Enabling HTTPS for etcd
阿新 • Published: 2018-11-25
In the previous section (using etcd in Docker) etcd was already working; this section explains how to enable HTTPS.
1 Generating the certificates
1.1 Download cfssl
mkdir ~/bin
curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x ~/bin/{cfssl,cfssljson}
export PATH=$PATH:~/bin
Note that this uses 64-bit Linux as the example; if you are on another system, replace the download with the cfssl package for that system.
1.2 Initialize the certificate configuration
Use the cfssl templates to generate ca-config.json and ca-csr.json:
mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
1.3 Certificate types
- Client certificate: used by the server to authenticate the client, for example clients such as etcdctl, etcd proxy and docker.
- Server certificate: used on the server side so that clients can verify the server's identity, for example docker and kube-apiserver.
- Peer certificate: used for two-way communication between the members of an etcd cluster.
1.4 Configure CA options
Now I configure the signing options in the ca-config.json file. The defaults already contain the following settings:
- profiles: www, carrying the server authentication (TLS Web Server Authentication) X509 v3 extension, and client, carrying the client authentication (TLS Web Client Authentication) X509 v3 extension
- expiry: the validity period, 8760h by default
Next, rename www to server and change expiry to 43800h. After the change, ca-config.json looks like this:
{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
You can also modify ca-csr.json, the JSON certificate signing request for the CA:
{
    "CN": "My own CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "O": "My Company Name",
            "ST": "San Francisco",
            "OU": "Org Unit 1"
        }
    ]
}
Generate the CA certificate from the signing request defined above:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
The following files will be generated:
ca-key.pem
ca.csr
ca.pem
1.5 Generate the server certificate
cfssl print-defaults csr > server.json
This produces server.json; change the Common Name (CN) and hosts values as follows (replace 192.168.3.3 with your own server's address or domain name):
"CN": "coreos1",
"hosts": [
    "192.168.3.3",
    "ext.example.com",
    "coreos1.local",
    "coreos1"
],
Next, generate the server certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
The following files are generated:
server-key.pem
server.csr
server.pem
2 Start the etcd service
docker run -v /root/cfssl:/root/cfssl -p 2379:2379 \
--name etcd etcd /usr/local/bin/etcd \
-name etcd0 \
--cert-file=/root/cfssl/server.pem --key-file=/root/cfssl/server-key.pem \
-advertise-client-urls https://192.168.3.3:2379 \
-listen-client-urls https://0.0.0.0:2379
3 Verify that requests are handled correctly
3.1 Request without a certificate
curl https://192.168.3.3:2379/v2/keys/foo -XPUT -d value=bar -v
The error output is as follows. Client side:
* About to connect() to 192.168.3.3 port 2379 (#0)
* Trying 192.168.3.3...
* Connected to 192.168.3.3 (192.168.3.3) port 2379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=example.net,L=CA,ST=San Francisco,C=US
* start date: Nov 21 06:40:00 2018 GMT
* expire date: Nov 21 06:40:00 2019 GMT
* common name: example.net
* issuer: CN=example.net,L=CA,ST=San Francisco,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Server side:
rejected connection from "192.168.3.3:46692" (error "remote error: tls: unknown certificate authority", ServerName "")
3.2 Request with the CA certificate
curl --cacert /root/cfssl/ca.pem https://192.168.3.3:2379/v2/keys/foo -XPUT -d value=bar -v
The result of the request:
> PUT /v2/keys/foo HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.3.3:2379
> Accept: */*
> Content-Length: 9
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 9 out of 9 bytes
< HTTP/1.1 200 OK
< Content-Type: application/json
< X-Etcd-Cluster-Id: cdf818194e3a8c32
< X-Etcd-Index: 5
< X-Raft-Index: 6
< X-Raft-Term: 2
< Date: Wed, 21 Nov 2018 06:49:58 GMT
< Content-Length: 163
<
{"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":5,"createdIndex":5},"prevNode":{"key":"/foo","value":"bar","modifiedIndex":4,"createdIndex":4}}
* Connection #0 to host 192.168.3.3 left intact
HTTPS has been configured successfully.