
Accessing the MinIO service securely with TLS (HTTPS access to MinIO)

openssl genrsa -out private.key 2048

openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=CN/ST=bj/L=oct/O=com/CN=192.168.1.10"

The IP above is the local machine's IP.

Generating a self-signed certificate:

minio/docs/tls at master · minio/minio · GitHub

After generating the certificate, start MinIO:

minio server http://127.0.0.1/Users/xxx/miniocluster/disk{1...4} --certs-dir /Users/xxx/Desktop/tls  --console-address :9001 --address :9000

The MinIO page loads, but logging in fails.

The login endpoint returns this error:


{ "code":500, "detailedMessage":"Post "https://192.168.1.10:19000/": x509: certificate relies on legacy Common Name field, use SANs instead", "message":"invalid Login" }

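It turns out that since Go 1.15, X.509 certificates that rely on the Common Name field are no longer accepted, so a certificate with SANs is needed.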

I looked at the official MinIO documentation:

minio/docs/tls at master · minio/minio · GitHub

and found that this tool can generate SAN certificates:

Releases · minio/certgen · GitHub

Example (server)

certgen -host "127.0.0.1,localhost"

Created a new certificate 'public.crt', 'private.key' valid for the following names 📜
 - "127.0.0.1"
 - "localhost"
           

Example (client)

certgen -client -host "localhost"

Created a new certificate 'client.crt', 'client.key' valid for the following names 📜
 - "localhost"
           

wget https://github.com/minio/certgen/releases/download/v1.2.0/certgen-darwin-amd64

mv certgen-darwin-amd64 certgen

Remember to delete the previous certificate first.

./certgen -host "127.0.0.1,192.168.1.10" (this specifies the loopback IP and the local machine's IP)

./certgen -host "127.0.0.1,192.168.1.10"
Created a new certificate 'public.crt', 'private.key' valid for the following names 📜
 - "127.0.0.1"
 - "192.168.1.10"
           

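The generated certificate has not been added to the trusted root certificates, so HTTPS requests from an SDK that do not supply the certificate fail with the following error.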

x509: certificate signed by unknown authority

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ./public.crt

P.S. To delete the existing certificate:

sudo security delete-certificate -c ""

For adding the certificate to the trusted roots on other systems, see

Adding trusted root certificates to the server

certgen -client -host "127.0.0.1,192.168.1.10"

Start MinIO again and it works.