问题描述

在先前的四篇博文

我们分别介绍了使用OpenSSL生成自签名证书，然后解决APIM服务对自签名证书的信任问题。不论是APIM托管的网关，还是自建的网关都可以通过安装证书后使得请求受信任，通过配置API跳过证书验证环节。

本文这从“自建网关本身AKS POD” 方面入手，通过配置 SSL_CERT_FILE 环境变量，来安装自签名证书（根证书和中间证书）到POD中。

经过AI大模型解答，在 AKS (Azure Kubernetes Service) 中访问使用自签名证书的 API，关键在于让客户端信任该证书，主要的思路是：

创建包含 CA 证书的 Secret
将自签名的 CA 证书文件 (例如 ca.crt) 导入到 AKS 集群
在应用部署的 YAML 文件中，将该 Secret 挂载到容器内，并设置 SSL_CERT_FILE 环境变量指向该证书

操作步骤

第一步：准备好中间证书和根证书合并一起的 .crt 内容

导出方法：通过浏览器导出中间证书+根证书的 crt 文件，其内容是 Base64 编码

第二步：创建Kubernetes Secret

将自签名的 CA 证书文件 (例如 my-inetr-ca.crt) 导入到 AKS 集群中：

命令：

kubectl create secret generic self-signed-ca --from-file="<the full path of my-inetr-ca.crt>"

结果：

第三步：在APIM的自建网关Pod中挂载证书

在应用部署的 YAML 文件中，将该 Secret 挂载到容器内，并设置 SSL_CERT_FILE 环境变量指向该证书

...
        volumeMounts:
        - name: ca-volume
          mountPath: /etc/ssl/certs/my-ca.crt
          subPath: my-inetr-ca.crt
        env:
        - name: SSL_CERT_FILE
          value: /etc/ssl/certs/my-ca.crt
  ... 
      volumes:
      - name: ca-volume
        secret:
          secretName: self-signed-ca
...

把从APIM获取的部署yaml内容，只修改如图中的三个位置，即可。

第四步：部署以上配置，后访问AKS Service External URL进行测试验证

# 部署

kubectl apply -f "<apim self-hosted gateway yaml file>"

#获取对外暴露的IP地址

kubectl get services

##测试访问自建网关中的API

curl https://<external ip>/api -k

测试结果，成功通过证书验证及获取正确的结果：

如果没有配置SSL_CERT_FILE 及挂载证书，就会遇见500 Internal server error。如果进一步通过 kubectl logs <pod name> 查看GatewayLogs日志，就会发现详细错误：The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

详细错误

[Info] 2026-01-23T07:26:27.251 [DnsResolutionScheduled], message: xselfca02.myxxxxx.com, source: RoundRobinNameResolver

[Info] 2026-01-23T07:26:27.252 [OutgoingTlsProtocolsSet], message: Tls, Tls11, Tls12, source: TcpChannelFactory

[Info] 2026-01-23T07:26:27.598 [CertificateInfoVerificationScheduled], message: thumbprint: 62BF1CFA2116828E3F0B3C7D8FB4C380CD2CE358, subjectName: CN=*.myxxxxx.com, O=My Self Server Org, S=Chongqing, C=CN (CRL URLs: ; AIA URLs: )

[Warn] 2026-01-23T07:26:27.601 [FailedToProcessRequest], ActivityId: d5d383dc-c395-4111-8558-2193f9bbb8ff, correlationId: d5d383dc-c395-4111-8558-2193f9bbb8ff, apiId: 69303f7730caebcf2a534309, operationId: get-home-page, tags: 20, httpMethod: GET, source: request-forwarder, serviceName: apim-gateway, exception: System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan`1 alert, ExceptionDispatchInfo exception)

at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)

at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)

at Gateway.Http.Client.DotNetty.TcpChannelFactory.CreateChannelAsync(IPEndPoint endpoint, RequestedApplicationProtocol requestedApplicationProtocol, TlsInfo tlsMetadata, HttpProxy httpProxyMetadata, Int32 destinationPort, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\TcpChannelFactory.cs:line 116

at Gateway.Http.Client.DotNetty.EndpointPool.CreateAsyncInternal(IPipelineContext pipelineContext, ChannelPoolKey channelPoolKey, RequestedApplicationProtocol requestedApplicationProtocol, CancellationToken cancellationToken, GateInfo gateInfo) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\EndpointPool.cs:line 307

at Gateway.Http.Client.DotNetty.EndpointPool.CreateAsync(IPipelineContext pipelineContext, ChannelPoolKey channelPoolKey, RequestedApplicationProtocol requestedApplicationProtocol, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\EndpointPool.cs:line 128

at Gateway.Http.Client.DotNetty.SingleThreadedBackendChannelPool.AcquireAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\SingleThreadedBackendChannelPool.cs:line 189

at Gateway.Http.Client.DotNetty.RoundRobinBackendChannelPool.Acquire0(Object state) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\RoundRobinBackendChannelPool.cs:line 73

at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.AcquireChannelAsync(IPipelineContext ctx, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 791

at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 172

at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 66

at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.ChildPipeline.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Pipeline\ChildPipeline.cs:line 35

at Gateway.Pipeline.Extensions.ValueTaskExtensions.Await[T](ValueTask`1 input) in C:\__w\1\s\Proxy\Gateway.Pipeline\Extensions\ValueTaskExtensions.cs:line 28

at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.IO.CallServiceHandler.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in C:\__w\1\s\Proxy\Gateway.Policies.General\IO\CallServiceHandler.cs:line 94

at Gateway.Http.Client.DotNetty.RoundRobinBackendChannelPool.Acquire0(Object state) in C:\__w\1\s\Proxy\Gateway.Http.Client.DotNetty\RoundRobinBackendChannelPool.cs:line 73

at Gateway.Pipeline.Extensions.ValueTaskExtensions.Await[T](ValueTask`1 input) in C:\__w\1\s\Proxy\Gateway.Pipeline\Extensions\ValueTaskExtensions.cs:line 28

at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.PipelineExecutor.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in C:\__w\1\s\Proxy\Gateway.Pipeline\PipelineExecutor.cs:line 215, transportError: 0, httpError: 0

[Info] 2026-01-23T07:26:26.678 [GatewayLogs], correlationId: x-x-x-x, isRequestSuccess: false, totalTime: 922, category: "GatewayLogs", callerIpAddress: "x.x.x.x", timeGenerated: 2026-01-23T07:26:26.678, region: "aks", correlationId: "x-x-x-x-x", method: "GET", url: "https://x.x.x.x/xselfca", responseCode: 500, responseSize: 259, cache: "none", backendTime: 920, apiId: "XXXXXXXXXXXXXXXXXXX", operationId: "get-home-page", clientProtocol: "HTTP/1.1", apiRevision: "1", clientTlsVersion: "1.3", backendMethod: "GET", backendUrl: "https://xxx.xxx.com/", lastError: {"elapsed":921,"source":"request-forwarder","path":"forward-request\\forward-request","reason":"BackendConnectionFailure","message":"The remote certificate was rejected by the provided RemoteCertificateValidationCallback.","section":"backend"}, errors: [{"elapsed":921,"source":"request-forwarder","path":"forward-request\\forward-request","reason":"BackendConnectionFailure","message":"The remote certificate was rejected by the provided RemoteCertificateValidationCallback.","section":"backend"}]

[Info] 2026-01-23T07:27:22.895 [InitialDnsNeighborDiscoverySucceeded], message: Successfully resolved IP addresses for DNS name xnewcstest-instance-discovery: 10.244.1.11, source: Neighborhood

参考资料

Use custom certificate authorities (CAs) in Azure Kubernetes Service (AKS) : https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority

当在复杂的环境中面临问题，格物之道需：浊而静之徐清，安以动之徐生。云中，恰是如此!

【Azure APIM】APIM的自建网关如何解决自签名证书的受信任问题呢？(方案三)