你好,你的openssl 版本是多少?
你好,你的openssl 版本是多少?
@aokaokd 我是在capsule-manager容器和capsule-manager-sdk容器中生成的tls证书,capsule-manager容器中版本号是
(base) root@ubuntu:/home/admin# openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
capsule-manager-sdk容器中版本号为
(capsule-manager-sdk) root@ubuntu:/home/data# openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
# Server CA: self-signed (-x509), RSA-3072, SHA-256, valid 365 days; -nodes leaves
# the private key unencrypted on disk.
# NOTE(review): this produces a *CA* certificate (CN=server-ca). The config.yaml
# later in this thread points server_cert_path at this very file, whereas the
# example config uses a separate server_cert.crt / server_key.key; presumably a
# leaf certificate issued by this CA is what the server expects, and the CA key
# should not double as the TLS server key — confirm against the docs.
res_dir="capsule-manager/resources"
subj_base="/C=NL/ST=Zuid Holland/L=Rotterdam/O=ACME Corp/OU=IT Dept"

openssl req -nodes -x509 -sha256 -newkey rsa:3072 -days 365 \
  -subj "${subj_base}/CN=server-ca" \
  -keyout "${res_dir}/server_ca_key.key" \
  -out "${res_dir}/server_ca_cert.crt"

# Client CA: same parameters, a distinct key pair, CN=client-ca.
openssl req -nodes -x509 -sha256 -newkey rsa:3072 -days 365 \
  -subj "${subj_base}/CN=client-ca" \
  -keyout "${res_dir}/client_ca_key.key" \
  -out "${res_dir}/client_ca_cert.crt"
# Example TLS wiring quoted in this thread: a server certificate with its key,
# plus the client CA certificate. Note the file names differ from the CA files
# generated by the openssl commands above (server_ca_cert.crt / server_ca_key.key):
# the CA certificate is not used as the server certificate here.
enable_tls: true
server_cert_path: capsule-manager/resources/server_cert.crt
server_cert_key_path: capsule-manager/resources/server_key.key
client_ca_cert_path: capsule-manager/resources/client_ca_cert.crt
@aokaokd 我在开启服务的时候已经执行了 /
(base) root@localhost:/home/admin# ./capsule_manager --server-cert-key-path /home/admin/resources/candy_server_key.key \
--server-cert-path /home/admin/resources/candy_server_cert.crt \
--client-ca-cert-path /home/admin/resources/client_ca --port 9999
服务显示
(base) root@localhost:/home/admin# ./capsule_manager --server-cert-key-path /home/admin/resources/candy_server_key.key \
--server-cert-path /home/admin/resources/candy_server_cert.crt \
--client-ca-cert-path /home/admin/resources/client_ca --port 9999
config Config {
port: Some(
9999,
),
log_config: LogConfig {
log_dir: Some(
"log",
),
log_level: Some(
"info",
),
enable_console_logger: Some(
true,
),
},
scheme: Some(
"RSA",
),
storage_backend: Some(
"inmemory",
),
server_cert_path: Some(
"/home/admin/resources/candy_server_cert.crt",
),
server_cert_key_path: Some(
"/home/admin/resources/candy_server_key.key",
),
client_ca_cert_path: Some(
"/home/admin/resources/client_ca",
),
enable_tls: Some(
true,
),
mode: Some(
"simulation",
),
}
ST, HZ
O, AntGroup
OU, SecretFlow
C, CN
L, HZ
CN, CapsuleManager
[2024-07-11T07:23:47.933962192+00:00] [capsule_manager] [INFO] Server run at: 0.0.0.0:9999 mode Some("simulation")
这一步是不是已经自动修改了config文件,而不是使用了config.yaml? 我按照你给的例子在capsule_manager容器中执行了上述命令,生成了服务器 CA 证书和客户端 CA 证书,同时修改了config.yaml如下
# Copyright 2023 Ant Group Co., Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Runtime settings for capsule_manager (the keys mirror the Config dump the
# server prints at startup).
port: 9999  # listening port

log_config:
  log_dir: '/home/admin/log'  # directory for log files
  log_level: 'info'  # one of info/debug/warn/error
  enable_console_logger: true  # whether log output is also printed to the terminal

scheme: 'RSA'  # asymmetric key generation method: SM2 or RSA
storage_backend: 'inmemory'  # backend storage: inmemory or remote

# TLS material.
# NOTE(review): server_cert_path / server_cert_key_path point at the files
# produced by the `openssl req -x509 ... -subj ".../CN=server-ca"` command
# earlier in this thread, i.e. the self-signed *CA* certificate and its private
# key, while the example config uses a separate server_cert.crt / server_key.key.
# Presumably a server leaf certificate issued by that CA belongs here, and the
# CA private key should not double as the TLS server key — confirm against the
# capsule-manager docs.
server_cert_path: '/home/admin/resources/server_ca_cert.crt'  # server certificate
server_cert_key_path: '/home/admin/resources/server_ca_key.key'  # server private key
# NOTE(review): the original comment calls this a directory, but a single .crt
# file is given (the CLI invocations in this thread pass a path with no
# extension); confirm whether the server expects a file or a directory.
client_ca_cert_path: '/home/admin/resources/client_ca_cert.crt'  # client CA certificate
enable_tls: true  # enable TLS
# NOTE(review): the startup dump in this thread shows log_dir "log", not
# /home/admin/log, which suggests this file was not the config in effect when
# the server was started with explicit --server-cert-* flags; verify how the
# config file is passed to the binary.
执行
(base) root@localhost:/home/admin# ./capsule_manager --server-cert-key-path /home/admin/resources/candy_server_key.key \
--server-cert-path /home/admin/resources/candy_server_cert.crt \
--client-ca-cert-path /home/admin/resources/client_ca --port 9999
服务显示
(base) root@localhost:/home/admin# ./capsule_manager --server-cert-key-path /home/admin/resources/candy_server_key.key \
--server-cert-path /home/admin/resources/candy_server_cert.crt \
--client-ca-cert-path /home/admin/resources/client_ca --port 9999
config Config {
port: Some(
9999,
),
log_config: LogConfig {
log_dir: Some(
"log",
),
log_level: Some(
"info",
),
enable_console_logger: Some(
true,
),
},
scheme: Some(
"RSA",
),
storage_backend: Some(
"inmemory",
),
server_cert_path: Some(
"/home/admin/resources/candy_server_cert.crt",
),
server_cert_key_path: Some(
"/home/admin/resources/candy_server_key.key",
),
client_ca_cert_path: Some(
"/home/admin/resources/client_ca",
),
enable_tls: Some(
true,
),
mode: Some(
"simulation",
),
}
ST, HZ
O, AntGroup
OU, SecretFlow
C, CN
L, HZ
CN, CapsuleManager
[2024-07-11T07:23:47.933962192+00:00] [capsule_manager] [INFO] Server run at: 0.0.0.0:9999 mode Some("simulation")
再次执行还是同样的问题,没有解决。 能否指出一下我的哪一步有问题
好的,你的openssl服务端和客户端小版本不一致,确保一致后再试下呢
@aokaokd capsule-manager和capsule-manager-sdk这两个镜像都是根据文档中下载的,https://www.secretflow.org.cn/zh-CN/docs/trustedflow/0.3.0b0/quick_start/step2 也有openssl版本的问题吗?请问一下你们在测试的时候所用的openssl版本能提供一下吗?或者能否提供一个使用自签名的简易教程? 使用上述自签名证书的方式,我是可以在secretflow中成功实现tls通讯的。
@aokaokd 小版本一致后,也是有这个问题
场景:在一台机器里使用仿真模式部署CapsuleManager并启用,同时在同一台机器中,使用仿真模式启用了capsule-manager-sdk容器
并在该容器中上传密钥。 不开启tls模式时,在capsule-manager-sdk容器中可以成功上传密钥,当开启tls时,发生以下错误:
以下是我开启tls的执行步骤: 1.首先为capsule-manager生成自签名证书生成脚本如下:
得到candy_server_key.key以及 candy_server_cert.crt 文件 2.在capsule-manager-sdk容器中生成自签名证书,脚本如下:
得到alice_server_key.key以及 alice_server_cert.crt 文件 3.将capsule-manager-sdk容器中生成的alice_server_cert.crt与capsule-manager中生成的 candy_server_cert.crt 进行交换 4.在capsule-manager容器中执行以下命令
成功开启服务
5.修改alice.yaml文件 tls配置如下:
并执行上传命令cms --config-file alice.yaml register-data-keys 出现上述错误