tzfun / etcd-workbench

A beautiful and lightweight ETCD V3 client. Provides App and Web packages. Supports SSL and SSH Tunnel connections.
https://tzfun.github.io/etcd-workbench/
Apache License 2.0
66 stars, 8 forks

Cannot connect to etcd over https from docker #36

Open tzfun opened 1 week ago

tzfun commented 1 week ago

I've run into a problem here: I don't seem to be able to log in with these keys, on the latest Docker version of etcd. But running etcdctl --cacert=/home/rain/soft/etcd/cacrt/server-ca.crt --cert=/home/rain/soft/etcd/cacrt/client.crt --key=/home/rain/soft/etcd/cacrt/client.key --endpoints=https://127.0.0.1:2379 put key value locally works without any problem. I wonder whether you have come across this.

Originally posted by @leaf-rain in https://github.com/tzfun/etcd-workbench/issues/35#issuecomment-2340017180

tzfun commented 1 week ago

@leaf-rain After testing I reproduced your problem. My guess is that the certificate was generated without the correct IP configured. When connecting to etcd from the docker container, if the IP is not in the certificate's list, you get the following error message:

{"level":"warn","ts":"2024-09-10T18:47:18.252+0800","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"192.168.0.161:54921","server-name":"","error":"remote error: tls: unknown certificate"}

For example, if the IP of the docker container running etcd-workbench is 192.168.0.161, that IP needs to be added to the IP list when generating the etcd certificate. Below is the certificate-generation script I used for testing, for reference only:

#!/bin/bash -x
# Generates a CA plus client and peer certificates whose SAN list contains the
# etcd host name and the IPs that clients will dial (127.0.0.1 and the Docker host IP).

export NAME1=etcd01
export ADDRESS1=192.168.0.161

days=3650

# OpenSSL config: the v3_req section adds the SAN list to every issued certificate
cat > openssl.conf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME1
IP.1 = 127.0.0.1
IP.2 = $ADDRESS1
EOF

# Prepare the CA certificate (self-signed; existing files are reused)
[ -f ca.key ] || openssl genrsa -out ca.key 2048
[ -f ca.crt ] || openssl req -x509 -new -nodes -key ca.key -subj "/CN=etcd-ca" -days ${days} -out ca.crt

# Create the etcd client certificate, signed by the CA with the v3_req extensions (SANs)
[ -f client.key ] || openssl genrsa -out client.key 2048
[ -f client.csr ] || openssl req -new -key client.key -subj "/CN=etcd-client" -out client.csr -config openssl.conf
[ -f client.crt ] || openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days ${days} -extensions v3_req -extfile openssl.conf

# Create the certificate used between etcd cluster peers, same SAN list
[ -f peer.key ] || openssl genrsa -out peer.key 2048
[ -f peer.csr ] || openssl req -new -key peer.key -subj "/CN=etcd-peer" -out peer.csr -config openssl.conf
[ -f peer.crt ] || openssl x509 -req -sha256 -in peer.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out peer.crt -days ${days} -extensions v3_req -extfile openssl.conf

After the certificates are configured, restart etcd and connect again; it should work.
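The rule behind the SAN advice in the comment above, as an added example (not code from etcd-workbench, etcd, or the comment's author): a TLS client checks the server certificate against the endpoint address it dials, so whatever address is reachable from the container (the host IP 192.168.0.161 here rather than 127.0.0.1) has to appear as an IP SAN. The block below generates two self-signed test certificates inline (constructed input, standing in for the CA-signed ones the script produces) and runs Go's standard hostname check, the same rule crypto/tls applies, against both. generateTestCert, SubjectAltNames and EndpointCovered are names chosen for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// generateTestCert builds a self-signed certificate carrying the given DNS and IP
// SANs. Hypothetical helper used only to construct inline test input; a real
// deployment uses the CA-signed certificates from the script above.
func generateTestCert(cn string, dnsNames, ips []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var ipAddrs []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP address %q", s)
		}
		ipAddrs = append(ipAddrs, ip)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
		IPAddresses:           ipAddrs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// parsePEMCert decodes the first CERTIFICATE block in pemBytes.
func parsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SubjectAltNames lists the DNS and IP SANs of a PEM certificate, which is what
// to compare against the --endpoints address when a connection is rejected.
func SubjectAltNames(pemBytes []byte) ([]string, error) {
	cert, err := parsePEMCert(pemBytes)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, d := range cert.DNSNames {
		out = append(out, "DNS:"+d)
	}
	for _, ip := range cert.IPAddresses {
		out = append(out, "IP:"+ip.String())
	}
	return out, nil
}

// EndpointCovered reports whether a TLS client dialing host would accept the
// certificate's name. It uses x509.Certificate.VerifyHostname, which matches an
// IP host only against IP SANs and a DNS host only against DNS SANs.
func EndpointCovered(pemBytes []byte, host string) (bool, error) {
	cert, err := parsePEMCert(pemBytes)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	narrow, err := generateTestCert("etcd01", []string{"etcd01"}, []string{"127.0.0.1"})
	if err != nil {
		panic(err)
	}
	wide, err := generateTestCert("etcd01", []string{"etcd01"}, []string{"127.0.0.1", "192.168.0.161"})
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		pem  []byte
	}{{"127.0.0.1 only", narrow}, {"127.0.0.1 + 192.168.0.161", wide}} {
		sans, _ := SubjectAltNames(c.pem)
		fmt.Printf("cert %-26s SANs=%v\n", c.name, sans)
		for _, host := range []string{"127.0.0.1", "192.168.0.161", "etcd01"} {
			ok, _ := EndpointCovered(c.pem, host)
			fmt.Printf("  endpoint %-14s covered=%v\n", host, ok)
		}
	}
}
```

The first certificate is accepted for 127.0.0.1 but not for 192.168.0.161, which is the situation the etcdctl-on-localhost versus in-container comparison describes; the second, carrying both IPs as the script's alt_names section does, is accepted for either. The same comparison can be made on a real file with openssl x509 -in server.crt -noout -text and reading the X509v3 Subject Alternative Name line.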

leaf-rain commented 1 week ago

Oh, OK, thanks a lot. I'll take another look later, since this etcd uses the certificate that rancher generated automatically when it set up the cluster. I'll look into how that certificate was generated.

tzfun commented 1 week ago

In my scenarios I usually don't connect to etcd directly. You could try the SSH tunnel option, forwarding the connection through SSH to a host that the certificate allows.