ssl Terraform自签名证书会导致“Dial x509:redli的“证书由未知授权机构签名

6yjfywim  于 2023-01-21  发布在  其他
关注(0)|答案(1)|浏览(152)

我在Terraform的测试环境中生成了一个自签名证书来保护Redis容器连接:
以下是我的资源:

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "signed_cert" {
  private_key_pem       = tls_private_key.private_key.private_key_pem
  ip_addresses          = ["0.0.0.0", "127.0.0.1"]
  validity_period_hours = 6
  early_renewal_hours   = 1

  subject {
    organization = "example"
  }

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
    "client_auth",
    "cert_signing"
  ]
}

下面是我的Dockerfile

FROM redis:alpine

RUN apk update && apk add ca-certificates && update-ca-certificates

COPY ./redis.conf /etc/redis.conf

COPY ./redis.crt /redis.crt

COPY ./redis.key /redis.key

CMD ["redis-server", "/etc/redis.conf"]

下面是我的redis.conf文件:

requirepass "password"
port 0
tls-port 6379
tls-cert-file /redis.crt
tls-ca-cert-file /redis.crt
tls-key-file /redis.key

我对tls-ca-cert-filetls-cert-file使用相同的文件,因为这是一个自签名证书,并且redis要求设置tls-ca-cert-file
现在,当我尝试使用redli登录时,出现以下错误:

$ redli -a "password" --tls
... Dial x509: certificate signed by unknown authority

我错过了什么?
我还尝试使用redli--skipverify标志,但没有结果:

$ redli -a password --tls --skipverify
... Dial remote error: tls: certificate required
yjghlzjz

yjghlzjz1#

事实证明,Redis by default accepts only mutual authentication .
为了解决这个问题,我在redis.conf文件中添加了tls-auth-clients no
我还更新了如何从Terraform生成证书:

resource "tls_private_key" "ca_private_key" {
  algorithm = "RSA"
}

resource "tls_private_key" "cert_private_key" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "ca_cert" {
  # Five days should be enough for a PR
  validity_period_hours = 120
  early_renewal_hours   = 1
  is_ca_certificate     = true
  private_key_pem       = tls_private_key.ca_private_key.private_key_pem

  allowed_uses = [
    "cert_signing",
    "digital_signature"
  ]

  subject {
    common_name  = "previews_ca"
    organization = "Example"
  }
}

resource "tls_cert_request" "cert_request" {
  private_key_pem = tls_private_key.cert_private_key.private_key_pem
  ip_addresses    = ["0.0.0.0", "127.0.0.1"]
  dns_names       = ["*.${var.region}.compute.amazonaws.com"]

  subject {
    common_name  = "previews"
    organization = "Example"
  }
}

resource "tls_locally_signed_cert" "cert" {
  # Five days should be enough for a PR
  validity_period_hours = 120
  early_renewal_hours   = 1
  cert_request_pem      = tls_cert_request.cert_request.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca_private_key.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca_cert.cert_pem

  allowed_uses = [
    "server_auth",
    "digital_signature"
  ]
}

locals {
  tls_cert_private_key = tls_private_key.cert_private_key.private_key_pem
  tls_cert             = tls_locally_signed_cert.cert.cert_pem
  tls_ca_cert          = ls_self_signed_cert.ca_cert.cert_pem
}

现在我可以正确地连接redli

$ redli -a password  --tls --skipverify -h foo.eu-west-1.compute.amazonaws.com
Connected to 7.0.8
> ping
PONG

请查看--skipverify标志。由于ca授权,需要该标志:

$ redli -a passwowrd  --tls -h foo.eu-west-1.compute.amazonaws.com
2023/01/20 14:15:11 Dial x509: certificate signed by unknown authority

如果我想接受ca授权,我必须运行:

# trust anchor ca.crt

但是在我的Arch Linux中,在你的机器中,它可能是其他的东西。
在我的例子中,我为每个由github操作生成的EC2生成一个证书,该操作在PR打开时运行,因此我不能将每个证书添加到可信存储区。
我的docker-compose.yaml文件:

services:
  redis:
      container_name: preview_redis
      image: redis:alpine
      command: /etc/redis.conf
      volumes:
        - ./tls:/tls
        - ./redis.conf:/etc/redis.conf
      ports:
        - 6379:6379

我的redis.conf文件:

requirepass "password"
port 0
tls-port 6379
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-dir /tls/ca.crt
tls-auth-clients no

相关问题