堆栈内存溢出
  简体   繁体   English

x509:无法验证 &lt;<HOST IP> &gt; 因为它不包含任何 IP SAN - Hyperledger Fabric-CA

[英]x509: cannot validate certificate for <<HOST IP>> because it doesn't contain any IP SANs - Hyperledger Fabric-CA

 原文  2018-11-01 21:15:35       docker/ ssl/ openssl/ hyperledger-fabric/ tls1.2

问题描述

I'm trying to enroll an intermediate certificate authority with its root certificate authority, I'm using TLS and the CAs run in separated docker containers using the fabric-ca images.我正在尝试为其根证书颁发机构注册一个中间证书颁发机构,我正在使用 TLS,并且 CA 使用 fabric-ca 图像在单独的 docker 容器中运行。 If I send the CSR trough the docker network there are no problems, but if I try to send it trough my local network I have this problem: x509: cannot validate certificate for "HOST_IP" because it doesn't contain any IP SANs.如果我通过 docker 网络发送 CSR 没有问题,但是如果我尝试通过本地网络发送它,我会遇到这个问题:x509:无法验证“HOST_IP”的证书,因为它不包含任何 IP SAN。 I read that the reason for my problem, is that the TLS certificate(s) don't contain IP SANs (IP subject alternative names), this is a field in the TLS certificate that basically says: "The certificate was issued to a host that its IP is: <1.2.3.4>".我读到我的问题的原因是 TLS 证书不包含 IP SAN(IP 主题备用名称),这是 TLS 证书中的一个字段,基本上说:“证书已颁发给主机它的 IP 是:<1.2.3.4>”。 So, if that is the problem, how I could add this field to my certificate?那么,如果这是问题所在,我如何将此字段添加到我的证书中? and if not, what is the problem and how I could resolve it?如果没有,问题是什么,我该如何解决? Thanks and regards!感谢致敬!

1 个解决方案

解决方案1
 0  2020-01-13 06:16:07

You can follow the explanation given here with a similar IP SANS issue.您可以按照此处给出的解释处理类似的 IP SANS 问题。 There is also detailed explanation of IP SANS issue in HLF mailing List . HLF邮件列表中也有对 IP SANS 问题的详细说明。 Also make sure when you are using Fabric CA Client, to generate the certificates, use the server's hostname to request the same.还要确保在使用 Fabric CA 客户端时,要生成证书,请使用服务器的主机名来请求相同的证书。 for eg fabric-ca-client enroll -d --enrollment.profile tls -c <client configuration file> -u https://admin:adminpw@<server hostname>:7054 --csr.hosts $PEER_HOST .例如, fabric-ca-client enroll -d --enrollment.profile tls -c <client configuration file> -u https://admin:adminpw@<server hostname>:7054 --csr.hosts $PEER_HOST If IP address is given in URL TLS handshake will fail with bad TLS certificate error on the server side and 'certificate does not contain IP SANS' error on the client side as the ca-cert.pem used to perform the handshake with the server contains hostname and not the IP address.如果在 URL 中给出 IP 地址,TLS 握手将失败,服务器端出现错误的bad TLS certificate错误,客户端出现“证书不包含 IP SANS”错误,因为用于与服务器执行握手的 ca-cert.pem 包含主机名而不是 IP 地址。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 MinIO + Docker - 不能使用新版本的 SSL 证书(x509 不包含任何 IP sans) - MinIO + Docker - cannot use SSL certificate with new version (x509 doesn't contain any IP sans) 无法验证证书<ip-address>因为它不包含任何 IP SAN - cannot validate certificate for <ip-address> because it doesn't contain any IP SANs 无法验证ip的证书,因为它不包含任何IP SAN - Cannot validate certificate for ip because it doesn't contain any IP SANs Docker上的Vault TLS - 无法验证127.0.0.1的证书,因为它不包含任何IP SAN - Vault TLS on Docker - cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs Winlogbeat 设置错误:x509 证书适用于<ip> , 不是<same ip></same></ip> - Winlogbeat setup error: x509 certificate is valid for <ip>, not <same ip> Traefik https后端通信导致x509:证书对127.0.0.1有效<Container IP> - Traefik https backend communication causes x509: certificate is valid for 127.0.0.1 not <Container IP> Nexus私有docker pull image with x509:无法验证证书错误 - Nexus private docker pull image failing with x509: cannot validate certificate error 简单的docker命令不起作用:x509:无法验证证书 - Simple docker command does not work: x509: cannot validate certificate Docker-Hyperledger / fabric-ca中的GO_TAGS是什么? - What is GO_TAGS in Docker - Hyperledger/fabric-ca? 错误:未找到hyperledger / fabric-ca:的清单 - ERROR: manifest for hyperledger/fabric-ca:latest not found
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM