Problem description
I am trying to configure Kafka with SSL using the openssl and keytool commands. I configured the certificates to accept a specific CN and some alternative names; here is what I did:
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -sha256 -keyout ca-key -out ca-cert -reqexts SAN -extensions SAN -subj '/CN=kafkabroker' -config <(cat /etc/ssl/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:kafkabroker,DNS:kafka-broker,DNS:localhost,DNS:host.docker.internal,IP:127.0.0.1,IP:1.1.1.1, IP:2.2.2.2")
keytool -keystore kafka.server.keystore.jks -alias kafkabroker -validity 365 -genkey -storepass passw -keypass passw -ext SAN=DNS:kafkabroker,DNS:localhost,IP:1.1.1.1,DNS:juliet,DNS:host.docker.internal,IP:2.2.2.2,IP:127.0.0.1
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.server.keystore.jks -alias kafkabroker -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 3650 -CAcreateserial -passin pass:passw
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.server.keystore.jks -alias kafkabroker -import -file cert-signed
keytool -keystore kafka.client.keystore.jks -alias kafkabroker -validity 365 -genkey -storepass passw -keypass passw -ext SAN=DNS:kafkabroker,DNS:localhost,IP:1.1.1.1,DNS:juliet,DNS:host.docker.internal,IP:2.2.2.2,IP:127.0.0.1
keytool -keystore kafka.client.keystore.jks -alias kafkabroker -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 3650 -CAcreateserial -passin pass:passw
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.client.keystore.jks -alias kafkabroker -import -file cert-signed
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert
In a local environment, having the hostname "kafkabroker", it works, but when I run Kafka with the same certificates in another environment which has an IP configured during the certificate creation, it says:
java.security.cert.CertificateException: No subject alternative names present
I don't understand why. I checked the jks files which are the truststore and keystore and I can clearly see the section "alternative names" fully populated with the above names and IP addresses.
Recommended answer
The main problem is that Kafka requires a SAN in the signed SERVER certificate (which is in server.keystore.jks). As I can see, in your request section you do not have SAN names added:
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 3650 -CAcreateserial -passin pass:passw -extfile openssl-sign.cnf -extensions server_cert
Be ready to add/edit your /etc/pki/tls/openssl.cnf (CentOS/RHEL catalog) or /etc/ssl/openssl.cnf (others) - server_cert (or analogue) section. Another way is to create your own copy of openssl.cnf as shown in my example (file openssl-sign.cnf). The server_cert section can be something like this (anywhere in the cnf file):
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Openssl Server generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:kafkabroker,DNS:localhost,IP:1.1.1.1,DNS:juliet,DNS:host.docker.internal,IP:2.2.2.2,IP:127.0.0.1
Then check your results by:
openssl req -text -noout -verify -in cert-file
openssl x509 -text -noout -in cert-signed
And you should see SAN text lines in the x509 extensions.
I'm not sure about the client.keystore - you create another pair with other certs with the same names. Try the server.keystore.jks check first.
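The mechanism the answer describes, as an added example that is not from the original question or answer: the same CSR is signed twice, once as in the question and once with -extfile/-extensions as in the answer, and each signed certificate is checked for a Subject Alternative Name. It builds a throwaway CA and server key on the spot (constructed test data, names taken from the question) and uses the `-addext` option of `openssl req`, which needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post. `openssl x509 -req` does not carry
# the extensions of the CSR into the signed certificate; the SAN has to be
# supplied again at signing time with -extfile/-extensions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA plus a CSR that itself carries a SAN (constructed test data).
make_ca_and_csr() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 -subj '/CN=Test CA' \
    -keyout "$WORK/ca-key" -out "$WORK/ca-cert" >/dev/null 2>&1
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj '/CN=kafkabroker' \
    -addext 'subjectAltName=DNS:kafkabroker,DNS:localhost,IP:127.0.0.1' \
    -keyout "$WORK/server-key" -out "$WORK/cert-file" >/dev/null 2>&1
  # The answer's [ server_cert ] section, reduced to what matters here.
  cat > "$WORK/openssl-sign.cnf" <<'EOF'
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:kafkabroker,DNS:localhost,IP:127.0.0.1
EOF
}

# sign_csr MODE: "plain" repeats the question's signing command, "extfile" adds
# the answer's fix. Prints "present" or "absent" for the SAN in the result.
sign_csr() {
  mode=$1
  out="$WORK/cert-signed-$mode"
  if [ "$mode" = extfile ]; then
    openssl x509 -req -CA "$WORK/ca-cert" -CAkey "$WORK/ca-key" -in "$WORK/cert-file" \
      -out "$out" -days 1 -CAcreateserial \
      -extfile "$WORK/openssl-sign.cnf" -extensions server_cert >/dev/null 2>&1
  else
    openssl x509 -req -CA "$WORK/ca-cert" -CAkey "$WORK/ca-key" -in "$WORK/cert-file" \
      -out "$out" -days 1 -CAcreateserial >/dev/null 2>&1
  fi
  # Same check as the answer's "openssl x509 -text -noout", reduced to a grep.
  if openssl x509 -in "$out" -noout -text | grep -q 'Subject Alternative Name'; then
    echo present
  else
    echo absent
  fi
}

make_ca_and_csr
echo "SAN without -extfile: $(sign_csr plain)"
echo "SAN with    -extfile: $(sign_csr extfile)"
```

Whichever OpenSSL version you run, the `extfile` line must report `present`; that is the certificate to import into server.keystore.jks.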
That concludes this article on "X509 SSL: No name matching <hostname> found"; we hope the recommended answer helps everyone, and thank you for your continued support!