堆栈内存溢出
  简体   繁体   English

Docker上的Vault TLS - 无法验证127.0.0.1的证书,因为它不包含任何IP SAN

[英]Vault TLS on Docker - cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

 原文  2018-04-12 09:17:32       docker/ ssl/ openssl

问题描述

I'm trying to run TLS on Valut using docker. 我正在尝试使用docker在Valut上运行TLS。 At first generate certificates and run docker container with Vault server mode. 首先生成证书并使用Vault服务器模式运行docker容器。 After that I run vault init command that returns error: 之后我运行vault init命令返回错误:

Error initializing: Put https://127.0.0.1:8200/v1/sys/init : x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs 初始化错误:放置https://127.0.0.1:8200/v1/sys/init:x509 :无法验证127.0.0.1的证书,因为它不包含任何IP SAN

I could use -tls-skip-verify but is not a solution. 我可以使用-tls-skip-verify但不是解决方案。

I generate certs using openssl.cnf file: 我使用openssl.cnf文件生成证书: 

[ ca ]
default_ca = testca

[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7
default_days = 365
default_md = sha256

policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
subjectAltName = @alt_names

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = localhost
DNS.1 = 127.0.0.1
DNS.2 = 0.0.0.0

These commands are used to generate CA cert.pem and key.pem: 这些命令用于生成CA cert.pem和key.pem: 

openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes

openssl x509 -in cacert.pem -out cacert.cer -outform DER

To run docker container I use: 要运行docker容器,我使用: 

docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener":[{"tcp":{"address":"127.0.0.1:8200", "tls_cert_file":"/vault/ca/cacert.pem", "tls_key_file":"/vault/ca/private/cakey.pem"}}], "backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' -p8201:8200 --name vault-server -v/tmp/vault-conf/ca-keys:/vault/ca vault server

Docker mounts folder with certificates which are used in Vault conf file. Docker使用Vault conf文件中使用的证书安装文件夹。

There are docker logs: 有泊坞日志: 

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
                 Storage: file
                 Version: Vault v0.9.6
             Version Sha: 7e1fbde40afee241f81ef08700e7987d86fc7242

==> Vault server started! Log data will stream in below:

Now after exec command vault init inside docker container it returns above error. 现在在docker容器内的exec命令vault init之后它返回上面的错误。

Generated cacert.pem file does contains 127.0.0.1 IP address in SAN. 生成的cacert.pem文件在SAN中包含127.0.0.1 IP地址。 

X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:127.0.0.1, DNS:0.0.0.0

Where I make a mistake? 哪里弄错了?

1 个解决方案

解决方案1
 1  2018-04-28 08:02:21

Looks like you'd just update the DNS section to: 您似乎只是将DNS部分更新为: 

[ alt_names ]
DNS.0 = localhost
IP.1 = 127.0.0.1
IP.2 = 0.0.0.0

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 无法验证ip的证书,因为它不包含任何IP SAN - Cannot validate certificate for ip because it doesn't contain any IP SANs 无法验证证书<ip-address>因为它不包含任何 IP SAN - cannot validate certificate for <ip-address> because it doesn't contain any IP SANs x509:无法验证 &lt;<HOST IP> &gt; 因为它不包含任何 IP SAN - Hyperledger Fabric-CA - x509: cannot validate certificate for <<HOST IP>> because it doesn't contain any IP SANs - Hyperledger Fabric-CA MinIO + Docker - 不能使用新版本的 SSL 证书(x509 不包含任何 IP sans) - MinIO + Docker - cannot use SSL certificate with new version (x509 doesn't contain any IP sans) 我的本地 API 127.0.0.1:8000 不适用于 docker - My local API 127.0.0.1:8000 doesn't work with docker Ubuntu docker映像不包含任何/ dev / sdX块设备? - Ubuntu docker image doesn't contain any /dev/sdX block devices? 将Docker注册表与不带IP SAN的SSL证书一起使用 - Use Docker registry with SSL certifictae without IP SANs 如何使用重定向 127.0.0.1 到 docker 机器 IP - How to use a redirect 127.0.0.1 to docker machine IP 无法使用127.0.0.1连接mysql服务器docker容器,但可以使用IP? - Can't use 127.0.0.1 to connect mysql server docker container, but can use IP? 无法通过AWS身份验证连接到Docker容器中的Hashicorp Vault-X509证书错误 - Can't connect to Hashicorp Vault in Docker container with AWS authentication- x509 certificate error
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM