Vault TLS on Docker - cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
I'm trying to run TLS on Vault using Docker. At first I generate certificates and run the docker container in Vault server mode. After that I run
vault init
command that returns error:
Error initializing: Put https://127.0.0.1:8200/v1/sys/init : x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
I could use -tls-skip-verify but it is not a solution.
I generate certs using an openssl.cnf file:
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
subjectAltName = @alt_names
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = localhost
DNS.1 = 127.0.0.1
DNS.2 = 0.0.0.0
These commands are used to generate the CA cert.pem and key.pem:
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER
To run the docker container I use:
docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener":[{"tcp":{"address":"127.0.0.1:8200", "tls_cert_file":"/vault/ca/cacert.pem", "tls_key_file":"/vault/ca/private/cakey.pem"}}], "backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' -p8201:8200 --name vault-server -v/tmp/vault-conf/ca-keys:/vault/ca vault server
Docker mounts the folder with the certificates which are used in the Vault conf file.
Here are the docker logs:
This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.
==> Vault server configuration:
Cgo: disabled
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "enabled")
Log Level: info
Mlock: supported: true, enabled: true
Storage: file
Version: Vault v0.9.6
Version Sha: 7e1fbde40afee241f81ef08700e7987d86fc7242
==> Vault server started! Log data will stream in below:
Now after executing the command vault init inside the docker container it returns the above error.
The generated cacert.pem file does contain the 127.0.0.1 IP address in the SAN.
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Subject Alternative Name:
DNS:localhost, DNS:127.0.0.1, DNS:0.0.0.0
Where did I make a mistake?
Looks like you'd just update the DNS section to:
[ alt_names ]
DNS.0 = localhost
IP.1 = 127.0.0.1
IP.2 = 0.0.0.0
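The reason the answer works is specific to how the verifier matches names: Vault (and its CLI) are written in Go, and Go's crypto/x509 only compares an IP-literal host such as 127.0.0.1 against iPAddress entries in the subjectAltName, never against dNSName entries, so "DNS:127.0.0.1" is silently useless. The following Go program is an added example (not code from the question or from Vault) that builds two self-signed certificates in memory, one with the question's SAN layout and one with the answer's, and runs the same hostname verification the TLS client would run with the cert trusted as a root. The certificate contents, the CommonName "MyTestCA" and the ECDSA key are constructed here for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds a self-signed certificate whose subjectAltName carries
// the given DNS names and IP addresses. It stands in for the cacert.pem from
// the question, which is used directly as the Vault listener certificate.
func makeSelfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed test key
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "MyTestCA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsNames, // encoded as DNS:... SAN entries (openssl DNS.n)
		IPAddresses:           ips,      // encoded as IP Address:... SAN entries (openssl IP.n)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientVerify does what a Go TLS client does when the cert is trusted as a
// root (the VAULT_CACERT case): verify the chain for the host that was dialled.
// It returns Go's error text, or "" when verification succeeds.
func ClientVerify(cert *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error()
	}
	return ""
}

// WrongSAN reproduces the question's [ alt_names ]: the IP is written as a
// dNSName entry, so an IP-literal host finds no IP SAN to match.
func WrongSAN() string {
	cert, err := makeSelfSigned([]string{"localhost", "127.0.0.1", "0.0.0.0"}, nil)
	if err != nil {
		panic(err)
	}
	return ClientVerify(cert, "127.0.0.1")
}

// FixedSAN reproduces the answer's [ alt_names ]: IP.1 and IP.2 become
// iPAddress entries, which is what the verifier matches an IP host against.
func FixedSAN() string {
	cert, err := makeSelfSigned([]string{"localhost"},
		[]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("0.0.0.0")})
	if err != nil {
		panic(err)
	}
	return ClientVerify(cert, "127.0.0.1")
}

func main() {
	fmt.Printf("DNS:127.0.0.1 -> %q\n", WrongSAN())
	fmt.Printf("IP:127.0.0.1  -> %q\n", FixedSAN())
}
```

Running it prints the exact error from the question for the first certificate and an empty error for the second. The same check applies to any client written in Go (Vault agents, Consul, Terraform providers): if a listener is addressed by IP, the certificate needs an iPAddress SAN, and `openssl x509 -in cacert.pem -noout -text` should show "IP Address:127.0.0.1" rather than "DNS:127.0.0.1" under Subject Alternative Name.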