndpointPool.cs:line 307
at Gateway.Http.Client.DotNetty.EndpointPool.CreateAsync(IPipelineContext pipelineContext, ChannelPoolKey channelPoolKey, RequestedApplicationProtocol requestedApplicationProtocol, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\EndpointPool.cs:line 128
at Gateway.Http.Client.DotNetty.SingleThreadedBackendChannelPool.AcquireAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\SingleThreadedBackendChannelPool.cs:line 189
at Gateway.Http.Client.DotNetty.RoundRobinBackendChannelPool.Acquire0(Object state) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\RoundRobinBackendChannelPool.cs:line 73
at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.AcquireChannelAsync(IPipelineContext ctx, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 791
at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 172
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 66
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.ChildPipeline.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Pipeline\ChildPipeline.cs:line 35
at Gateway.Pipeline.Extensions.ValueTaskExtensions.Await[T](ValueTask`1 input) in C:\__w\1\s\Proxy\Gateway.Pipeline\Extensions\ValueTaskExtensions.cs:line 28
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.IO.CallServiceHandler.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Policies.General\IO\CallServiceHandler.cs:line 94
at Gateway.Http.Client.DotNetty.SingleThreadedBackendChannelPool.AcquireAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\SingleThreadedBackendChannelPool.cs:line 189
at Gateway.Http.Client.DotNetty.RoundRobinBackendChannelPool.Acquire0(Object state) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\RoundRobinBackendChannelPool.cs:line 73
at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.AcquireChannelAsync(IPipelineContext ctx, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 791
at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 172
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 66
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.ChildPipeline.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Pipeline\ChildPipeline.cs:line 35
at Gateway.Pipeline.Extensions.ValueTaskExtensions.Await[T](ValueTask`1 input) in C:\__w\1\s\Proxy\Gateway.Pipeline\Extensions\ValueTaskExtensions.cs:line 28
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.IO.CallServiceHandler.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Policies.General\IO\CallServiceHandler.cs:line 94
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 66
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.ChildPipeline.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Pipeline\ChildPipeline.cs:line 35
at Gateway.Pipeline.Extensions.ValueTaskExtensions.Await[T](ValueTask`1 input) in C:\__w\1\s\Proxy\Gateway.Pipeline\Extensions\ValueTaskExtensions.cs:line 28
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 66
at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.PipelineExecutor.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Pipeline\PipelineExecutor.cs:line 215, transportError: 0, httpError: 0
[Info] 2026-01-23T07:26:26.678 [GatewayLogs], correlationId: x-x-x-x, isRequestSuccess: false, totalTime: 922, category: "GatewayLogs", callerIpAddress: "x.x.x.x", timeGenerated: 2026-01-23T07:26:26.678, region: "aks", correlationId: "x-x-x-x-x", method: "GET", url: "https://x.x.x.x/xselfca", responseCode: 500, responseSize: 259, cache: "none", backendTime: 920, apiId: "XXXXXXXXXXXXXXXXXXX", operationId: "get-home-page", clientProtocol: "HTTP/1.1", apiRevision: "1", clientTlsVersion: "1.3", backendMethod: "GET", backendUrl: "https://xxx.xxx.com/", lastError: {"elapsed":921,"source":"request-forwarder","path":"forward-request\\forward-request","reason":"BackendConnectionFailure","message":"The remote certificate was rejected by the provided RemoteCertificateValidationCallback.","section":"backend"}, errors: [{"elapsed":921,"source":"request-forwarder","path":"forward-request\\forward-request","reason":"BackendConnectionFailure","message":"The remote certificate was rejected by the provided RemoteCertificateValidationCallback.","section":"backend"}]
[Info] 2026-01-23T07:27:22.895 [InitialDnsNeighborDiscoverySucceeded], message: Successfully resolved IP addresses for DNS name xnewcstest-instance-discovery: 10.244.1.11, source: Neighborhood

 

References

Use custom certificate authorities (CAs) in Azure Kubernetes Service (AKS) : https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority
