无法验证 <ip-address> 的证书,因为它不包含任何 IP SAN
cannot validate certificate for <ip-address> because it doesn't contain any IP SANs
我正在开发 GitLab CI 管道,它将部署我的 docker 堆栈。我正在尝试将 $DOCKER_HOST 设置为 tcp://DROPLET_IP:2377,但我收到一条错误消息,指出我的证书不包含任何 IP SAN。我正在使用 Digital Ocean Droplet 进行测试,所以我还没有为我的 Droplet 设置域名。
deploy:
stage: deploy
image: docker:stable
services:
- docker:dind
variables:
DOCKER_HOST: "tcp://$DROPLET_IP:2377"
DOCKER_TLS_VERIFY: 1
before_script:
- mkdir -p ~/.docker
- echo "$TLS_CA_CERT" > ~/.docker/ca.pem
- echo "$TLS_CERT" > ~/.docker/cert.pem
- echo "$TLS_KEY" > ~/.docker/key.pem
script:
- docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
- docker info
- docker stack deploy --with-registry-auth --compose-file=docker-stack.yml mystack
这是我在 GitLab CI 作业的输出中遇到的错误:
$ docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
error during connect: Post https://<ip-address>:2377/v1.39/auth: x509: cannot validate certificate for <ip-address> because it doesn't contain any IP SANs
我正在使用以下一组命令生成我的证书(ca.pem、server-cert.pem 和 server-key.pem),我想在我的 [=18= 中使用它们]阶段如上所述。我已将 TLS_CA_CERT、TLS_CERT 和 TLS_KEY 保存到 GitLab CI 中使用的变量中。
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=<ip-address>" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = IP:<ip-address> >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
我看到您在 subjectAltName
中包含了 IP 地址
echo subjectAltName = IP:<ip-address> >> extfile.cnf
检查,as in here,如果这是配置问题:
I put subjectAltName in the wrong section. Working method: Basically I edited openssl.cnf, in section [v3_ca] I added 'subjectAltName = IP:192.168.2.107'.
Produced new certificate and added to server + client.
您需要确保您的扩展在 v3_ca 部分声明为 shown here.
从 OpenSSL 1.1.1 开始,直接在命令行上提供 subjectAltName 变得 容易得多 ,因为 -addext 标志被引入 openssl req
示例:
export HOST="my.host"
export IP="127.0.0.1"
openssl req -newkey rsa:4096 -nodes -keyout ${HOST}.key -x509 -days 365 -out ${HOST}.crt -addext 'subjectAltName = IP:${IP}' -subj '/C=US/ST=CA/L=SanFrancisco/O=MyCompany/OU=RND/CN=${HOST}/'
灵感来自 link
我正在开发 GitLab CI 管道,它将部署我的 docker 堆栈。我正在尝试将 $DOCKER_HOST 设置为 tcp://DROPLET_IP:2377,但我收到一条错误消息,指出我的证书不包含任何 IP SAN。我正在使用 Digital Ocean Droplet 进行测试,所以我还没有为我的 Droplet 设置域名。
deploy:
stage: deploy
image: docker:stable
services:
- docker:dind
variables:
DOCKER_HOST: "tcp://$DROPLET_IP:2377"
DOCKER_TLS_VERIFY: 1
before_script:
- mkdir -p ~/.docker
- echo "$TLS_CA_CERT" > ~/.docker/ca.pem
- echo "$TLS_CERT" > ~/.docker/cert.pem
- echo "$TLS_KEY" > ~/.docker/key.pem
script:
- docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
- docker info
- docker stack deploy --with-registry-auth --compose-file=docker-stack.yml mystack
这是我在 GitLab CI 作业的输出中遇到的错误:
$ docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
error during connect: Post https://<ip-address>:2377/v1.39/auth: x509: cannot validate certificate for <ip-address> because it doesn't contain any IP SANs
我正在使用以下一组命令生成我的证书(ca.pem、server-cert.pem 和 server-key.pem),我想在我的 [=18= 中使用它们]阶段如上所述。我已将 TLS_CA_CERT、TLS_CERT 和 TLS_KEY 保存到 GitLab CI 中使用的变量中。
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=<ip-address>" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = IP:<ip-address> >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
我看到您在 subjectAltName
echo subjectAltName = IP:<ip-address> >> extfile.cnf
检查,as in here,如果这是配置问题:
I put subjectAltName in the wrong section. Working method: Basically I edited
openssl.cnf, in section[v3_ca]I added 'subjectAltName = IP:192.168.2.107'.
Produced new certificate and added to server + client.
您需要确保您的扩展在 v3_ca 部分声明为 shown here.
从 OpenSSL 1.1.1 开始,直接在命令行上提供 subjectAltName 变得 容易得多 ,因为 -addext 标志被引入 openssl req
示例:
export HOST="my.host"
export IP="127.0.0.1"
openssl req -newkey rsa:4096 -nodes -keyout ${HOST}.key -x509 -days 365 -out ${HOST}.crt -addext 'subjectAltName = IP:${IP}' -subj '/C=US/ST=CA/L=SanFrancisco/O=MyCompany/OU=RND/CN=${HOST}/'
灵感来自 link