I see the error message below when the kube-apiserver systemd service is started.
cannot validate certificate for 192.168.101.101 because it doesn't contain any IP SANs". Reconnecting...
The following are the parameters given to the kube-apiserver binary.
kube_apiserver_params:
All certificates are created using the openssl configuration below.
# cat /etc/openssl/node.conf
[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.101.101
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectKeyIdentifier=hash
Output of the apiserver.pem file.
# openssl x509 -noout -text -in apiserver.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f0:64:2c:27:6e:24:b1:15
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = KA, L = Bangalore, O = NA, OU = MN, CN = ABCD
Validity
Not Before: May 6 21:48:04 2019 GMT
Not After : May 4 21:48:04 2024 GMT
Subject: CN = system:apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:4f:a9:ca:b4:0e:5c:99:d0:9e:8d:94:aa:85:
3b:ea:4b:74:2a:41:f1:ea:37:87:a4:1a:6b:89:00:
aa:c8:03:c8:cf:34:15:de:21:f6:26:6c:92:b2:5f:
5b:d9:0d:4f:f9:1f:67:1d:4b:6e:3d:84:76:60:28:
be:0d:33:64:92:3c:0b:ee:bd:4d:bd:3b:9a:1e:3d:
87:a8:3d:87:ae:d3:ea:ab:24:dc:46:6c:1d:99:72:
fc:4c:ca:89:fb:9d:68:9d:0a:2e:81:4e:b0:d4:c9:
47:96:60:22:e4:46:47:5f:f5:78:e0:34:15:b6:9e:
cd:b5:e1:4a:fc:5d:1d:2d:0b:b9:c2:cb:5c:71:50:
2b:9c:48:53:65:5b:70:af:04:c6:b7:ca:80:f7:f7:
b1:ee:ce:dc:ae:c4:28:d9:45:b0:87:2f:aa:92:84:
1c:5a:4e:e7:e8:23:c1:b0:63:a0:89:70:67:45:bc:
20:1a:8b:8b:8f:81:54:95:ae:8e:b1:4c:95:1c:15:
a1:52:c7:d1:a1:63:4a:8c:8e:c3:8d:ea:b6:40:e1:
cf:c8:13:90:ca:40:fc:60:f1:20:9e:85:b9:1a:45:
f7:08:eb:1a:f9:a6:f4:f9:1c:b3:a5:b3:09:7f:72:
73:87:fa:93:03:e3:d2:5d:ec:76:75:d2:95:af:76:
95:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:27:77:CC:16:D1:C3:40:D3:E8:29:49:59:34:30:30:EE:F3:7E:3B:8E
DirName:/C=IN/ST=KA/L=Bangalore/O=NA/OU=MN/CN=ABCD
serial:3A:1E:45:AB:A4:0E:B9:C0:28:81:AA:77:44:FF:4C:27:3D:63:0E:4F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
4C:8E:91:B4:1F:A2:88:F8:4D:D5:F9:CE:2B:AA:07:7F:5D:95:F9:18
Signature Algorithm: sha256WithRSAEncryption
84:86:82:78:53:a7:f2:6a:a1:21:2b:d5:53:26:2d:c7:33:17:
7a:d4:33:70:be:36:50:42:aa:a0:52:5a:91:1d:0c:c2:31:72:
11:0b:56:31:27:c5:fa:dc:99:de:9d:db:02:69:5a:37:7c:0c:
8d:b9:7d:3d:75:c8:69:18:32:db:3a:f4:82:c1:3e:7e:e6:b5:
fc:0f:3b:bd:e3:0f:1c:b0:e2:33:fe:e4:99:e7:df:9a:1e:68:
41:8e:b0:16:56:18:8b:7c:14:50:d5:08:ec:96:61:03:55:19:
51:48:8d:17:a0:b9:90:6e:e3:ca:c7:de:75:b5:22:84:f2:4d:
0e:e4:c6:fa:4e:25:f5:20:68:03:ae:5c:43:a8:ce:9e:0e:fe:
e0:c7:ab:16:f1:87:fc:a9:d3:4a:f6:41:90:51:f7:57:01:34:
6f:aa:8f:a4:5d:9c:4c:1e:8d:97:8f:e7:66:5c:3e:dd:b3:83:
f0:84:74:26:37:8b:c4:e2:a6:66:89:ef:db:30:8e:1f:4b:85:
ee:0a:52:46:0c:50:6f:8e:97:68:89:63:60:0e:cc:e6:f2:73:
e8:f4:16:34:37:c3:3e:63:d2:7d:c7:cb:2d:1f:ae:05:e0:30:
0d:ea:af:6a:0f:89:35:cc:1f:6a:af:2b:19:5a:eb:45:1b:24:
b2:ad:fc:71
I don't have much knowledge about generating certificates and this is the first time I am configuring this. Could someone clarify what I am missing?
In fact, your certificate does not have a subjectAltName extension (in the "X509v3 extensions" section). You reference the alt_names section in the v3_req section of openssl.cnf, which may or may not be effective, depending on how you created the certificate. I would suggest finding a better source of instructions for creating a certificate that contains the subjectAltName extension.
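The posted `openssl x509 -text` output lists exactly the extensions of `[ v3_ext ]` and nothing from `[ req_ext ]`, which is the result when a CSR is signed with only the `v3_ext` section applied. The script below is an added example, not from the original post: it assumes an `openssl x509 -req ... -extfile ... -extensions v3_ext` signing step (the question does not show the command) and a throwaway CA, and compares the posted configuration with one that repeats `subjectAltName` in `[ v3_ext ]`.

```shell
#!/usr/bin/env bash
# Added example. File names, the throwaway CA and the signing command are
# assumptions: the question does not show how apiserver.pem was signed.
WORK=$(mktemp -d); IP=192.168.101.101
# node.conf as posted, plus a constructed [ v3_ca ] section for the test CA.
# With "$2" = fixed, subjectAltName is also appended to [ v3_ext ].
write_conf() {
  cat > "$1" <<EOF
[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = $IP
[ v3_ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectKeyIdentifier=hash
EOF
  if [ "$2" = fixed ]; then echo 'subjectAltName = @alt_names' >> "$1"; fi
}
make_ca() {  # $1 = conf
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ABCD" -config "$1" \
    -extensions v3_ca -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}
# The CSR gets [ req_ext ] (with the SAN); "x509 -req" does not copy CSR
# extensions, so the certificate gets only what [ v3_ext ] lists.
issue() {  # $1 = conf, $2 = certificate to write
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=system:apiserver" \
    -config "$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$1" -extensions v3_ext -out "$2" 2>/dev/null
}
csr_has_ip_san()  { openssl req  -in "$1" -noout -text | grep -q "IP Address:$IP"; }
cert_has_ip_san() { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$IP"; }
write_conf "$WORK/posted.conf" posted; write_conf "$WORK/fixed.conf" fixed
make_ca "$WORK/posted.conf"
for c in posted fixed; do
  issue "$WORK/$c.conf" "$WORK/$c.pem"
  csr_has_ip_san "$WORK/$c.pem.csr" && echo "$c CSR:  IP SAN present"
  cert_has_ip_san "$WORK/$c.pem" && echo "$c cert: IP SAN present" || echo "$c cert: no IP SAN"
done
```

Checking the issued certificate rather than the CSR is what matters here: both CSRs carry the IP SAN, but only the certificate signed with the SAN in `[ v3_ext ]` does.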