[Question title]: The '--ca-file' flag of etcdctl is useless?
[Posted]: 2015-11-25 16:32:59
[Question]:

I have set up an etcd server with the following command:

etcd -name infra0 -initial-advertise-peer-urls http://192.168.99.240:2380 -listen-peer-urls http://192.168.99.240:2380 -listen-client-urls https://192.168.99.240:2379,https://127.0.0.1:2379 -advertise-client-urls https://192.168.99.240:2379 -initial-cluster-token etcd-cluster-1 -initial-cluster infra0=http://192.168.99.240:2380 -initial-cluster-state new -client-cert-auth -trusted-ca-file=/home/docker/ssl/ca.crt -cert-file=/home/docker/ssl/server.crt -key-file=/home/docker/ssl/server.key

I can fetch data from it with curl:

curl --cacert /home/kubernetes/ssl/server.crt --cert /home/kubernetes/ssl/ca.crt --key /home/kubernetes/ssl/ca.key -L https://192.168.99.240:2379/v2/keys/coreos.com/network/config -XGET

The command above returns:

{"action":"get","node":{"key":"/coreos.com/network/config","value":"{\"Network\":\"10.0.0.0/8\"}","modifiedIndex":10,"createdIndex":10}}

But when I use etcdctl:

etcdctl --peers=https://192.168.99.240:2379 --ca-file=/home/kubernetes/ssl/server.crt --cert-file=/home/kubernetes/ssl/ca.crt --key-file=/home/kubernetes/ssl/ca.key ls

it returns:

Error:  client: etcd cluster is unavailable or misconfigured
error #0: x509: cannot validate certificate for 192.168.99.240 because it doesn't contain any IP SANs

I think this is a certificate validation failure, so why doesn't the etcdctl --ca-file flag take effect? Or is there something wrong with my command?

The etcd version I am using is:

etcdctl --version
etcdctl version 2.2.1

[Comments]:

    Tags: etcd


    [Solution 1]:

    Problem solved.

    The reason curl can access etcd successfully while etcdctl cannot is that the self-signed certificate I used was not secure enough; curl ignored that and etcdctl did not.

    Here are the steps to generate a secure certificate (copied and modified from the Kubernetes documentation).

    First, you should modify /etc/ssl/openssl.cnf: set the basicConstraints flag to CA:TRUE, and add subjectAltName = IP:<MASTER_IP> under v3_ca.

    Then you can generate the certificates with the following steps.

    #1. Generate a 2048-bit ca.key
    openssl genrsa -out ca.key 2048
    #2. Generate a self-signed ca.crt from ca.key (-days sets how long the certificate is valid)
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
    #3. Generate a 2048-bit server.key
    openssl genrsa -out server.key 2048
    #4. Generate a server.csr from server.key
    openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr
    #5. Sign server.csr with ca.key/ca.crt to produce server.crt, applying the v3_ca extensions
    #   (which carry the subjectAltName added above). -signkey is deliberately not passed: it would
    #   make openssl self-sign with server.key instead of signing with the CA. Only the last
    #   -extensions option is honoured, so a single -extensions v3_ca is given.
    openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions v3_ca -extfile /etc/ssl/openssl.cnf
    #6. View the certificate and confirm the IP SAN is present
    openssl x509 -noout -text -in ./server.crt
    

    Then run etcd with the following command:

    etcd -name infra0 -initial-advertise-peer-urls http://192.168.99.240:2380 -listen-peer-urls http://192.168.99.240:2380 -listen-client-urls https://192.168.99.240:2379,https://127.0.0.1:2379 -advertise-client-urls https://192.168.99.240:2379 -initial-cluster-token etcd-cluster-1 -initial-cluster infra0=http://192.168.99.240:2380 -initial-cluster-state new -client-cert-auth -trusted-ca-file=ca.crt -cert-file=server.crt -key-file=server.key
    

    Now we can access etcd with the following command:

    etcdctl --peers=https://192.168.99.240:2379 --ca-file=ca.crt --cert-file=ca.crt --key-file=ca.key ls
    

    Note that the etcdctl --ca-file flag is ca.crt, not server.crt.

    [Discussion]:
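The error in the question (no IP SAN on the server certificate) and the fix in the answer can be reproduced without editing /etc/ssl/openssl.cnf. The script below is an added example, not code from the question or the answer: it issues a CA and a server certificate with subjectAltName=IP:<addr> from an inline extension file, then runs the two checks that decide whether etcdctl will accept the server, that the SAN covers the address given to --peers, and that the certificate chains to the file given as --ca-file. The file names and the address 192.168.99.240 come from the page; the CA subject "etcd-ca" and the validity periods are made-up values.

```shell
#!/bin/sh
# Added example (not from the question or answer): issue a CA and an etcd server
# certificate that carries an IP SAN, using an inline extension file instead of
# editing /etc/ssl/openssl.cnf, then run the two checks etcdctl's TLS client applies.
set -eu

# make_certs DIR IP: writes ca.key, ca.crt, server.key, server.crt into DIR.
make_certs() {
    dir=$1; ip=$2
    mkdir -p "$dir"
    # CA: self-signed and explicitly marked CA:TRUE (the flag the answer sets in openssl.cnf).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=etcd-ca" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Server: key + CSR, then a leaf signed by the CA (no -signkey, which would self-sign).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$ip" -out "$dir/server.csr" 2>/dev/null
    # Go's x509 verifier (used by etcdctl) matches the dialled IP against IP SANs only;
    # a bare CN gives exactly the "doesn't contain any IP SANs" error from the question.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=IP:%s\n' \
        "$ip" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# has_ip_san CERT IP: succeeds if CERT lists IP in its subjectAltName extension.
has_ip_san() {
    openssl x509 -noout -text -in "$1" | grep -qF "IP Address:$2"
}

# chains_to CERT CAFILE: succeeds if CERT verifies against CAFILE, i.e. CAFILE is a
# correct value for etcdctl --ca-file (the CA certificate, not the server certificate).
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: issue certificates for the address from the question and report both checks.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_certs "$work" 192.168.99.240
    has_ip_san "$work/server.crt" 192.168.99.240 && echo "server.crt carries IP SAN 192.168.99.240"
    chains_to "$work/server.crt" "$work/ca.crt" && echo "server.crt chains to ca.crt: pass ca.crt as --ca-file"
fi
```

Run it with `--demo` to see both checks pass; point `has_ip_san` at an existing server.crt to confirm it covers the address in `--peers` before retrying etcdctl.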
