Docker cannot validate certificate for [docker host] because it doesn't contain any IP SANs

Problem description

Here is the situation: I want to enable TLS on my Docker host, so I read the documentation Protect the Docker daemon socket and tried to generate the certificates. Everything went fine, and I put the list of client IPs into extfile.cnf, but I get the following error:

error during connect: Get https://xx:2376/v1.38/info: x509: cannot validate certificate for xx because it doesn't contain any IP SANs

I think I just ran the correct commands as the documentation says.


Docker version

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:23:03 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:25:29 2018
  OS/Arch:          linux/amd64
  Experimental:     false

CA certificate:

[root] openssl x509 -noout -text -in ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XX, L=Default City, O=Default Company Ltd, CN=[HOSTNAME]
        Validity
            Not Before: Apr 22 07:25:45 2020 GMT
            Not After : Apr 22 07:25:45 2021 GMT
        Subject: C=XX, L=Default City, O=Default Company Ltd, CN=[HOSTNAME]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    ------------------
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ------------------
            X509v3 Authority Key Identifier:
                keyid:------------------

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         ------------------

Server certificate:

[root] openssl x509 -noout -text -in server-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XX, L=Default City, O=Default Company Ltd, CN=[HOSTNAME]
        Validity
            Not Before: Apr 22 07:27:01 2020 GMT
            Not After : Apr 22 07:27:01 2021 GMT
        Subject: CN=[HOSTNAME]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:----------------
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:[HOSTNAME], IP Address:10.10.10.20, IP Address:127.0.0.1, IP Address:----------------
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption ----------------

Tags: docker, openssl, tls1.2
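A check worth running against the `openssl x509 -text` output above, added here as an example and not part of the original question: it parses the Subject Alternative Name line and applies the host-matching rule the Docker client inherits from Go's crypto/x509 (an IP given in DOCKER_HOST or -H must appear as an IP SAN; the CN and DNS SANs never satisfy an IP target), which is what produces the error text in the question. The certificate text and the hostname dockerhost.example are constructed from the question's output; the target is the bare host from the tcp:// URL.

```python
import ipaddress
import re

# Constructed sample: the SAN section as printed by `openssl x509 -noout -text`,
# modelled on the server-cert.pem in the question (third IP elided there).
SAMPLE_OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:dockerhost.example, IP Address:10.10.10.20, IP Address:127.0.0.1
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""


def parse_sans(openssl_text):
    """Return (dns_names, ip_addresses) from the SAN section of openssl -text output."""
    m = re.search(r"Subject Alternative Name:\s*(.+)", openssl_text)
    if not m:
        return [], []
    dns, ips = [], []
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_matches(pattern, host):
    """Wildcard matching as Go's crypto/x509 does it: '*' only as the whole leftmost label."""
    p, h = pattern.split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def explain_host_check(openssl_text, target):
    """Mimic the Docker client's (Go's) verification of the host against the server cert."""
    dns, ips = parse_sans(openssl_text)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is never matched against the CN or DNS SANs; it needs an IP SAN.
        if not ips:
            return f"x509: cannot validate certificate for {target} because it doesn't contain any IP SANs"
        if ip in ips:
            return "ok"
        return f"x509: certificate is valid for {', '.join(map(str, ips))}, not {target}"
    if any(dns_matches(d, target) for d in dns):
        return "ok"
    return f"x509: certificate is valid for {', '.join(dns)}, not {target}"
```

If the certificate shown in the question is really the one the daemon serves, the error means the client is connecting to an address that is not in the IP SAN list, so compare the host in DOCKER_HOST against the output of this check.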
