I have a docker-compose setup in which minio, minio/kes and vault talk to each other. Both minio/kes and vault need TLS, and I create their certificates with the self-signed method using an IP address. I use this command to generate the certificates:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
-subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"
Here is my docker-compose file:
version: '3.7'
services:
  minio:
    image: minio/minio:RELEASE.2021-02-01T22-56-52Z
    container_name: minio
    restart: always
    volumes:
      - /home/zahra/docker/minio/data:/data
      - /home/zahra/docker/kes/certs:/root/.minio/kes/certs
    ports:
      - "9003:9000"
    expose:
      - "9003"
    environment:
      MINIO_ROOT_USER: minio
      MINIO_ROOT_PASSWORD: minio123
      MINIO_KMS_KES_ENDPOINT: https://minio-kes:7373
      MINIO_KMS_KES_CERT_FILE: /root/.minio/kes/certs/client.cert
      MINIO_KMS_KES_KEY_FILE: /root/.minio/kes/certs/client.key
      MINIO_KMS_KES_CA_PATH: /root/.minio/kes/certs/server.cert
      MINIO_KMS_KES_KEY_NAME: test-key
      MINIO_KMS_AUTO_ENCRYPTION: 1
    command: server /data
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
      interval: 30s
      timeout: 20s
      retries: 3
    networks:
      - minio-network
  minio-kes:
    image: minio/kes:v0.19.2
    container_name: minio-kes
    restart: always
    volumes:
      - /home/zahra/docker/kes/certs:/root/.kes/certs
      - /home/zahra/docker/kes/config:/root/.kes/config
      - /home/zahra/docker/vault/certs:/root/.kes/vault/certs
    environment:
      - KES_SERVER=https://minio-vault:7373
      - KES_CLIENT_KEY=/root/.kes/certs/client.key
      - KES_CLIENT_CERT=/root/.kes/certs/client.cert
    ports:
      - "7373:7373"
    command: server --config=/root/.kes/config/config.yaml --auth=off
    expose:
      - "7373"
    networks:
      - minio-network
    depends_on:
      - minio-vault
  minio-vault:
    image: vault:latest
    container_name: minio-vault
    ports:
      - "8200:8200"
    volumes:
      - /home/zahra/docker/vault/file:/vault/file
      - /home/zahra/docker/vault/config:/vault/config
      - /home/zahra/docker/vault/certs:/vault/certs
      - /home/zahra/docker/vault/policy:/vault/policy
    environment:
      - VAULT_ADDR=https://127.0.0.1:8200
      - VAULT_SKIP_VERIFY=true
      - VAULT_TOKEN=MY-TOKEN
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/config.json
    networks:
      - minio-network
networks:
  minio-network:
    driver: bridge
My problem is that in Docker I have to use container names rather than IP addresses for my services, so it gives me the following error: x509: certificate is not valid for any names, but wanted to match minio-kes, or x509: certificate is not valid for any names, but wanted to match minio-vault.
minio-kes and minio-vault are my container names.
When generating the certificates I tried replacing the common name (CN) with the container's name, but it still doesn't work. For example:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
-subj "/C=/ST=/L=/O=/CN=minio-kes" -addext "subjectAltName = IP:127.0.0.1"
I don't know how I should generate the certificates so that they work in Docker.
1 Answer
If you connect using domain names, you have to add those domain names to the certificate. This can be done by adding
-addext "subjectAltName = DNS:minio-kes"
to the openssl command. One certificate can be valid for several domain names. Just add that parameter several times to add several domain names to the certificate.
Also see this answer for more details.
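The following is an added example, not code from the question or the answer above. MinIO and KES are Go programs, so the error in the question is produced by Go's crypto/x509 hostname check; the program below reproduces that check with the standard library only, first with a certificate that carries just the IP SAN (the question's openssl command) and then with DNS SANs for the names that the compose file actually dials (minio dials minio-kes, KES dials minio-vault). Since Go 1.15 the CN field is ignored for name matching, which is why changing CN alone did not help. The key type (ECDSA P-256 instead of the question's RSA 2048) and the CN value are arbitrary choices for the example; the hostnames are taken from the compose file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned issues a self-signed server certificate carrying the given DNS and
// IP SANs. CN stays "localhost" as in the question's openssl command: Go (and so
// MinIO and KES) ignores CN for name matching; only the SANs count.
func newSelfSigned(dnsNames []string, ipStrs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // example key type, not the question's RSA
	if err != nil {
		return nil, err
	}
	var ips []net.IP
	for _, s := range ipStrs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("bad IP SAN %q", s)
		}
		ips = append(ips, ip)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(7300 * 24 * time.Hour), // matches -days 7300
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the cert is also the trust root (MINIO_KMS_KES_CA_PATH)
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkName does what a Go TLS client does after the handshake: validate the chain
// against the trusted root (here the certificate itself) and match the dialed host
// against the SANs. It returns "" on success, otherwise the x509 error text.
func checkName(cert *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err.Error()
	}
	return ""
}

// sanResult issues a certificate with the given SANs and checks one dialed host.
func sanResult(dnsNames, ipStrs []string, host string) string {
	cert, err := newSelfSigned(dnsNames, ipStrs)
	if err != nil {
		return "issue: " + err.Error()
	}
	return checkName(cert, host)
}

func main() {
	// Before: the question's certificate (IP SAN only), dialed by container name.
	fmt.Println(sanResult(nil, []string{"127.0.0.1"}, "minio-kes"))
	// After: a DNS SAN for every name a client dials, plus the IP for local tools.
	dns := []string{"minio-kes", "minio-vault", "localhost"}
	ips := []string{"127.0.0.1"}
	for _, host := range []string{"minio-kes", "minio-vault", "127.0.0.1", "minio"} {
		fmt.Printf("%s: %q\n", host, sanResult(dns, ips, host))
	}
}
```

The first call prints exactly the question's message (x509: certificate is not valid for any names, but wanted to match minio-kes); with the DNS SANs in place the three dialed names pass and only the unlisted name minio is rejected, now with the more helpful "certificate is valid for ..., not minio". In openssl the same SAN list fits in one -addext, comma-separated: -addext "subjectAltName = DNS:minio-kes,DNS:minio-vault,DNS:localhost,IP:127.0.0.1"; check the result with openssl x509 -in server.cert -noout -ext subjectAltName before mounting it. Each service should still get its own certificate listing the names its clients dial, and the file given as the CA path must be the one that signed (or is) the server certificate.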