
Enabling HTTPS for etcd

In the previous post (etcd in Docker) etcd was already running normally; this post explains how to enable HTTPS.

1 Generate the certificates

1.1 Download cfssl

mkdir ~/bin
curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x ~/bin/{cfssl,cfssljson}
export PATH=$PATH:~/bin

Note that this uses the 64-bit Linux build as the example; on another system, substitute the cfssl package for that platform.

1.2 Initialize the certificate configuration

Generate ca-config.json and ca-csr.json from the cfssl templates:

mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

1.3 Certificate types

  • Client certificate: used by the server to authenticate the client, e.g. etcdctl, etcd proxy, docker and other clients.
  • Server certificate: used on the server side so that clients can verify the server's identity, e.g. the docker daemon, kube-apiserver.
  • Peer certificate: used for mutual authentication between members of an etcd cluster.

1.4 Configure the CA options

Now configure the signing options in ca-config.json. The default template already contains the following entries:

  • profiles: a www profile carrying the TLS Web Server Authentication X.509 v3 extension (server authentication) and a client profile carrying the TLS Web Client Authentication X.509 v3 extension (client authentication)
  • expiry: the validity period, 8760h by default

Next, rename the www profile to server and change expiry to 43800h. After the edit, ca-config.json looks like this:

{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

You can also edit ca-csr.json, the certificate signing request for the CA itself:

{
    "CN": "My own CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "O": "My Company Name",
            "ST": "San Francisco",
            "OU": "Org Unit 1",
            "OU": "Org Unit 2"
        }
    ]
}

Generate the CA certificate from the signing request defined above:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

This produces the following files:

ca-key.pem
ca.csr
ca.pem

1.5 Generate the server certificate

cfssl print-defaults csr > server.json

This gives server.json; change the Common Name (CN) and the hosts values as follows, replacing 192.168.3.3 with your own server address or domain name (every address clients will use to reach etcd must appear in hosts):

    "CN": "coreos1",
    "hosts": [
        "192.168.3.3",
        "ext.example.com",
        "coreos1.local",
        "coreos1"
    ],

Next, generate the server certificate and private key:

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

The generated files are:

server-key.pem
server.csr
server.pem

2 Start the etcd service

docker run -v /root/cfssl:/root/cfssl -p 2379:2379 \
 --name etcd etcd /usr/local/bin/etcd \
 -name etcd0 \
 --cert-file=/root/cfssl/server.pem --key-file=/root/cfssl/server-key.pem \
 -advertise-client-urls https://192.168.3.3:2379 \
 -listen-client-urls https://0.0.0.0:2379
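Two things commonly go wrong between section 1 and the command above: the ca-config.json profile is left as www (so -profile=server finds nothing), and the hosts list in server.json does not contain the address that -advertise-client-urls hands out, so clients fail name verification even though they trust the CA. The ca-csr.json shown earlier also repeats the "OU" key, and Go's JSON decoder (which cfssl uses) silently keeps only the last value. The following pre-flight check is an added example, not code from the post or from cfssl; it parses the JSON files with duplicate-key rejection, checks the profiles and expiry format, and checks the advertise URL against the CSR hosts. The "unedited template" input is constructed from the post's description (www profile, 8760h), and the other inputs are the post's own values embedded as strings. Note also that the docker command above passes only --cert-file and --key-file, so etcd authenticates itself to clients but does not authenticate clients; the client profile only matters once etcd is started with --client-cert-auth and --trusted-ca-file (etcd flags not shown in this post).

```python
import json
import re
from urllib.parse import urlsplit

# cfssl expiry values are Go durations, e.g. "43800h" or "8760h".
GO_DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")

# Usages each profile must grant for the role it is used in.
REQUIRED_USAGES = {"server": {"server auth"}, "client": {"client auth"}}


def _reject_duplicate_keys(pairs):
    # object_pairs_hook: Go's encoding/json (and hence cfssl) keeps only the
    # last value of a repeated key, so refuse such documents instead.
    out = {}
    for key, value in pairs:
        if key in out:
            raise ValueError(f"duplicate JSON key {key!r}")
        out[key] = value
    return out


def load_strict(text):
    """Parse JSON, rejecting objects that repeat a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)


def has_duplicate_keys(text):
    """True when the document is valid JSON but repeats a key inside an object."""
    json.loads(text)  # syntax errors propagate unchanged
    try:
        load_strict(text)
    except ValueError:
        return True
    return False


def check_ca_config(cfg):
    """Return a list of problems in a parsed ca-config.json (empty list = OK)."""
    problems = []
    signing = cfg.get("signing", {})
    default_expiry = signing.get("default", {}).get("expiry")
    profiles = signing.get("profiles", {})
    for name, needed in REQUIRED_USAGES.items():
        prof = profiles.get(name)
        if prof is None:
            problems.append(f"profile {name!r} missing (template calls it 'www'?)")
            continue
        missing = needed - set(prof.get("usages", []))
        if missing:
            problems.append(f"profile {name!r} lacks usages {sorted(missing)}")
        expiry = prof.get("expiry", default_expiry)
        if not isinstance(expiry, str) or not GO_DURATION.match(expiry):
            problems.append(f"profile {name!r} has invalid expiry {expiry!r}")
    return problems


def check_server_csr(csr, client_urls):
    """Every address clients dial must be in the CSR's hosts (the SAN list)."""
    problems = []
    hosts = set(csr.get("hosts", []))
    if not hosts:
        problems.append("server CSR has no hosts; clients cannot verify the name")
    for url in client_urls:
        host = urlsplit(url).hostname
        if host in ("0.0.0.0", "::"):  # bind-all listen address, never verified
            continue
        if host not in hosts:
            problems.append(f"{host!r} from {url} is not in hosts")
    return problems


# Constructed inputs: the edited ca-config.json and server.json values from the
# post, the unedited template as the post describes it (www profile, 8760h),
# and the post's ca-csr.json, which repeats the "OU" key.
EDITED_CA_CONFIG = """{"signing": {"default": {"expiry": "43800h"}, "profiles": {
  "server": {"expiry": "43800h", "usages": ["signing", "key encipherment", "server auth"]},
  "client": {"expiry": "43800h", "usages": ["signing", "key encipherment", "client auth"]}}}}"""
TEMPLATE_CA_CONFIG = EDITED_CA_CONFIG.replace('"server"', '"www"').replace("43800h", "8760h")
SERVER_CSR = """{"CN": "coreos1", "hosts": ["192.168.3.3", "ext.example.com", "coreos1.local", "coreos1"],
  "key": {"algo": "rsa", "size": 2048}}"""
CA_CSR = """{"CN": "My own CA", "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "US", "L": "CA", "O": "My Company Name", "ST": "San Francisco",
             "OU": "Org Unit 1", "OU": "Org Unit 2"}]}"""
ETCD_CLIENT_URLS = ["https://192.168.3.3:2379", "https://0.0.0.0:2379"]

if __name__ == "__main__":
    print(check_ca_config(load_strict(EDITED_CA_CONFIG)))                # []
    print(check_ca_config(load_strict(TEMPLATE_CA_CONFIG)))              # profile 'server' missing
    print(check_server_csr(load_strict(SERVER_CSR), ETCD_CLIENT_URLS))   # []
    print(has_duplicate_keys(CA_CSR))                                    # True
```

Run it against the real files by replacing the embedded strings with the contents of ~/cfssl/ca-config.json, ca-csr.json and server.json and the URLs you pass to etcd; an empty list from both checks means the certificate you are about to issue covers the address clients will verify.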

3 Verify the requests

3.1 Request without the CA certificate

curl https://192.168.3.3:2379/v2/keys/foo -XPUT -d value=bar -v

The error output is as follows.

Client side:
* About to connect() to 192.168.3.3 port 2379 (#0)
*   Trying 192.168.3.3...
* Connected to 192.168.3.3 (192.168.3.3) port 2379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=example.net,L=CA,ST=San Francisco,C=US
* 	start date: Nov 21 06:40:00 2018 GMT
* 	expire date: Nov 21 06:40:00 2019 GMT
* 	common name: example.net
* 	issuer: CN=example.net,L=CA,ST=San Francisco,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Server side:
rejected connection from "192.168.3.3:46692" (error "remote error: tls: unknown certificate authority", ServerName "")
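The server-side line above is the only trace etcd leaves when a client fails the TLS handshake, so it is the line to watch once HTTPS is on: a burst of "unknown certificate authority" from one source is usually a client that was not given --cacert (as in the curl run above), while "bad certificate" would mean etcd rejected the client's own certificate, which only happens with client-certificate authentication enabled. ServerName is empty because curl was given an IP literal and therefore sent no SNI. The following parser is an added example, not code from the post or from etcd; it assumes the log line format shown above, and the sample lines other than the first are constructed.

```python
import re
from collections import Counter

# Pattern for the server-side rejection line etcd logs, as shown in the post:
#   rejected connection from "IP:PORT" (error "...", ServerName "...")
REJECT_RE = re.compile(
    r'rejected connection from "(?P<ip>[^"]+):(?P<port>\d+)" '
    r'\(error "(?P<error>[^"]*)", ServerName "(?P<sni>[^"]*)"\)'
)


def parse_rejections(lines):
    """Return (ip, error, sni) for every rejection line; other lines are skipped."""
    found = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("error"), m.group("sni")))
    return found


def summarize(lines, threshold=3):
    """Count rejections per (source, error) and list sources at or above threshold."""
    counts = Counter((ip, err) for ip, err, _sni in parse_rejections(lines))
    noisy = sorted({ip for (ip, _err), n in counts.items() if n >= threshold})
    return {"counts": dict(counts), "noisy_sources": noisy}


# Constructed sample log: the line from the post, two invented repeats from the
# same client, one client whose own certificate was rejected, and an unrelated
# line that the parser must ignore.
SAMPLE_LOG = [
    'rejected connection from "192.168.3.3:46692" (error "remote error: tls: unknown certificate authority", ServerName "")',
    'rejected connection from "192.168.3.3:46694" (error "remote error: tls: unknown certificate authority", ServerName "")',
    'rejected connection from "192.168.3.3:46698" (error "remote error: tls: unknown certificate authority", ServerName "")',
    'rejected connection from "10.0.0.7:51002" (error "remote error: tls: bad certificate", ServerName "coreos1.local")',
    'established connection from "192.168.3.10:40010"',
]

if __name__ == "__main__":
    for ip, err, sni in parse_rejections(SAMPLE_LOG):
        print(f"{ip:15} sni={sni or '<none>':14} {err}")
    print(summarize(SAMPLE_LOG))  # noisy_sources: ['192.168.3.3']
```

Feed it the container's log (docker logs etcd) split into lines; the per-source counts separate a single misconfigured client from many distinct sources failing verification, which deserve a closer look.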

3.2 Request with the CA certificate

curl --cacert /root/cfssl/ca.pem https://192.168.3.3:2379/v2/keys/foo -XPUT -d value=bar -v

The request now succeeds:

> PUT /v2/keys/foo HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.3.3:2379
> Accept: */*
> Content-Length: 9
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 9 out of 9 bytes
< HTTP/1.1 200 OK
< Content-Type: application/json
< X-Etcd-Cluster-Id: cdf818194e3a8c32
< X-Etcd-Index: 5
< X-Raft-Index: 6
< X-Raft-Term: 2
< Date: Wed, 21 Nov 2018 06:49:58 GMT
< Content-Length: 163
< 
{"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":5,"createdIndex":5},"prevNode":{"key":"/foo","value":"bar","modifiedIndex":4,"createdIndex":4}}
* Connection #0 to host 192.168.3.3 left intact

HTTPS is now configured.

References

security
generate-self-signed-certificates

Original post: http://www.artacode.com/posts/etcd/enable-https/