Nosql

Using a real certificate bundle with the rethinkdb certificate chain

  • September 19, 2018

I know the rethinkdb guide uses a self-signed certificate as its example. If I want to use a real certificate that I purchased, how do I add the bundle to the server configuration? I added the purchased certificate and key to the configuration:

driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt

Openssl s_client gives me the following:

Verify return code: 21 (unable to verify the first certificate)

with this as the certificate chain:

depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
  i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

How do I use this certificate correctly?

Silly me. I was missing the **--driver-tls-ca** option. I found it in the rethinkdb manual (man rethinkdb).

TLS options:

 --http-tls-key key_filename                 private key to use for web
                                             administration console TLS
 --http-tls-cert cert_filename               certificate to use for web
                                             administration console TLS
 --driver-tls-key key_filename               private key to use for client driver
                                             connection TLS
 --driver-tls-cert cert_filename             certificate to use for client driver
                                             connection TLS
 --driver-tls-ca ca_filename                 CA certificate bundle used to verify
                                             client certificates; TLS client
                                             authentication disabled if omitted
 --cluster-tls-key key_filename              private key to use for intra-cluster
                                             connection TLS
 --cluster-tls-cert cert_filename            certificate to use for intra-cluster
                                             connection TLS
 --cluster-tls-ca ca_filename                CA certificate bundle used to verify
                                             cluster peer certificates

I set it in the conf file of my rethinkdb instance:

# TLS stuff
driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt
driver-tls-ca=/etc/ssl/star.cert.ca-bundle

Everything works as expected. openssl s_client returns the correct code 0 (ok).

Edit note: while using the rethinkdb dump utility, it doesn't seem to have a ca option, so I can't use a real certificate anyway.
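A small diagnostic for the kind of openssl s_client output quoted above, added here as an example; it is not part of the original question or answer and not rethinkdb code. It parses the "Certificate chain" section (the `s:`/`i:` subject and issuer lines) and the "Verify return code" line, and tells apart a server that presents only the leaf certificate (code 21, the situation in the question) from a properly linked chain whose top issuer is simply not in the client's trust store (code 20), or a chain that verifies (code 0). Both sample outputs are constructed: the first reproduces the output shown in the question, the second is a constructed complete chain with a made-up root name.

```python
import re

# Constructed sample 1: the s_client output quoted in the question (leaf only).
INCOMPLETE_CHAIN = """\
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample 2: a complete chain (leaf + intermediate) that verifies.
# The root CA name is a placeholder for this example.
COMPLETE_CHAIN = """\
depth=2 C = GB, O = COMODO CA Limited, CN = Example Root CA
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/O=COMODO CA Limited/CN=Example Root CA
---
    Verify return code: 0 (ok)
"""

# Tolerate the leading whitespace s_client prints before the index and the "i:" line.
CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(?P<subject>.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(?P<issuer>.*)$")
VERIFY_CODE = re.compile(r"Verify return code:\s*(\d+)\s*\((?P<reason>[^)]*)\)")


def parse_chain(output):
    """Return the certificates the server presented, in order, as (subject, issuer) pairs."""
    chain = []
    subject = None
    for line in output.splitlines():
        m = CHAIN_ENTRY.match(line)
        if m:
            subject = m.group("subject").strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group("issuer").strip()))
            subject = None
    return chain


def verify_code(output):
    """Return the numeric 'Verify return code' from s_client output, or None if absent."""
    m = VERIFY_CODE.search(output)
    return int(m.group(1)) if m else None


def chain_is_linked(chain):
    """True when each certificate's issuer is the subject of the next one presented."""
    return all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))


def diagnose(output):
    """Classify the s_client result as (category, explanation)."""
    chain = parse_chain(output)
    code = verify_code(output)
    if code == 0:
        return ("ok", "chain verified against the local trust store")
    if not chain:
        return ("no-chain", "no 'Certificate chain' section found in the output")
    if not chain_is_linked(chain):
        return ("misordered", "presented certificates do not form a subject/issuer chain")
    if len(chain) == 1 or code == 21:
        # Code 21 means the verifier could not go past the first (leaf) certificate:
        # the server did not include the intermediate that issued it.
        return ("missing-intermediate",
                "server presented only the leaf; its issuer was not sent in the handshake: "
                + chain[0][1])
    # A linked chain that still fails with code 20: the top issuer is not a known trust anchor.
    return ("untrusted-root",
            "chain is linked but the top issuer is not in the client's CA bundle: "
            + chain[-1][1])


if __name__ == "__main__":
    for name, sample in (("question output", INCOMPLETE_CHAIN), ("complete chain", COMPLETE_CHAIN)):
        category, detail = diagnose(sample)
        print(f"{name}: {category} - {detail}")
```

To use it against a live server, pipe `openssl s_client -connect host:port -showcerts </dev/null` into `diagnose`; the categories map directly onto the fix: `missing-intermediate` is a server-side chain problem, `untrusted-root` is a client-side trust-store problem.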

Quoted from: https://dba.stackexchange.com/questions/217802