[英]Cannot validate certificate for ip because it doesn't contain any IP SANs
[英]Vault TLS on Docker - cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
我正在嘗試使用docker在Valut上運行TLS。 首先生成證書並使用Vault服務器模式運行docker容器。 之后我運行vault init
命令返回錯誤:
初始化錯誤:放置https://127.0.0.1:8200/v1/sys/init:x509 :無法驗證127.0.0.1的證書,因為它不包含任何IP SAN
我可以使用-tls-skip-verify但不是解決方案。
我使用openssl.cnf文件生成證書:
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
subjectAltName = @alt_names
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = localhost
DNS.1 = 127.0.0.1
DNS.2 = 0.0.0.0
這些命令用於生成CA cert.pem和key.pem:
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER
要運行docker容器,我使用:
docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener":[{"tcp":{"address":"127.0.0.1:8200", "tls_cert_file":"/vault/ca/cacert.pem", "tls_key_file":"/vault/ca/private/cakey.pem"}}], "backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' -p8201:8200 --name vault-server -v/tmp/vault-conf/ca-keys:/vault/ca vault server
Docker使用Vault conf文件中使用的證書安裝文件夾。
有泊塢日志:
This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.
==> Vault server configuration:
Cgo: disabled
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "enabled")
Log Level: info
Mlock: supported: true, enabled: true
Storage: file
Version: Vault v0.9.6
Version Sha: 7e1fbde40afee241f81ef08700e7987d86fc7242
==> Vault server started! Log data will stream in below:
現在在docker容器內的exec命令vault init
之后它返回上面的錯誤。
生成的cacert.pem文件在SAN中包含127.0.0.1 IP地址。
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Subject Alternative Name:
DNS:localhost, DNS:127.0.0.1, DNS:0.0.0.0
哪里弄錯了?
您似乎只是將DNS部分更新為:
[ alt_names ]
DNS.0 = localhost
IP.1 = 127.0.0.1
IP.2 = 0.0.0.0
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.