x509: cannot validate certificate for ip because it doesn't contain any IP SANs

sczxawaw posted on 2021-06-04 in Kafka
Follow (0) | Answers (0) | Views (483)

I am trying to set up an SSL connection between filebeat on a Linux machine and kafka on an EC2 instance in AWS.
I created the keystore using:

keytool -genkey -keystore kafka.server.keystore.jks -validity 365 -storepass $SRVPASS -keypass $SRVPASS  -dname "CN=my-ec2-node.compute-1.amazonaws.com" -storetype pkcs12 -keyalg RSA -ext SAN=dns:my-ec2-node.compute-1.amazonaws.com;

After that, I created the certificate request file:

keytool -keystore kafka.server.keystore.jks -certreq -file cert-request -storepass $SRVPASS -keypass $SRVPASS  -keyalg RSA -ext SAN=dns:my-ec2-node.compute-1.amazonaws.com

I sent the request to the local CA I created:

openssl x509 -req -CA /root/ca/ca-cert -CAkey /root/ca/ca-key -in /root/kafka-ssl/cert-request -out /root/kafka-ssl/cert-signed -days 365 -CAcreateserial -passin pass:$SRVPASS;

Before this step, if I try to view the contents of the keystore, I can see the DNS record in it:

keytool -list -v -keystore kafka.server.keystore.jks

# 1: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [
  IPAddress: x.x.x.x
  DNSName: my-ec2-node.compute-1.amazonaws.com
]

After importing the CA certificate into the keystore, the SubjectAlternativeName no longer appears in the keystore:

keytool -keystore kafka.server.keystore.jks -import -file cert-signed -storepass $SRVPASS -keypass $SRVPASS -noprompt -keyalg RSA -ext SAN=dns:my-ec2-node.compute-1.amazonaws.com;

I also added the signed certificate:

keytool -keystore kafka.server.keystore.jks -import -file cert-signed -storepass $SRVPASS -keypass $SRVPASS -noprompt -keyalg RSA -ext SAN=dns:my-ec2-node.compute-1.amazonaws.com;

I configured kafka and filebeat and copied the CA public key (ca-cert) to the filebeat machine. In addition, I added the following record to /etc/hosts on both machines:

x.x.x.x my-ec2-node.compute-1.amazonaws.com

Now I get the following error on the filebeat machine:

2020-04-20T11:40:26.788Z        INFO    kafka/log.go:53 Connected to broker at my-ec2-node.compute-1.amazonaws.com:9093 (unregistered)

2020-04-20T11:40:26.997Z        INFO    kafka/log.go:53 client/brokers registered new broker #0 at x.x.x.x:9093
2020-04-20T11:40:26.997Z        INFO    kafka/log.go:53 kafka message: client/metadata found some partitions to be leaderless
2020-04-20T11:40:26.997Z        INFO    kafka/log.go:53 client/metadata retrying after 250ms... (2 attempts remaining)

2020-04-20T11:40:27.247Z        INFO    kafka/log.go:53 client/metadata fetching metadata for [filebeat] from broker my-ec2-node.compute-1.amazonaws.com:9093

2020-04-20T11:40:27.398Z        INFO    kafka/log.go:53 producer/broker/0 starting up

2020-04-20T11:40:27.730Z        INFO    kafka/log.go:53 Failed to connect to broker x.x.x.x:9093: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs

2020-04-20T11:40:27.730Z        INFO    kafka/log.go:53 producer/broker/0 state change to [closing] because x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs

2020-04-20T11:40:27.731Z        INFO    kafka/log.go:53 producer/broker/0 state change to [closing] because x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs

I can upload the kafka and filebeat configuration, but I think it is related to the SSL certificates. I also tried mentioning the IP in the -ext flag, but that didn't work either. My assumption is that adding the CA public key to the keystore causes this, but I'm not sure how to preserve it.
What am I missing?

No answers yet!
