Open tzfun opened 1 week ago
@leaf-rain After testing I have reproduced your problem. My guess is that your certificate was generated without the correct IP configured: when connecting to etcd from a Docker container, if the IP is not in the certificate's IP list, the following error appears:
{"level":"warn","ts":"2024-09-10T18:47:18.252+0800","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"192.168.0.161:54921","server-name":"","error":"remote error: tls: unknown certificate"}
For example, if the IP of the Docker container running etcd-workbench is 192.168.0.161, that IP needs to be added to the IP list when generating the etcd certificate. Below is the script I use to generate test certificates, for reference only:
#!/bin/bash -x
export NAME1=etcd01
export ADDRESS1=192.168.0.161
days=3650
cat > openssl.conf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME1
IP.1 = 127.0.0.1
IP.2 = $ADDRESS1
EOF
# Prepare the CA certificate (each step is skipped if its output already exists)
[ -f ca.key ] || openssl genrsa -out ca.key 2048
[ -f ca.crt ] || openssl req -x509 -new -nodes -key ca.key -subj "/CN=etcd-ca" -days ${days} -out ca.crt
# Create the etcd client certificate, signed by the CA with the v3_req extensions (SAN list) from openssl.conf
[ -f client.key ] || openssl genrsa -out client.key 2048
[ -f client.csr ] || openssl req -new -key client.key -subj "/CN=etcd-client" -out client.csr -config openssl.conf
[ -f client.crt ] || openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days ${days} -extensions v3_req -extfile openssl.conf
# Create the certificate for peer traffic between etcd cluster members
[ -f peer.key ] || openssl genrsa -out peer.key 2048
[ -f peer.csr ] || openssl req -new -key peer.key -subj "/CN=etcd-peer" -out peer.csr -config openssl.conf
[ -f peer.crt ] || openssl x509 -req -sha256 -in peer.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out peer.crt -days ${days} -extensions v3_req -extfile openssl.conf
After the certificates are configured, restart etcd and connect again; it should work.
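The check a practitioner wants before pointing a container at etcd is whether the address involved actually appears in the certificate's subjectAltName, and whether the certificate chains to the CA that etcd trusts. The script below is an added example written for this issue, not code from etcd-workbench or from either participant; it assumes only the openssl CLI and builds its own constructed throwaway CA and client certificate (SAN IPs 127.0.0.1 and 192.168.0.161, the container address discussed above) so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the etcd-workbench project or from the thread:
# helpers to inspect a certificate's subjectAltName for a given IP and to
# confirm the certificate chains to the CA, before connecting a container to etcd.
# Assumes only the openssl CLI; all certificate and IP values are constructed.

# Print every IP entry of the certificate's subjectAltName, one per line.
cert_san_ips() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*IP Address:\([0-9A-Fa-f.:]*\).*/\1/p'
}

# Exit 0 if IP $2 is listed in the subjectAltName of certificate $1.
san_has_ip() {
    cert_san_ips "$1" | grep -qxF "$2"
}

# Exit 0 if certificate $2 verifies against CA file $1 (the same trust check
# etcd performs with --trusted-ca-file when --client-cert-auth is on).
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a constructed throwaway CA and client certificate in a temp dir.
# The client cert carries SAN IPs 127.0.0.1 and 192.168.0.161; prints the dir.
make_demo_certs() {
    dir=$(mktemp -d)
    cat > "$dir/san.conf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = etcd-client
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:etcd01, IP:127.0.0.1, IP:192.168.0.161
EOF
    # Self-signed CA with explicit CA extensions (independent of the system openssl.cnf)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=etcd-ca" -days 1 \
        -config "$dir/san.conf" -extensions v3_ca >/dev/null 2>&1
    # Client key + CSR, then sign it with the SAN extensions applied
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -config "$dir/san.conf" >/dev/null 2>&1
    openssl x509 -req -sha256 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" -days 1 \
        -extensions v3_req -extfile "$dir/san.conf" >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh check_san.sh <cert.pem> <ca.pem> <ip-to-check>
if [ $# -eq 3 ]; then
    if san_has_ip "$1" "$3" && cert_signed_by "$2" "$1"; then
        echo "OK: $3 is in the SAN of $1 and it chains to $2"
    else
        echo "FAIL: $3 is missing from the SAN of $1, or the chain check failed" >&2
        echo "SAN IPs present in $1:" >&2
        cert_san_ips "$1" >&2
        exit 1
    fi
fi
```

Run it as `sh check_san.sh client.crt ca.crt 192.168.0.161` against the real files: a FAIL listing the SAN IPs that are present tells you immediately whether the certificate needs to be regenerated with the container address added, without guessing from the etcd log alone. The parsing goes through `openssl x509 -text` rather than `-ext subjectAltName` so it works on older OpenSSL releases as well.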
Oh, okay, thanks a lot. I'll take another look later; this etcd's certificate was generated automatically when the cluster was set up with Rancher, so I'll look into how that certificate is generated.
In my own scenarios I usually don't connect to etcd directly. You could try the SSH tunnel option: SSH to a host that the certificate allows and forward the connection through it.
I've run into a problem: logging in with the key files doesn't seem to work, on the latest Docker version. But running etcdctl --cacert=/home/rain/soft/etcd/cacrt/server-ca.crt --cert=/home/rain/soft/etcd/cacrt/client.crt --key=/home/rain/soft/etcd/cacrt/client.key --endpoints=https://127.0.0.1:2379 put key value locally works fine. I wonder whether you have run into this before.
Originally posted by @leaf-rain in https://github.com/tzfun/etcd-workbench/issues/35#issuecomment-2340017180