"x509: certificate is not valid for any names" 尽管 openssl 显示正确
"x509: certificate is not valid for any names" despite openssl shows correct
I am following the Docker book to set up the Docker Engine API with SSL; this is the whole process:
# CA
echo 01 | sudo tee ca.srl
sudo openssl genrsa -des3 -out ca-key.pem
sudo openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem -subj "/CN=localhost"
# Server key
sudo openssl genrsa -des3 -out server-key.pem
sudo openssl req -new -key server-key.pem -out server.csr -subj "/CN=localhost"
# Server cert
echo subjectAltName = IP:x.x.x.x,IP:127.0.0.1 > extfile.cnf
sudo openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnf
sudo openssl rsa -in server-key.pem -out server-key.pem
sudo chmod 0600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/ca-key.pem /etc/docker/ca.pem
# Client key
sudo openssl genrsa -des3 -out client-key.pem
sudo openssl req -new -key client-key.pem -out client.csr -subj "/CN=localhost"
# Client cert
echo extendedKeyUsage = clientAuth > extfile.cnf
sudo openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnf
sudo openssl rsa -in client-key.pem -out client-key.pem
# Running docker engine
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
# Client
docker -H localhost:2376 --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem info
# Output
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.7.1-docker)
Server:
ERROR: error during connect: Get "https://localhost:2376/v1.24/info": x509: certificate is not valid for any names, but wanted to match localhost
errors pretty printing info
And the certificate looks absolutely correct from OpenSSL:
$ openssl x509 -noout -subject -in client-cert.pem
subject=CN = localhost
I tried with localhost as well as with a VPS that has a domain name, but neither worked.
Thanks to @dave_thompson_085: to fix this I also had to add the DNS name to the SAN, so
echo subjectAltName = DNS:xxx,IP:x.x.x.x,IP:127.0.0.1 > extfile.cnf
solves the problem.
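An added Go example (not from the question, the book, or Docker itself) that reproduces the check behind the error: the Docker client is written in Go, and Go's crypto/x509 matches the host you connect to against subjectAltName only, so a server certificate with CN=localhost and IP-only SANs fails for the host "localhost" while the same certificate with DNS:localhost added passes. The certificates are self-signed throwaway test certs constructed inline from a fixed seed; the name check is the same for a CA-signed cert.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed test certificate with the given subject CN and SAN entries.
// The key comes from an all-zero seed: a throwaway constructed for this example only.
func makeCert(cn string, dns []string, ips []net.IP) *x509.Certificate {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns, // subjectAltName DNS: entries
		IPAddresses:  ips, // subjectAltName IP: entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// hostnameCheck applies the same name check the Docker client's TLS handshake does
// (crypto/x509 VerifyHostname: SAN only, CN ignored); returns the error text or "" on a match.
func hostnameCheck(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}
func main() {
	loopback := []net.IP{net.ParseIP("127.0.0.1")}
	ipOnly := makeCert("localhost", nil, loopback)                    // the question's server cert
	withDNS := makeCert("localhost", []string{"localhost"}, loopback) // the fix: DNS name in SAN
	fmt.Printf("IP-only SAN, host localhost: %q\n", hostnameCheck(ipOnly, "localhost"))
	fmt.Printf("IP-only SAN, host 127.0.0.1: %q\n", hostnameCheck(ipOnly, "127.0.0.1"))
	fmt.Printf("DNS SAN, host localhost:     %q\n", hostnameCheck(withDNS, "localhost"))
}
```

The same applies to the `openssl x509 -noout -subject` check in the question: inspect `-ext subjectAltName` (or `-text`) rather than the subject, because only the SAN entries decide whether the name matches.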