主页 / dba / 问题 / 217802
Accepted
Mikey A. Leonetti
Asked: 2018-09-18 06:46:14 +0800 CST

将真实证书与 rethinkdb 证书链捆绑包一起使用

  • 772

我知道 rethinkdb 指南使用自签名证书作为示例。如果我想使用我购买的真实证书,如何将捆绑包添加到服务器 conf?我将购买的证书和密钥添加到配置中:

driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt

Openssl s_client 给了我以下内容

Verify return code: 21 (unable to verify the first certificate)

以此作为证书链:

depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

我怎样才能正确使用这个证书?

nosql ssl

1 个回答

  1. Best Answer

    傻我。我缺少--driver-tls-ca选项。我在 rethinkdb 手册 (man rethinkdb) 中找到了它。

    TLS options:

  --http-tls-key key_filename                 private key to use for web
                                              administration console TLS
  --http-tls-cert cert_filename               certificate to use for web
                                              administration console TLS
  --driver-tls-key key_filename               private key to use for client driver
                                              connection TLS
  --driver-tls-cert cert_filename             certificate to use for client driver
                                              connection TLS
  --driver-tls-ca ca_filename                 CA certificate bundle used to verify
                                              client certificates; TLS client
                                              authentication disabled if omitted
  --cluster-tls-key key_filename              private key to use for intra-cluster
                                              connection TLS
  --cluster-tls-cert cert_filename            certificate to use for intra-cluster
                                              connection TLS
  --cluster-tls-ca ca_filename                CA certificate bundle used to verify
                                              cluster peer certificates

    我在我的 rethinkdb 实例 conf 文件中设置它:

    # TLS stuff
driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt
driver-tls-ca=/etc/ssl/star.cert.ca-bundle

    一切都按预期进行。openssl s_client 返回正确的 0 (ok) 代码。

    编辑说明: 尽管使用 rethinkdb 转储实用程序看起来没有 ca 选项,所以我无论如何都不能使用真正的证书。

    • 0

相关问题