Background
The Nginx ingress controller pod reports errors
➜ ~ kubectl logs -f nginx-ingress-controller-67b575db85-fg5cq --namespace=kube-system
➜ ~ kubectl logs -f nginx-ingress-controller-67b575db85-qcglq --namespace=kube-system
Creating the root certificate and private key
The certificate can be used for the k8s cluster ingress and for docker
Run this on Linux. Do not run it in the macOS terminal
The ca-key passphrase must be kept safe
➜ helm git:(master) ✗ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
...............................................................................................................................................++
..............................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
4310156844:error:28FFF065:lib(40):CRYPTO_internal:result too small:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/ui/ui_lib.c:830:You must type in 4 to 1023 characters
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
➜ helm git:(master) ✗ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj "/CN=argocd.litatom.com" -out ca.pem
Enter pass phrase for ca-key.pem:
➜ helm git:(master) ✗ ll
total 1376
-rw-r--r-- 1 kk staff 6.1K Apr 28 09:08 README.md
drwxr-xr-x 10 kk staff 320B Apr 29 00:14 argo-cd
-rw-r--r-- 1 kk staff 100K Apr 29 00:06 argo-cd-4.5.7.tgz
-rw-r--r-- 1 kk staff 524K Apr 28 10:12 argo-cd_install.yaml
-rw-r--r-- 1 kk staff 1.0K May 11 23:18 argocd.cst
-rw-r--r-- 1 kk staff 0B May 11 23:15 argocd.key
-rw-r--r-- 1 kk staff 3.2K May 11 23:40 ca-key.pem
-rw-r--r-- 1 kk staff 1.6K May 11 23:18 ca.key
-rw-r--r-- 1 kk staff 1.7K May 11 23:40 ca.pem
drwxr-xr-x 4 kk staff 128B May 1 17:28 iac
-rw-r--r-- 1 kk staff 13K Apr 28 21:13 jumpserver.yaml
-rw-r--r-- 1 kk staff 9.2K May 11 23:14 openssl.cnf
drwxr-xr-x 9 kk staff 288B May 1 17:15 tas
-rw-r--r-- 1 kk staff 700B May 11 23:38 ustack.csr
-rw-r--r-- 1 kk staff 912B May 11 23:38 ustack.key
➜ helm git:(master) ✗ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................................++
...........++
e is 65537 (0x10001)
Server certificate issuance
➜ helm git:(master) ✗ openssl req -new -sha256 \
-key server-key.pem \
-subj "/C=CN/OU=ORG/O=COMP/CN=NAME" \
-reqexts SAN \
-config <(cat openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:*.*.com")) \
-out server.csr
➜ helm git:(master) ✗ openssl x509 -req -days 365 \
-in server.csr -out server-cert.pem \
-CA ca.pem -CAkey ca-key.pem -CAcreateserial \
-extensions SAN \
-extfile <(cat openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.*.com"))
Signature ok
subject=/C=CN/OU=ORG/O=COMP/CN=NAME
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Verify
➜ helm git:(master) ✗ openssl x509 -noout -text -in server-cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15734150207289624054 (0xda5aee401c2305f6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=argocd.*.com
Validity
Not Before: May 11 15:57:55 2022 GMT
Not After : May 11 15:57:55 2023 GMT
Subject: C=CN, OU=ORG, O=COMP, CN=NAME
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ae:5e:61:f6:06:4c:76:9e:06:cb:35:f1:54:e4:
36:c0:8f:cc:b0:f8:09:1a:81:1c:54:5c:58:54:17:
2d:e7:a3:a2:74:44:83:2a:04:d4:49:32:81:54:04:
6a:cc:fd:51:c0:7e:f1:2e:6e:9d:3e:dd:b5:2c:da:
e3:a4:d4:7e:40:7f:10:06:4a:f4:95:19:75:a8:3e:
13:7a:eb:87:95:0f:5b:0b:72:01:a4:4f:c4:d4:bc:
1a:68:59:cb:7e:a0:41:f9:23:ed:8c:e1:14:45:f6:
fd:17:08:87:76:97:25:97:49:e3:84:a3:84:ad:82:
a5:1a:0c:f0:02:88:1e:6f:2f:b1:30:94:b9:15:08:
0f:1a:37:85:42:f4:7a:61:52:bd:6a:cc:e4:aa:60:
54:9a:ef:31:30:84:9d:bc:b3:d3:e1:81:20:ad:c8:
f9:96:ce:e5:67:9f:89:e7:b9:ee:71:43:92:3b:9f:
57:a0:02:d1:2b:47:7e:ab:b6:1b:7c:a6:e7:13:42:
cc:12:ba:1b:96:f7:8e:82:da:d1:27:21:34:d8:8d:
e3:c2:e1:e1:ab:d8:9b:06:5a:1e:59:ac:ed:9d:9f:
c4:11:a5:0f:8b:37:55:d8:d7:07:c4:ed:4c:f7:39:
51:ea:9d:86:1d:34:0c:53:f3:16:bb:d3:c8:ed:ba:
2a:95:bf:58:e3:c7:44:35:2c:f1:c7:65:e4:52:92:
f8:4b:7f:58:c3:93:7e:f0:7d:9f:be:a0:98:96:88:
b5:fd:a6:e4:ec:66:de:a1:4f:d3:0c:9e:22:c6:ef:
e4:50:e1:dc:2a:f2:ef:54:2d:91:2d:93:54:68:01:
80:78:0f:4e:15:17:92:e7:45:aa:54:88:d3:d0:16:
7b:67:1c:02:bc:bc:68:31:c2:68:b0:82:43:ed:f4:
35:8d:7f:bf:f8:4a:20:20:54:85:01:71:aa:23:e9:
2e:60:51:4a:c5:54:f9:1e:9a:35:0e:92:6a:12:dd:
12:d5:1b:d4:b8:d3:32:14:00:c7:e4:05:27:46:57:
8c:56:58:24:7a:4f:34:04:ae:1c:2a:36:76:25:47:
29:73:8a:3a:f5:52:1f:1b:23:8a:eb:8d:ff:24:ef:
ec:8d:b6:25:81:62:45:54:bb:44:f9:15:51:2b:23:
af:b3:5a:31:9b:ae:f2:9c:bc:ea:cb:3a:01:99:75:
62:3f:51:05:9a:d3:18:17:1d:f0:f0:06:3a:99:fe:
13:ac:d1:51:7a:1f:80:b8:6a:b9:70:f8:78:1c:ca:
6b:a0:32:65:c5:be:ca:d7:2c:86:c1:0a:db:2e:35:
6a:33:79:48:3d:0a:0d:18:80:3e:a2:e4:b9:11:76:
6a:52:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.litatom.com
Signature Algorithm: sha1WithRSAEncryption
28:1b:1e:4a:8a:6f:7d:68:fd:6c:29:c7:d6:27:4e:40:ec:36:
ce:3d:0e:a7:e3:cf:21:a4:b1:12:f6:bd:ac:b1:82:1e:90:7f:
02:d9:3c:9b:71:d5:ce:c7:3b:78:44:44:d7:b6:17:67:2d:b1:
ea:71:9f:c6:d3:97:08:da:85:c5:f8:c0:c4:a2:bd:60:d4:a0:
ab:f4:40:e3:f6:9e:93:fc:e2:31:49:63:b1:3e:b9:e2:52:9b:
7c:ea:99:e4:ea:45:27:57:09:b8:48:3d:6d:1b:f0:90:21:34:
35:ce:0d:97:f0:3d:5f:02:4c:ad:b8:f7:ec:ba:f7:8c:14:32:
8f:e8:e4:29:dc:a6:d3:20:2a:1e:9f:e8:d2:a0:91:03:bf:4c:
f9:4d:db:d8:2b:f4:16:62:ec:cb:e7:fc:a3:1c:69:f5:79:14:
5e:69:a6:b1:7b:46:01:7b:4a:89:0b:99:f9:16:0d:d5:36:96:
2b:5b:c8:27:14:2f:7a:82:b9:92:69:39:fe:4b:65:70:a4:b4:
68:5e:b5:dd:41:55:09:8a:22:53:2a:72:8b:f2:05:64:1c:7e:
21:17:c1:14:e2:ca:3d:1a:cd:7b:78:4f:d8:6f:2f:4f:7c:68:
51:13:1d:93:ff:2e:a0:17:74:1e:3f:1f:2c:4a:f3:d5:04:a5:
78:e4:ab:5b:b4:11:f7:4e:f2:37:6b:74:b7:0a:4e:0f:de:f7:
5f:86:19:0d:bc:a0:5b:91:7d:a6:91:dd:f8:d5:66:59:9e:61:
7a:70:d0:58:7b:60:5e:7b:09:51:93:5e:09:20:77:b0:5b:8c:
60:51:11:38:59:23:b6:d0:f4:ea:19:de:d6:13:3c:de:4e:d4:
c7:0a:36:21:a6:a6:ac:0f:75:95:ad:64:10:de:45:cc:19:ce:
85:04:95:33:e9:dc:5f:26:d5:e7:56:fe:da:93:69:ca:f6:2c:
8a:65:07:09:3b:f4:5a:6f:c1:0e:74:ca:dc:cc:d0:ba:8c:3c:
ee:43:81:ad:cf:9d:88:29:56:ca:c4:a3:c3:a6:e8:a2:dd:ce:
af:cb:a0:80:64:b4:41:90:41:12:b3:12:30:af:a9:c0:8a:b4:
3e:2d:21:a0:8b:ea:46:32:ce:89:84:c4:f3:1f:cb:11:73:68:
22:82:cd:95:a4:18:99:8e:99:e3:2b:d3:e9:49:cd:c3:9a:ff:
21:59:aa:6b:77:47:3c:fc:a6:5f:e1:2f:c3:32:98:7d:ac:be:
43:13:d2:8c:2b:5d:c2:80:67:85:84:00:74:94:d0:7b:6f:cb:
a3:7a:05:65:45:5b:43:15:18:2c:54:a5:a1:a4:54:96:db:43:
cd:8b:c2:85:60:2c:5a:25
Apply to k8s
➜ helm git:(master) ✗ kubectl create secret tls secret-https-argocd6 --key server-key.pem --cert server-cert.pem --namespace=argocd
secret/secret-https-argocd6 created
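The whole procedure above (CA key and root cert, server key and CSR with a SAN, signing with the CA, checking the result, loading the pair into a k8s TLS secret) as one non-interactive script. This is an added example, not the commands from the original notes. It assumes openssl on PATH, the CA passphrase exported in the CA_PASS environment variable, and a constructed hostname and working directory; the secret name and namespace passed to create_tls_secret are placeholders. Two things differ deliberately from the original: the signing step passes -sha256 explicitly (the original x509 -req command omitted it, and the dump above shows sha1WithRSAEncryption, which current browsers and ingress clients reject), and the root cert carries basicConstraints CA:TRUE so that openssl verify accepts it as an issuer. The script also verifies the chain and the hostname against the SAN before anything is pushed to the cluster.

```shell
#!/bin/sh
# Added example, not from the original notes: non-interactive CA + server cert
# with a proper SAN, signed with SHA-256, verified before it goes into k8s.
# Assumptions: openssl on PATH; CA_PASS exported with the CA key passphrase;
# hostname and directory are constructed values supplied by the caller.

set -eu

# make_certs DIR HOSTNAME: create ca-key.pem/ca.pem and server-key.pem/server-cert.pem in DIR.
make_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Minimal config: [dn] is empty because -subj supplies the name;
    # [ca_ext] marks the root as a CA; [san] is what ingress clients actually check.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[san]
subjectAltName = DNS:${host}
EOF
    # Encrypted CA key; the passphrase is read from the CA_PASS environment variable.
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca-key.pem" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$dir/ca-key.pem" -passin env:CA_PASS \
        -subj "/CN=Example Internal CA" -extensions ca_ext -config "$dir/san.cnf" \
        -out "$dir/ca.pem" 2>/dev/null
    # Server key stays unencrypted: the ingress controller must load it unattended.
    openssl genrsa -out "$dir/server-key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -key "$dir/server-key.pem" \
        -subj "/C=CN/OU=ORG/O=COMP/CN=${host}" \
        -reqexts san -config "$dir/san.cnf" -out "$dir/server.csr" 2>/dev/null
    # -sha256 here is what the original signing command omitted.
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -out "$dir/server-cert.pem" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -passin env:CA_PASS -CAcreateserial \
        -extensions san -extfile "$dir/san.cnf" 2>/dev/null
}

# verify_chain DIR HOSTNAME: exit 0 only if server-cert.pem chains to ca.pem
# and HOSTNAME matches the certificate's SAN (the check a browser performs).
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server-cert.pem" >/dev/null
}

# cert_sig_alg DIR: print the signature algorithm of server-cert.pem.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1/server-cert.pem" \
        | awk '/Signature Algorithm/ { print $3; exit }'
}

# cert_san DIR: print the subjectAltName entry of server-cert.pem (e.g. DNS:host).
cert_san() {
    openssl x509 -noout -text -in "$1/server-cert.pem" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# create_tls_secret DIR NAME NAMESPACE: load the pair into a kubernetes.io/tls secret.
# Needs a reachable cluster, so it is only run from the usage block below.
create_tls_secret() {
    kubectl create secret tls "$2" --key "$1/server-key.pem" --cert "$1/server-cert.pem" \
        --namespace="$3"
}

# Usage: CA_PASS='...' sh certs.sh <dir> <hostname> [secret-name namespace]
if [ "$#" -ge 2 ]; then
    make_certs "$1" "$2"
    verify_chain "$1" "$2"
    echo "chain and hostname OK: $(cert_sig_alg "$1") $(cert_san "$1")"
    [ "$#" -eq 4 ] && create_tls_secret "$1" "$3" "$4"
fi
```

Run it as CA_PASS='...' sh certs.sh ./pki argocd.example.test secret-https-argocd argocd; the kubectl step only executes when the secret name and namespace are given, after verify_chain has passed. The hostname check is the one worth keeping in any pipeline: a certificate whose SAN does not cover the ingress host will verify as a valid chain yet still fail in every client.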