Google 负载均衡器拒绝自签名证书
Google Load balancer refuses self-signed certificate
-
openssl
-
ssl-certificate
-
google-cloud-platform
-
google-cloud-load-balancer
-
google-cloud-http-load-balancer
我想创建一个自签名证书用于 Google Loadbalancer,我编写了以下脚本来准备它:
#!/bin/bash
FQDN=*.domain.net
SUBJ="/C=CZ/ST=Country/L=City/O=Authority/CN=$FQDN"
VALIDITY=3650
# make directories to work from
mkdir -p certs
# generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout certs/ca.key -out certs/ca.crt -subj $SUBJ
# generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout certs/server.key -out certs/server.csr -subj $SUBJ
# sign the server cert
openssl x509 -req -in certs/server.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/server.crt
# create server PEM file
cat certs/server.key certs/server.crt > certs/server.pem
# generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -days $VALIDITY -keyout certs/client.key -out certs/client.csr -subj $SUBJ
# sign the client cert
openssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAserial certs/ca.srl -out certs/client.crt
# create client PEM file
cat certs/client.key certs/client.crt > certs/client.pem
这可以正常工作并生成所有没有错误的证书。
然而,当我尝试将这些放入 google 负载均衡器时,它拒绝接受生成的证书。我正在输入:
certs/client.crt
到“public 密钥证书”字段
certs/client.pem
到“证书链”字段
certs/server.key
到“私钥”字段
您可以将自签名证书用于后端服务。您不能将自签名证书用于前端服务。
Google 云 HTTP 负载均衡器只接受经过域验证或更高级别的 SSL 证书。
不要混淆自管理 和自签名 证书。
Self-managed and Google-managed SSL certificates
您问题中的错误信息表示您导入了错误的私钥。您还有另一个错误 VALIDITY=3650
。 Public 面对SSL证书不能超过825天(我觉得现在的做法是398天),几乎所有的厂商都不会颁发超过365天的证书。对于有效期超过 365 天的证书,需要在证书上附加更多详细信息。
openssl
ssl-certificate
google-cloud-platform
google-cloud-load-balancer
google-cloud-http-load-balancer
我想创建一个自签名证书用于 Google Loadbalancer,我编写了以下脚本来准备它:
#!/bin/bash
FQDN=*.domain.net
SUBJ="/C=CZ/ST=Country/L=City/O=Authority/CN=$FQDN"
VALIDITY=3650
# make directories to work from
mkdir -p certs
# generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout certs/ca.key -out certs/ca.crt -subj $SUBJ
# generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout certs/server.key -out certs/server.csr -subj $SUBJ
# sign the server cert
openssl x509 -req -in certs/server.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/server.crt
# create server PEM file
cat certs/server.key certs/server.crt > certs/server.pem
# generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -days $VALIDITY -keyout certs/client.key -out certs/client.csr -subj $SUBJ
# sign the client cert
openssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAserial certs/ca.srl -out certs/client.crt
# create client PEM file
cat certs/client.key certs/client.crt > certs/client.pem
这可以正常工作并生成所有没有错误的证书。
然而,当我尝试将这些放入 google 负载均衡器时,它拒绝接受生成的证书。我正在输入:
certs/client.crt
到“public 密钥证书”字段certs/client.pem
到“证书链”字段certs/server.key
到“私钥”字段
您可以将自签名证书用于后端服务。您不能将自签名证书用于前端服务。
Google 云 HTTP 负载均衡器只接受经过域验证或更高级别的 SSL 证书。
不要混淆自管理 和自签名 证书。
Self-managed and Google-managed SSL certificates
您问题中的错误信息表示您导入了错误的私钥。您还有另一个错误 VALIDITY=3650
。 Public 面对SSL证书不能超过825天(我觉得现在的做法是398天),几乎所有的厂商都不会颁发超过365天的证书。对于有效期超过 365 天的证书,需要在证书上附加更多详细信息。