openssl genrsa -out private.key 2048
openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=CN/ST=bj/L=oct/O=com/CN=192.168.1.10"
上面IP是本機IP
生成自簽名證書
minio/docs/tls at master · minio/minio · GitHub
生成後啟動minio
minio server http://127.0.0.1/Users/xxx/miniocluster/disk{1...4} --certs-dir /Users/xxx/Desktop/tls --console-address :9001 --address :9000
可以通路minio頁面,但是登入不上
登入接口報錯
{ "code":500, "detailedMessage":"Post "https://192.168.1.10:19000/": x509: certificate relies on legacy Common Name field, use SANs instead", "message":"invalid Login" }
發現是GO1.15 X509 被砍了(不能用了) ,需要用到SAN證書
看了下minion官方
minio/docs/tls at master · minio/minio · GitHub
發現這個可以生成SAN證書
Releases · minio/certgen · GitHub
Example (server)
certgen -host "127.0.0.1,localhost"
Created a new certificate 'public.crt', 'private.key' valid for the following names 📜
- "127.0.0.1"
- "localhost"
Example (client)
certgen -client -host "localhost"
Created a new certificate 'client.crt', 'client.key' valid for the following names 📜
- "localhost"
wget https://github.com/minio/certgen/releases/download/v1.2.0/certgen-darwin-amd64
mv certgen-darwin-amd64 certgen
記得删掉之前的證書
./certgen -host "127.0.0.1,192.168.1.10" (這裡指定回環IP和本機IP)
./certgen -host "127.0.0.1,192.168.1.10"
Created a new certificate 'public.crt', 'private.key' valid for the following names 📜
- "127.0.0.1"
- "192.168.1.10"
生成的證書未添加到根證書,https請求未攜帶數字證書會導緻在SDK請求的時候出現如下錯誤。
x509: certificate signed by unknown authority
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ./public.crt
ps 删掉現有證書:
sudo security delete-certificate -c ""
其他系統添加證書到根證書請看
Adding trusted root certificates to the server
certgen -client -host "127.0.0.1,192.168.1.10"
再次啟動minio就可以了