Terraform Self Signed Certificate Openssl Verification Fails
I am trying to use Terraform to create a self-signed certificate for internal use in a test/development environment.
First I create a CA private key and a self-signed certificate.
Then I create a certificate signing request and a private key for the internal domain name I want to enable HTTPS for.
Then I sign the certificate. This is the entire Terraform manifest I am using:
resource "tls_private_key" "ca" {
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_self_signed_cert" "ca" {
key_algorithm = "${tls_private_key.ca.algorithm}"
private_key_pem = "${tls_private_key.ca.private_key_pem}"
subject {
common_name = "Example CA"
organization = "Example, Ltd"
country = "GB"
}
validity_period_hours = 43800
is_ca_certificate = true
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
"client_auth",
]
}
resource "tls_private_key" "registry" {
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_cert_request" "registry" {
key_algorithm = "${tls_private_key.registry.algorithm}"
private_key_pem = "${tls_private_key.registry.private_key_pem}"
subject {
common_name = "registry.test.example.com"
organization = "Example, Ltd"
country = "GB"
}
dns_names = ["registry.test.example.com"]
}
resource "tls_locally_signed_cert" "registry" {
cert_request_pem = "${tls_cert_request.registry.cert_request_pem}"
ca_key_algorithm = "${tls_private_key.ca.algorithm}"
ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
validity_period_hours = 43800
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
"client_auth",
]
}
I run the Terraform manifest. Then I extract the generated certificates from the state file and save them to files.
I try to verify the final certificate with openssl, but I get an error:
$ openssl verify -CAfile ca-cert.pem registry.pem
registry.pem: C = GB, ST = , L = , postalCode = , O = "Example, Ltd", OU = , CN = registry.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
Any idea where the problem is? I have spent a lot of time trying to solve this.
Basically I want to use this to enable HTTPS for the private Docker registry in my test/dev environment.
You need to add cert_signing to tls_private_key.ca.allowed_uses:
resource "tls_self_signed_cert" "ca" {
key_algorithm = "${tls_private_key.ca.algorithm}"
private_key_pem = "${tls_private_key.ca.private_key_pem}"
subject {
common_name = "Example CA"
organization = "Example, Ltd"
country = "GB"
}
validity_period_hours = 43800
is_ca_certificate = true
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
"client_auth",
"cert_signing"
]
}
See: https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#cert_signing
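The failure in the question reproduced with OpenSSL alone, as an added example that is not from the original post or the Terraform TLS provider: a P-384 CA whose keyUsage mirrors the original allowed_uses (no keyCertSign, which is what Terraform's cert_signing maps to), then the same chain with keyCertSign added. The config sections, file names and the ca_can_sign helper (the check to run on ca-cert.pem pulled out of the Terraform state) are my own choices.

```shell
#!/bin/sh
# Added example (not part of the original post): reproduce the error-20 failure
# from the question with OpenSSL only, then show that adding keyCertSign
# (Terraform's "cert_signing") to the CA makes `openssl verify` succeed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Self-contained config so nothing depends on the system openssl.cnf.
# "ca_nosign" mirrors the original CA's allowed_uses; "ca_ok" adds keyCertSign.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_nosign]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment
[ca_ok]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:registry.test.example.com
EOF

# True if the PEM certificate in $1 carries keyCertSign in its Key Usage:
# run this on the CA certificate extracted from the Terraform state.
ca_can_sign() {
  openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# Build a P-384 CA using extension section $1, sign a registry leaf with it,
# and run the same `openssl verify` as the question. Exit status is verify's.
verify_chain() {
  d="$WORK/$1"; mkdir -p "$d"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$d/ca-key.pem" 2>/dev/null
  openssl req -x509 -new -key "$d/ca-key.pem" -config "$WORK/openssl.cnf" -extensions "$1" \
    -subj "/C=GB/O=Example, Ltd/CN=Example CA" -days 30 -out "$d/ca-cert.pem" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$d/registry-key.pem" 2>/dev/null
  openssl req -new -key "$d/registry-key.pem" -config "$WORK/openssl.cnf" \
    -subj "/C=GB/O=Example, Ltd/CN=registry.test.example.com" -out "$d/registry.csr" 2>/dev/null
  openssl x509 -req -in "$d/registry.csr" -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions leaf \
    -out "$d/registry.pem" 2>/dev/null
  openssl verify -CAfile "$d/ca-cert.pem" "$d/registry.pem"
}

verify_chain ca_nosign || echo "as in the question: the CA lacks keyCertSign"
verify_chain ca_ok
```

OpenSSL will not treat a certificate as an issuer when its keyUsage extension is present but lacks keyCertSign, which is why the lookup reports "unable to get local issuer certificate" rather than a key-usage error.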