httpwebrequest, set host, ssl error

    Question

  • Hello,

    I have a number of servers that all use the same URL behind a load balancer, and I wanted to use httpwebrequest to poll each server to see if it was rendering content. So there is one URL, i.e. https://mysite.com/myfile.xml, and I wanted to use the Host value of httpwebrequest to specify an IP address, i.e. IP of Server1, IP of Server2, IP of Server3 in rotation, and check each server was returning the information.

    $wc=[system.net.httpwebrequest]::create("https://mysite.com/myfile.xml")
    $wc.host = "127.0.0.1"
    $resp = $wc.getresponse()

    This fails with :

    Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
    At line:1 char:24
    + $resp = $wc.getresponse <<<< ()
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

    If I don't set the Host value and rely on the OS Hosts file to target each server, it works as expected so the certificate itself is trusted and valid, just trying to go to a specific IP as part of httpwebrequest doesn't work.

    Is there another way to test this short of setting an OS hosts file entry, test, change hosts file, test, etc.?

    Thank you,

    Dominic

    Monday, March 5, 2012 23:31

All replies

  • I am not sure but suspect this to be the problem:  From this site: http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.host.aspx

    The Host property can be used to set the Host header value to use in an HTTP request independent from the request URI. The Host property can consist of a hostname and an optional port number. A Host header without port information implies the default port for the service requested (port 80 for an HTTP URL, for example).

    The format for specifying a host and port must follow the rules in section 14.23 of RFC2616 published by the IETF. An example complying with these requirements that specifies a port of 8080 would be the following value for the Host property:

    www.contoso.com:8080

    Using the Host property to explicitly specify a custom Host header value also affects areas caching, cookies, and authentication. When an application provides credentials for a specific URI prefix, the application needs to make sure to use the URI containing the value of the Host header, not the target server in the URI. The key used when caching resources uses the Host header value rather than the request URI. Cookies are stored in a CookieContainer and logically grouped by the server domain name. If the application specifies a Host header, then this value will be used as domain.

    If the Host property is not set, then the Host header value to use in an HTTP request is based on the request URI.

    For one thing, HTTPS normally doesn't use port 80, rather it's something else, right?  I am weak on X509 so can't speak for authentication parameters.  You could try running a Wireshark trace to see it happening too.


    JP Cowboy Coders Unite!

    Wednesday, March 7, 2012 00:39
  • Actually, setting the HOST HTTP header has nothing to do with testing a load balancer, so using it to test "won't work".

    As for why the authentication error occurs, it's the reason Mr. Javaman II quotes: the server checks the HOST header, sees it doesn't match what the TCP socket said, and thinks it's an attempt to tamper with the certificate identification, so it simply rejects the connection.

    The correct way is to modify the hosts file. Alternatively, if the e-certificate you applied for is for the domain level, you can set web1.mysite.com, web2.mysite.com, web3.mysite.com pointing to those servers to test with. If there's a local nameserver role enabled, you can use WMI to manipulate the DNS record. There are a few choices for you to choose from.



    Wednesday, March 7, 2012 06:30
  • Cheong00;

      Makes sense...


    JP Cowboy Coders Unite!

    Wednesday, March 7, 2012 13:58
  • Ah okay. Thank you. I thought that was the whole point of the Host entry to go to a particular IP like you do with a Hosts file entry.

    Will have to go the Hosts file route, I suppose.

    Cheers.

    Wednesday, March 7, 2012 19:39
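
For the original question (polling each backend by IP while the certificate is still checked against mysite.com), one option besides the hosts file is to open the TCP connection to the IP directly and pass the hostname to SslStream. This is an added example, not code from any poster in the thread; the 192.0.2.x addresses are constructed placeholders and Test-Backend is a hypothetical helper name.

```powershell
# Added example. Addresses are constructed placeholders (documentation range).
$hostName = 'mysite.com'      # name the certificate was issued for (from the question)
$path     = '/myfile.xml'
$backends = '192.0.2.11', '192.0.2.12', '192.0.2.13'

function Test-Backend {
    param([string]$Ip, [string]$HostName, [string]$Path,
          [int]$Port = 443, [int]$TimeoutMs = 5000)

    $result = New-Object psobject -Property @{ Ip = $Ip; Status = $null; Error = $null }
    $ssl    = $null
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    try {
        # The socket goes to the chosen backend, bypassing DNS and the load balancer.
        $client.Connect($Ip, $Port)

        # No validation callback is supplied, so the default checks stay on:
        # the chain must be trusted and the certificate must match $HostName.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        # Minimal HTTP/1.1 request carrying the real site name in the Host header.
        $request = "GET $Path HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()

        # First line of the response is the HTTP status line.
        $reader = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
        $result.Status = $reader.ReadLine()
    }
    catch {
        # Connection failures and certificate mismatches both end up here.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
    $result
}

$backends |
    ForEach-Object { Test-Backend -Ip $_ -HostName $hostName -Path $path } |
    Format-Table Ip, Status, Error -AutoSize
```

Certificate validation is left at its defaults, so a backend serving the wrong or an expired certificate shows up in the Error column instead of being silently accepted.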