Self-signed certificate does not work inside Docker for communication between containers

Posted 2025-01-30 10:47:34 · 3097 characters · 4 views · 0 comments


I have a docker-compose in which minio, minio/kes and vault talk together. Both minio/kes and vault need TLS, and I used the self-signed method with an IP address to create certificates for them.
I use this command to generate the certificate:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
       -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"

Here is my docker-compose file:

version: '3.7'
services:
  minio:
    image: minio/minio:RELEASE.2021-02-01T22-56-52Z
    container_name: minio
    restart: always
    volumes:
      - /home/zahra/docker/minio/data:/data
      - /home/zahra/docker/kes/certs:/root/.minio/kes/certs
    ports:
      - "9003:9000"
    expose:
      - "9003"
    environment:
      MINIO_ROOT_USER: minio
      MINIO_ROOT_PASSWORD: minio123
      MINIO_KMS_KES_ENDPOINT: https://minio-kes:7373
      MINIO_KMS_KES_CERT_FILE: /root/.minio/kes/certs/client.cert
      MINIO_KMS_KES_KEY_FILE: /root/.minio/kes/certs/client.key
      MINIO_KMS_KES_CA_PATH: /root/.minio/kes/certs/server.cert
      MINIO_KMS_KES_KEY_NAME: test-key
      MINIO_KMS_AUTO_ENCRYPTION: 1
    command: server /data
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
      interval: 30s
      timeout: 20s
      retries: 3    
    networks: 
      - minio-network 
    
  minio-kes:
    image: minio/kes:v0.19.2
    container_name: minio-kes
    restart: always
    volumes:
      - /home/zahra/docker/kes/certs:/root/.kes/certs    
      - /home/zahra/docker/kes/config:/root/.kes/config
      - /home/zahra/docker/vault/certs:/root/.kes/vault/certs
    environment:
      - KES_SERVER=https://minio-vault:7373
      - KES_CLIENT_KEY=/root/.kes/certs/client.key
      - KES_CLIENT_CERT=/root/.kes/certs/client.cert      
    ports:
      - "7373:7373"
    command: server --config=/root/.kes/config/config.yaml --auth=off 
    expose:
      - "7373"
    networks:  
      - minio-network 
    depends_on:
      - minio-vault    
      
  minio-vault:
    image: vault:latest
    container_name: minio-vault
    ports:
      - "8200:8200"
    volumes:
      - /home/zahra/docker/vault/file:/vault/file
      - /home/zahra/docker/vault/config:/vault/config
      - /home/zahra/docker/vault/certs:/vault/certs
      - /home/zahra/docker/vault/policy:/vault/policy
    environment:
      - VAULT_ADDR=https://127.0.0.1:8200
      - VAULT_SKIP_VERIFY=true
      - VAULT_TOKEN=MY-TOKEN
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/config.json
    networks:
      - minio-network
     
networks:
  minio-network:
    driver: bridge

My problem is that inside docker, I have to use the container name instead of the IP address of my services, so it gives me the following error:
x509: certificate is not valid for any names but wanted to match minio-kes
or
x509: certificate is not valid for any names but wanted to match minio-vault.

minio-kes and minio-vault are my container names.

I tried to replace the common name (CN) while generating the certificate with the name of my container, but again it didn’t work. For example:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
       -subj "/C=/ST=/L=/O=/CN=minio-kes" -addext "subjectAltName = IP:127.0.0.1"

I don't know how I should generate the certificate in order for it to work inside docker.


Comments (1)

怪异←思 2025-02-06 10:47:34


If you are using the domain names to connect, you must add these domain names to the certificate. This can be achieved by adding -addext "subjectAltName = DNS:minio-kes" to the openssl command.

A certificate can be made valid for multiple domain names. Just add the parameter multiple times in order to add multiple domain names to the certificate.

Also see this answer for further details.
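The following is an added example (editor's code, not the answer's or the poster's, and not MinIO/KES/Vault project code) that reproduces the failure and the fix in Go's crypto/x509, the library MinIO, KES and Vault all use for TLS, so the error text it produces is the one quoted in the question. It builds two self-signed certificates the way the openssl commands do: the question's variant (CN=minio-kes, SAN holding only IP:127.0.0.1) and the answer's variant (SAN holding DNS:minio-kes, DNS:minio-vault and IP:127.0.0.1), then runs Go's hostname check against each. Once a certificate carries a SAN extension, Go ignores the Common Name entirely, so changing CN to the container name cannot help; with no DNS entries in the SAN the client reports "certificate is not valid for any names, but wanted to match minio-kes". All names are placed in the one subjectAltName extension, because a certificate carries at most one instance of an extension. The ECDSA P-256 key and the 24-hour validity are illustrative choices, not taken from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed server certificate in the shape the
// openssl commands in the question produce: a Common Name plus a single
// subjectAltName extension holding the given DNS names and IP addresses.
func selfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	// Illustrative key choice; the question uses RSA-2048, which behaves identically here.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour), // illustrative lifetime
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames, // subjectAltName DNS: entries
		IPAddresses:           ips,      // subjectAltName IP: entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// questionCert mirrors the poster's second attempt:
// -subj "/CN=minio-kes" -addext "subjectAltName = IP:127.0.0.1"
func questionCert() (*x509.Certificate, error) {
	return selfSigned("minio-kes", nil, []net.IP{net.ParseIP("127.0.0.1")})
}

// fixedCert follows the answer: DNS SANs for both container names, IP kept
// so connections via 127.0.0.1 from the host continue to verify.
func fixedCert() (*x509.Certificate, error) {
	return selfSigned("minio-kes",
		[]string{"minio-kes", "minio-vault"},
		[]net.IP{net.ParseIP("127.0.0.1")})
}

// hostnameCheck is what a Go TLS client does with the dialled host after
// chain verification: match it against the certificate's SAN entries.
// A nil result means the name is accepted.
func hostnameCheck(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

func main() {
	bad, err := questionCert()
	if err != nil {
		panic(err)
	}
	good, err := fixedCert()
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"minio-kes", "minio-vault", "127.0.0.1", "minio"} {
		fmt.Printf("IP-only SAN  cert, host %-12s -> %v\n", host, hostnameCheck(bad, host))
		fmt.Printf("DNS+IP SAN   cert, host %-12s -> %v\n", host, hostnameCheck(good, host))
	}
}
```

Running it shows the IP-only certificate accepted for 127.0.0.1 but rejected for minio-kes and minio-vault with the exact "not valid for any names" message, while the DNS+IP certificate is accepted for both container names and the IP, and still rejected for a name such as minio that is not in the SAN. The same inspection can be done on a PEM file with `openssl x509 -in server.cert -noout -ext subjectAltName`: if the output lists no DNS: entries, the container-name connection will fail regardless of the CN.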
