2015-11-18 24 views
Is etcdctl's '-ca-file' flag useless?

I have set up an etcd server with the following command:

etcd -name infra0 -initial-advertise-peer-urls http://192.168.99.240:2380 -listen-peer-urls http://192.168.99.240:2380 -listen-client-urls https://192.168.99.240:2379,https://127.0.0.1:2379 -advertise-client-urls https://192.168.99.240:2379 -initial-cluster-token etcd-cluster-1 -initial-cluster infra0=http://192.168.99.240:2380 -initial-cluster-state new -client-cert-auth -trusted-ca-file=/home/docker/ssl/ca.crt -cert-file=/home/docker/ssl/server.crt -key-file=/home/docker/ssl/server.key 

And I can fetch data from it with curl:

curl --cacert /home/kubernetes/ssl/server.crt --cert /home/kubernetes/ssl/ca.crt --key /home/kubernetes/ssl/ca.key -L https://192.168.99.240:2379/v2/keys/coreos.com/network/config -XGET 

The command above returns:

{"action":"get","node":{"key":"/coreos.com/network/config","value":"{\"Network\":\"10.0.0.0/8\"}","modifiedIndex":10,"createdIndex":10}} 

But when I use etcdctl

etcdctl --peers=https://192.168.99.240:2379 --ca-file=/home/kubernetes/ssl/server.crt --cert-file=/home/kubernetes/ssl/ca.crt --key-file=/home/kubernetes/ssl/ca.key ls 

it returns:

Error: client: etcd cluster is unavailable or misconfigured 
error #0: x509: cannot validate certificate for 192.168.99.240 because it doesn't contain any IP SANs 

I think this is because certificate validation failed, so why does etcdctl's --ca-file flag have no effect? Or is there a problem with my command?

The etcd version I am using is:

etcdctl --version 
etcdctl version 2.2.1 

Answer

Problem solved.

The reason curl can access etcd successfully but etcdctl cannot is that the self-signed certificate I was using is not secure enough; curl ignores that, but etcdctl does not.

Here are the steps to generate a secure certificate (copied and modified from the kubernetes docs).

First, you should modify /etc/ssl/openssl.cnf: set the basicConstraints flag to CA:TRUE, and under v3_ca add subjectAltName = IP:<MASTER_IP>

Then you can generate the certificates with the following steps.

#1. Generate a 2048-bit ca.key 
openssl genrsa -out ca.key 2048 
#2. Generate a self-signed ca.crt from ca.key (-days sets the validity period). 
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt 
#3. Generate a 2048-bit server.key 
openssl genrsa -out server.key 2048 
#4. Generate a server.csr from server.key. 
openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr 
#5. Sign server.csr with ca.key and ca.crt to produce server.crt. The v3_ca section of 
#   openssl.cnf (edited above to carry the subjectAltName) supplies the extensions. 
#   -signkey is not needed when signing with -CA/-CAkey, and when -extensions is 
#   given twice only the last one takes effect, so only -extensions v3_ca is kept. 
openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions v3_ca -extfile /etc/ssl/openssl.cnf 
#6. View the certificate and confirm the IP SAN is present. 
openssl x509 -noout -text -in ./server.crt 

Then run etcd with the following command

etcd -name infra0 -initial-advertise-peer-urls http://192.168.99.240:2380 -listen-peer-urls http://192.168.99.240:2380 -listen-client-urls https://192.168.99.240:2379,https://127.0.0.1:2379 -advertise-client-urls https://192.168.99.240:2379 -initial-cluster-token etcd-cluster-1 -initial-cluster infra0=http://192.168.99.240:2380 -initial-cluster-state new -client-cert-auth -trusted-ca-file=ca.crt -cert-file=server.crt -key-file=server.key 

Now we can access etcd with the following command

etcdctl --peers=https://192.168.99.240:2379 --ca-file=ca.crt --cert-file=ca.crt --key-file=ca.key ls 

Note that etcdctl's --ca-file flag takes ca.crt, not server.crt.
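The error in the question ("doesn't contain any IP SANs") comes from the Go TLS client used by etcdctl: when it dials an IP address it matches that address only against the certificate's IP subjectAltName entries, never against the CN, so a CN-only certificate fails regardless of which --ca-file is passed. The script below is an added example, not code from the question, the answer, or the etcd or kubernetes projects. It builds the same kind of PKI as the answer's steps but without editing the system /etc/ssl/openssl.cnf, keeps CA:TRUE off the server certificate, issues a separate client certificate instead of presenting ca.crt/ca.key as the client identity, and then runs the same IP check with `openssl verify -verify_ip` against both a SAN-bearing and a CN-only certificate. MASTER_IP, WORKDIR and the CA name "etcd-ca" are assumed values; everything is generated in a scratch directory so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on PATH.
# MASTER_IP and WORKDIR are assumed defaults and can be overridden via the environment.
set -e

MASTER_IP="${MASTER_IP:-192.168.99.240}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Private config for the self-signed CA; also reused (with -subj overriding the DN)
# for the CSRs so nothing here depends on a system-wide openssl.cnf.
write_configs() {
  cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = etcd-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Server leaf: explicitly not a CA, and carries the IP SANs a Go client requires.
  cat > "$WORKDIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:${MASTER_IP},IP:127.0.0.1
EOF
  # Client leaf: what etcdctl presents to an etcd started with -client-cert-auth.
  cat > "$WORKDIR/client.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  # CN-only leaf with no SAN, reproducing the certificate shape from the question.
  cat > "$WORKDIR/legacy.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}

gen_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -config "$WORKDIR/ca.cnf" \
    -days 3650 -out "$WORKDIR/ca.crt"
}

# gen_leaf <name> <CN> <extfile>: key, CSR and CA-signed certificate in $WORKDIR.
gen_leaf() {
  name=$1; cn=$2; ext=$3
  openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$name.key" -config "$WORKDIR/ca.cnf" \
    -subj "/CN=$cn" -out "$WORKDIR/$name.csr"
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORKDIR/$ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# Chain + purpose check against ca.crt (sslserver or sslclient).
verify_purpose() { openssl verify -CAfile "$WORKDIR/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1; }
# The identity check a Go client performs when dialling an IP: IP SANs only, no CN fallback.
verify_server_ip() { openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1; }
has_ip_san() { openssl x509 -in "$1" -noout -text | grep -Fq "IP Address:$2"; }
is_ca() { openssl x509 -in "$1" -noout -text | grep -Fq "CA:TRUE"; }

main() {
  write_configs
  gen_ca
  gen_leaf server "$MASTER_IP" server.ext
  gen_leaf client etcd-client client.ext
  gen_leaf legacy "$MASTER_IP" legacy.ext
  verify_server_ip "$WORKDIR/server.crt" "$MASTER_IP" && echo "server.crt: IP SAN matches $MASTER_IP"
  verify_server_ip "$WORKDIR/legacy.crt" "$MASTER_IP" || echo "legacy.crt: CN only, no IP SAN, rejected"
  echo "certificates written to $WORKDIR"
  # Resulting invocations (etcd v2 flag names, as used on this page):
  #   etcd ... -client-cert-auth -trusted-ca-file=ca.crt -cert-file=server.crt -key-file=server.key
  #   etcdctl --peers=https://$MASTER_IP:2379 --ca-file=ca.crt --cert-file=client.crt --key-file=client.key ls
}
main
```

The legacy.crt case is the one from the question: it chains to the CA perfectly well, so a CA-only check passes, yet the IP identity check fails because there is no subjectAltName to match. Putting the SAN in a per-certificate extension file rather than in the global v3_ca section also avoids stamping CA:TRUE onto the server certificate, which is the side effect of the answer's openssl.cnf edit.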