ETCD TLS certificate creation and verification (guide to TLS certificate configuration) #25

Open
opvexe opened this issue Apr 8, 2023 · 0 comments
opvexe commented Apr 8, 2023

Client TLS certificate settings

A client certificate, a client private key and a trusted CA certificate (i.e. CertFile, KeyFile and TrustedCAFile) are used. This means that when a TLS connection is established between the etcd client and the etcd server, the client uses these certificates to authenticate itself and verifies that the certificate presented by the etcd server was signed by the trusted CA. If any verification step fails, the TLS connection is terminated.

If you have no special security requirements, you can use the local test certificates provided above for testing. In that case, set CertFile, KeyFile and TrustedCAFile to the following values:

CertFile: path to the client certificate file, e.g. client.crt
KeyFile: path to the client private key file, e.g. client.key
TrustedCAFile: path to the trusted CA certificate file, e.g. ca.crt

If you are using your own certificates, set these values to the file paths of the corresponding certificates.

Generate test certificates (CN: localhost, 192.168.31.108)

Here 192.168.31.108 is the IP of the current host (macOS -> Wi-Fi settings -> IP address).

Generate the CA certificate:

```shell
openssl genrsa -out ca.key 4096
openssl req -new -key ca.key -x509 -days 3650 -out ca.crt -subj "/CN=etcd-ca"
```

Generate the server certificate:

```shell
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj "/CN=localhost"
echo "subjectAltName = DNS:localhost, IP:192.168.31.108" > extfile.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extfile extfile.cnf
```

Generate the client certificate:

```shell
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj "/CN=etcd-client"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
```

The following parameters need to be specified in the etcd configuration file:

```yaml
etcd:
  listen_client_urls: https://0.0.0.0:2379
  listen_peer_urls: https://0.0.0.0:2380
  advertise_client_urls: https://localhost:2379
  initial_advertise_peer_urls: https://localhost:2380
  cert_file: /path/to/server.crt        # certificate and private key used by etcd
  key_file: /path/to/server.key         # certificate and private key used by etcd
  trusted_ca_file: /path/to/ca.crt      # CA certificate used by etcd
  client_cert_auth: true                # enable client auth; clients must present a certificate to authenticate
```

Deploy a single-node etcd (docker)

```yaml
version: '3'
services:
  etcd:
    image: quay.io/coreos/etcd:v3.5.0
    command: ["etcd", "--cert-file=/certs/server.crt", "--key-file=/certs/server.key", "--client-cert-auth", "--trusted-ca-file=/certs/ca.crt", "--advertise-client-urls=https://localhost:2379", "--listen-client-urls=https://0.0.0.0:2379"]
    volumes:
      - ./certs:/certs
    ports:
      - "2379:2379"
    restart: always
```
opvexe changed the title from "ETCD TLS certificate creation and verification" to "ETCD TLS certificate creation and verification (guide to TLS certificate configuration)" on Apr 8, 2023
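As an added example (not part of the issue above and not code from the etcd project), the following Go program uses only the standard library to rebuild the certificate layout from the openssl steps in memory (a CN=etcd-ca root, a CN=localhost server certificate with subjectAltName DNS:localhost and IP:192.168.31.108, and a CN=etcd-client client certificate) and then exercises the two checks the issue describes: chain-and-hostname verification of the server certificate against the trusted CA, and a mutual-TLS handshake over a loopback listener where the server requires a client certificate (the equivalent of client_cert_auth: true) and the client trusts only that CA. The names PKI, BuildPKI, VerifyServerCert and Handshake are my own; the IP is the one from the issue; ECDSA P-256 keys stand in for the issue's 4096-bit RSA keys so key generation is fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI holds in memory the three certificates from the issue's openssl steps and the trust pool that stands in for TrustedCAFile.
type PKI struct {
	CA, Server, Client          *x509.Certificate
	CAKey, ServerKey, ClientKey *ecdsa.PrivateKey
	Pool                        *x509.CertPool
}

func must[T any](v T, err error) T { // crypto or listen failures here mean a broken environment
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key pair for tmpl and signs tmpl with parent/parentKey; a nil parent means self-signed (the CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI mirrors the openssl steps: CN=etcd-ca root, CN=localhost server cert with DNS:localhost, IP:<hostIP>, CN=etcd-client client cert.
func BuildPKI(hostIP string) *PKI {
	template := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(3650 * 24 * time.Hour)} // -days 3650
	}
	p := &PKI{Pool: x509.NewCertPool()}
	ca := template("etcd-ca", 1)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	p.CA, p.CAKey = issue(ca, nil, nil)
	p.Pool.AddCert(p.CA)
	srv := template("localhost", 2)
	srv.DNSNames, srv.IPAddresses = []string{"localhost"}, []net.IP{net.ParseIP(hostIP)}
	srv.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	p.Server, p.ServerKey = issue(srv, p.CA, p.CAKey)
	cli := template("etcd-client", 3)
	cli.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	p.Client, p.ClientKey = issue(cli, p.CA, p.CAKey)
	return p
}

// VerifyServerCert is the check an etcd client makes with TrustedCAFile: chain to the trusted CA, and host (DNS name or IP literal) must match a SAN.
func (p *PKI) VerifyServerCert(cert *x509.Certificate, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: p.Pool, DNSName: host})
	return err
}

// Handshake runs a mutual-TLS handshake over loopback TCP: server configured like etcd with client_cert_auth: true, client like CertFile/KeyFile/TrustedCAFile.
func (p *PKI) Handshake(sendClientCert bool) error {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.Server.Raw}, PrivateKey: p.ServerKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // client_cert_auth: true
		ClientCAs:    p.Pool,                         // trusted_ca_file
	}
	clientCfg := &tls.Config{RootCAs: p.Pool, ServerName: "localhost"} // TrustedCAFile
	if sendClientCert { // CertFile + KeyFile
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{p.Client.Raw}, PrivateKey: p.ClientKey}}
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			// Write runs the server-side handshake; it fails, sending nothing, when the client has no cert or one not signed by the trusted CA.
			conn.Write([]byte("ok"))
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	// With TLS 1.3 the client finishes before the server has checked its cert, so the verdict is the first record: "ok", or an alert surfaced as an error.
	_, err = conn.Read(make([]byte, 2))
	return err
}

func main() {
	p := BuildPKI("192.168.31.108") // host IP from the issue
	fmt.Println(p.VerifyServerCert(p.Server, "localhost"), p.VerifyServerCert(p.Server, "10.0.0.1"), p.Handshake(true), p.Handshake(false))
}
```

Running it prints two nil results (the server certificate is valid for localhost and the handshake with a client certificate succeeds) and two errors (an IP outside the SAN list is rejected, and a client that presents no certificate is refused by the server). The same rejection applies to a client certificate issued by a different CA, since the server only trusts the pool built from ca.crt.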