ssl Terraform自签名证书会导致“Dial x509：redli的“证书由未知授权机构签名

6yjfywim 于 2023-01-21 发布在其他

关注(0)|答案(1)|浏览(153)

我在Terraform的测试环境中生成了一个自签名证书来保护Redis容器连接：
以下是我的资源：

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "signed_cert" {
  private_key_pem       = tls_private_key.private_key.private_key_pem
  ip_addresses          = ["0.0.0.0", "127.0.0.1"]
  validity_period_hours = 6
  early_renewal_hours   = 1

  subject {
    organization = "example"
  }

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
    "client_auth",
    "cert_signing"
  ]
}

下面是我的Dockerfile：

FROM redis:alpine

RUN apk update && apk add ca-certificates && update-ca-certificates

COPY ./redis.conf /etc/redis.conf

COPY ./redis.crt /redis.crt

COPY ./redis.key /redis.key

CMD ["redis-server", "/etc/redis.conf"]

下面是我的redis.conf文件：

requirepass "password"
port 0
tls-port 6379
tls-cert-file /redis.crt
tls-ca-cert-file /redis.crt
tls-key-file /redis.key

我对tls-ca-cert-file和tls-cert-file使用相同的文件，因为这是一个自签名证书，并且redis要求设置tls-ca-cert-file。
现在，当我尝试使用redli登录时，出现以下错误：

$ redli -a "password" --tls
... Dial x509: certificate signed by unknown authority

我错过了什么？
我还尝试使用redli的--skipverify标志，但没有结果：

$ redli -a password --tls --skipverify
... Dial remote error: tls: certificate required

ssl

来源：https://stackoverflow.com/questions/75162687/terraform-self-signed-certificate-results-in-dial-x509-certificate-signed-by-u

1条答案

按热度按时间

yjghlzjz1#

事实证明，Redis by default accepts only mutual authentication .
为了解决这个问题，我在redis.conf文件中添加了tls-auth-clients no。
我还更新了如何从Terraform生成证书：

resource "tls_private_key" "ca_private_key" {
  algorithm = "RSA"
}

resource "tls_private_key" "cert_private_key" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "ca_cert" {
  # Five days should be enough for a PR
  validity_period_hours = 120
  early_renewal_hours   = 1
  is_ca_certificate     = true
  private_key_pem       = tls_private_key.ca_private_key.private_key_pem

  allowed_uses = [
    "cert_signing",
    "digital_signature"
  ]

  subject {
    common_name  = "previews_ca"
    organization = "Example"
  }
}

resource "tls_cert_request" "cert_request" {
  private_key_pem = tls_private_key.cert_private_key.private_key_pem
  ip_addresses    = ["0.0.0.0", "127.0.0.1"]
  dns_names       = ["*.${var.region}.compute.amazonaws.com"]

  subject {
    common_name  = "previews"
    organization = "Example"
  }
}

resource "tls_locally_signed_cert" "cert" {
  # Five days should be enough for a PR
  validity_period_hours = 120
  early_renewal_hours   = 1
  cert_request_pem      = tls_cert_request.cert_request.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca_private_key.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca_cert.cert_pem

  allowed_uses = [
    "server_auth",
    "digital_signature"
  ]
}

locals {
  tls_cert_private_key = tls_private_key.cert_private_key.private_key_pem
  tls_cert             = tls_locally_signed_cert.cert.cert_pem
  tls_ca_cert          = ls_self_signed_cert.ca_cert.cert_pem
}

现在我可以正确地连接redli：

$ redli -a password  --tls --skipverify -h foo.eu-west-1.compute.amazonaws.com
Connected to 7.0.8
> ping
PONG

请查看--skipverify标志。由于ca授权，需要该标志：

$ redli -a passwowrd  --tls -h foo.eu-west-1.compute.amazonaws.com
2023/01/20 14:15:11 Dial x509: certificate signed by unknown authority

如果我想接受ca授权，我必须运行：

# trust anchor ca.crt

但是在我的Arch Linux中，在你的机器中，它可能是其他的东西。
在我的例子中，我为每个由github操作生成的EC2生成一个证书，该操作在PR打开时运行，因此我不能将每个证书添加到可信存储区。
我的docker-compose.yaml文件：

services:
  redis:
      container_name: preview_redis
      image: redis:alpine
      command: /etc/redis.conf
      volumes:
        - ./tls:/tls
        - ./redis.conf:/etc/redis.conf
      ports:
        - 6379:6379

我的redis.conf文件：

requirepass "password"
port 0
tls-port 6379
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-dir /tls/ca.crt
tls-auth-clients no

赞(0）回复(0）举报 2023-01-21

我来回答

ssl Terraform自签名证书会导致“Dial x509：redli的“证书由未知授权机构签名

1条答案

相关问题

热门标签

最新问答