Vault TLS on Docker - cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

Time: 2018-04-12 09:17:33

Tags: docker ssl openssl

I am trying to run Vault with TLS using Docker. First I generate the certificates and run the Docker container in Vault server mode. After that I run the vault init command, which returns the error:

Error initializing: Put https://127.0.0.1:8200/v1/sys/init: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

I can use -tls-skip-verify, but that is not a solution.

I generate the certificates using this openssl.cnf file:

[ ca ]
default_ca = testca

[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7
default_days = 365
default_md = sha256

policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
subjectAltName = @alt_names

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = localhost
DNS.1 = 127.0.0.1
DNS.2 = 0.0.0.0

These commands are used to generate the CA cert.pem and key.pem:

openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes

openssl x509 -in cacert.pem -out cacert.cer -outform DER

To run the Docker container I use:

docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener":[{"tcp":{"address":"127.0.0.1:8200", "tls_cert_file":"/vault/ca/cacert.pem", "tls_key_file":"/vault/ca/private/cakey.pem"}}], "backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' -p8201:8200 --name vault-server -v/tmp/vault-conf/ca-keys:/vault/ca vault server

Docker mounts the folder containing the certificates used in the Vault config file.

Here are the Docker logs:

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
                 Storage: file
                 Version: Vault v0.9.6
             Version Sha: 7e1fbde40afee241f81ef08700e7987d86fc7242

==> Vault server started! Log data will stream in below:

Now, after exec'ing the command vault init inside the Docker container, it returns the error.

The generated cacert.pem file contains the 127.0.0.1 IP address in the SAN:

X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:127.0.0.1, DNS:0.0.0.0

What mistake have I made?

2 answers:

Answer 0: (score: 1)

It looks like you just need to update the DNS section to:

[ alt_names ]
DNS.0 = localhost
IP.1 = 127.0.0.1
IP.2 = 0.0.0.0
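Why the certificate in the question fails even though the author sees "127.0.0.1" in its SAN: a Go TLS client such as the Vault CLI, when the dialled host is an IP address, consults only IP-type SANs and ignores a DNS entry whose text merely looks like an IP. The following Python model of that rule, plus a helper that writes an [alt_names] section with each name under the right DNS.n or IP.n key (the change answer 0 makes), is an added example and not code from the question or the answers; verify_host, _dns_match and alt_names_section are hypothetical names, and the error strings mirror the x509 message shown in the question.

```python
import ipaddress

# Simplified model of the hostname check a Go TLS client (the Vault CLI is one)
# applies: for an IP-address host only IP-type SANs count, so a DNS entry whose
# text is "127.0.0.1" never matches. Not Go's code; the messages mirror x509's.
def verify_host(host, sans):
    """sans is a list of (kind, value) pairs, kind in {"DNS", "IP"}.
    Returns None on success, otherwise the error text the client reports."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        ip_sans = [v for k, v in sans if k == "IP"]
        if not ip_sans:
            return (f"x509: cannot validate certificate for {host} "
                    "because it doesn't contain any IP SANs")
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return None
        return f"x509: certificate is valid for {', '.join(ip_sans)}, not {host}"
    dns_sans = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(p, host) for p in dns_sans):
        return None
    return f"x509: certificate is valid for {', '.join(dns_sans)}, not {host}"


def _dns_match(pattern, host):
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return len(pl) > 1 and len(pl) == len(hl) and pl[0] == "*" and pl[1:] == hl[1:]


def alt_names_section(names):
    """Render an openssl [alt_names] section, placing each name under DNS.n or
    IP.n depending on whether it parses as an IP address (the fix in answer 0)."""
    lines, dns_n, ip_n = ["[ alt_names ]"], 0, 0
    for name in names:
        try:
            ipaddress.ip_address(name)
            ip_n += 1
            lines.append(f"IP.{ip_n} = {name}")
        except ValueError:
            dns_n += 1
            lines.append(f"DNS.{dns_n} = {name}")
    return "\n".join(lines)
```

Feeding the question's SAN list (three DNS entries) to verify_host reproduces the exact error from vault init, while the list produced by alt_names_section(["localhost", "127.0.0.1", "0.0.0.0"]) passes.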

Answer 1: (score: 0)

To make a self-signed certificate that uses only an IP (not a domain name), specify a subject alternative name (SAN) for the IP.

vim req.conf

[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = WA
L = Seattle
O = NoCompany
OU = Orgainizational_Unit
CN = 10.0.0.2
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.0.0.2

openssl req -new -nodes -x509 -days 365 -keyout dockerregistry.key -out dockerregistry.crt -config req.conf

On the client machine, if you are doing this for a private registry:

sudo vim /etc/docker/daemon.json

{
    "insecure-registries" : [ "10.0.0.2:5000" ]
}

sudo systemctl restart docker