Nosql
Using a real (purchased) certificate together with its certificate chain bundle in rethinkdb
I know the rethinkdb guide uses a self-signed certificate as its example. If I want to use a real certificate that I purchased, how do I add the bundle to the server configuration? I added the purchased certificate and key to the configuration:

```
driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt
```
openssl s_client gives me the following:

```
Verify return code: 21 (unable to verify the first certificate)
```
with this as the certificate chain:

```
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
```
How do I use this certificate correctly?
Silly me. I was missing the **--driver-tls-ca** option. I found it in the rethinkdb manual (man rethinkdb):

```
TLS options:
  --http-tls-key key_filename       private key to use for web administration console TLS
  --http-tls-cert cert_filename     certificate to use for web administration console TLS
  --driver-tls-key key_filename     private key to use for client driver connection TLS
  --driver-tls-cert cert_filename   certificate to use for client driver connection TLS
  --driver-tls-ca ca_filename       CA certificate bundle used to verify client certificates;
                                    TLS client authentication disabled if omitted
  --cluster-tls-key key_filename    private key to use for intra-cluster connection TLS
  --cluster-tls-cert cert_filename  certificate to use for intra-cluster connection TLS
  --cluster-tls-ca ca_filename      CA certificate bundle used to verify cluster peer certificates
```
I set it in the conf file of my rethinkdb instance:

```
# TLS stuff
driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt
driver-tls-ca=/etc/ssl/star.cert.ca-bundle
```
Everything works as expected. openssl s_client now returns the correct 0 (ok) code.
Edit note: When using the rethinkdb dump utility, though, it does not appear to have a ca option, so I can't use the real certificate there anyway.
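Added example, not code from the original post or from RethinkDB. It reproduces the verify failure shown in the question with a locally generated three-tier chain (root CA, intermediate CA, wildcard leaf; all names such as Example Root CA and *.example.com are made up) and shows what makes verification pass. Two points worth keeping in mind next to the self-answer: the man page excerpt above describes --driver-tls-ca as the bundle used to verify *client* certificates (it turns on TLS client authentication), while the error 20/21 that s_client reports is about the *server* not presenting its intermediate. With OpenSSL-based servers the usual remedy is to put the leaf first and the intermediate(s) after it in the one PEM file handed over as the server certificate; that RethinkDB's driver-tls-cert accepts such a bundle is an assumption here, so confirm it against the running server with the s_client check given after the script.

```sh
#!/bin/sh
# Added example (not from the original post or from RethinkDB). Builds a
# throwaway chain: root CA -> intermediate CA -> wildcard leaf. Every name
# below is made up. Requires the openssl CLI (1.1.1 or newer) and mktemp.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

# Root CA, self-signed. Extensions come only from the -extfile, so the result
# does not depend on whatever openssl.cnf the host ships.
q openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
q openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt

# Intermediate CA, signed by the root (the role COMODO's DV CA plays above).
q openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA"
q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.crt

# Leaf: the wildcard server certificate, signed by the intermediate.
q openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=*.example.com"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.com\n' > leaf.ext
q openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.crt

# Case 1: the trust store holds the root, but only the leaf is available.
# This is the client's view when the server sends the leaf alone: depth 0
# fails with "unable to get local issuer certificate" (error 20), the same
# state s_client summarises as return code 21. Returns non-zero.
verify_leaf_only() {
    openssl verify -CAfile root.crt leaf.crt 2>&1 || return 1
}

# Case 2: the intermediate is supplied as an untrusted chain certificate,
# which is what a server that sends its full chain provides on the wire.
verify_with_intermediate() {
    openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1
}

# The bundle a server hands to its TLS stack: leaf first, then the
# intermediate(s). The root is left out; clients already hold it.
build_fullchain() {
    cat leaf.crt int.crt > fullchain.crt
}

# Number of PEM certificates in the bundle (2 here).
count_fullchain_certs() {
    build_fullchain
    grep -c 'BEGIN CERTIFICATE' fullchain.crt
}

# Subject/issuer of every certificate in the bundle, in file order, so the
# leaf-first ordering can be checked before the file is deployed.
list_fullchain() {
    build_fullchain
    openssl crl2pkcs7 -nocrl -certfile fullchain.crt | openssl pkcs7 -print_certs -noout
}

# The bundle itself is enough untrusted material to complete the chain,
# which is exactly what a client does with the certificates a server sends.
verify_with_fullchain() {
    build_fullchain
    openssl verify -CAfile root.crt -untrusted fullchain.crt leaf.crt >/dev/null 2>&1
}

verify_leaf_only || echo "leaf alone does not verify (expected)"
verify_with_intermediate && echo "leaf + intermediate: OK"
verify_with_fullchain && echo "leaf verified using fullchain.crt: OK"
list_fullchain
```

Against a live server the equivalent check is `openssl s_client -connect host:28015 -servername host -showcerts -CAfile /path/to/root.pem </dev/null` (28015 is RethinkDB's default driver port): once the server presents its chain, the "Certificate chain" section lists depth 1 (the intermediate) as well as depth 0, and the verify return code is 0 without any intermediate having to be installed on the client.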