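I am using the Docker REST client API to write a client that will connect to a remote Docker daemon. I followed the steps in the documentation on this page:
https://docs.docker.com/articles/https/
and generated the required certificates.
Now, when I try to use my client, it fails with the following message: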
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
I then tried printing what is written in the CN of my certificate, and this is what I see:
joes@joes:~$ keytool -printcert -v -file server-cert.pem
Owner: CN=123.456.0.10
Issuer: CN=123.456.0.10, O=Internet Widgits Pty Ltd, ST=Some-State, C=IN
Serial number: 2
Valid from: Mon Nov 24 19:13:49 CET 2014 until: Sun Dec 19 19:13:49 CET 2055
Certificate fingerprints:
MD5: 80:72:7B:43:21:37:BE:48:20:D4:E8:94:6D:2C:73:51
SHA1: 36:9C:FB:D9:1E:1B:3F:D6:1C:32:6C:ED:F0:C6:88:95:44:1A:A4:20
SHA256: 49:C9:FD:39:29:D7:CF:78:14:49:86:47:CC:B5:F7:18:D3:B9:96:E5:34:52:6A:01:A6:88:1D:4B:E0:33:1B:D9
Signature algorithm name: SHA256withRSA
Version: 1
Now, when I do the same for the cert.pem file, I see the following:
joes@joes:~$ keytool -printcert -v -file cert.pem
Owner: CN=client
Issuer: CN=123.456.0.10, O=Internet Widgits Pty Ltd, ST=Some-State, C=IN
Serial number: 3
Valid from: Mon Nov 24 19:16:06 CET 2014 until: Sun Dec 19 19:16:06 CET 2055
Certificate fingerprints:
MD5: A9:7D:56:69:FA:BD:01:40:CB:CB:C6:B6:BE:FD:EB:9F
SHA1: 24:1D:96:7E:02:26:D0:2B:14:F6:F2:7B:ED:7F:9C:06:1F:1D:91:81
SHA256: E9:15:C5:53:FC:E9:EB:5F:62:1D:34:CB:85:AB:B1:E8:9D:19:11:F0:34:04:AA:19:48:BA:CD:2A:ED:AA:90:47
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
]
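I can see that the CN is different, but what should it be? Should it be the CN of the server where my Docker daemon is running? If so, why does the Docker documentation have the following: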
For client authentication, create a client key and certificate signing request:
$ openssl genrsa -des3 -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
$ openssl req -subj '/CN=**client**' -new -key key.pem -out client.csr
Enter pass phrase for key.pem:
Which certificates should I set up in the Docker daemon, and which certificates are for the client? It is not that clear from the Docker documentation!
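
The handshake failure above, reproduced as an added example that is not part of the original post: when a Java HTTPS client connects by IP address, its hostname check matches only IP entries in the server certificate's subjectAltName extension and does not fall back to the CN, and the server-cert.pem shown is a Version 1 certificate with no extensions. The script issues a server certificate with and without that entry from a throwaway CA and checks for it; the address 192.0.2.10, the name demo-ca and all function names are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). 192.0.2.10 is a constructed
# placeholder for the Docker daemon's IP; demo-ca is a throwaway CA.
set -eu

make_ca() {                      # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# Issue a server certificate for IP $2 in dir $1; $3 = yes|no controls whether
# a subjectAltName extension is written into the certificate.
issue_server_cert() {
  local dir=$1 ip=$2 with_san=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ip" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  set -- -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/server-cert.pem"
  if [ "$with_san" = yes ]; then
    printf 'subjectAltName = IP:%s\nextendedKeyUsage = serverAuth\n' "$ip" \
      > "$dir/ext.cnf"
    set -- "$@" -extfile "$dir/ext.cnf"
  fi
  openssl x509 "$@" 2>/dev/null
}

# Succeeds only if certificate $1 lists exactly IP $2 in its subjectAltName.
has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "IP Address:$2"
}

# Prints "ok" or "missing" for a freshly issued certificate.
check_issued() {                 # $1 = ip, $2 = yes|no
  local dir; dir=$(mktemp -d)
  make_ca "$dir"
  issue_server_cert "$dir" "$1" "$2"
  if has_ip_san "$dir/server-cert.pem" "$1"; then echo ok; else echo missing; fi
  rm -rf "$dir"
}

echo "CN only:     $(check_issued 192.0.2.10 no)"
echo "with IP SAN: $(check_issued 192.0.2.10 yes)"
```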