CentOS7 导入自定义根证书

导入前cURL https API接口失败export TOKEN=$(cat token_file)curl-X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://k8sapi.example.com:6443/api/curl: (60) Peer's Certifica...

毛小威

4944人浏览 · 2019-12-26 16:16:41

毛小威 · 2019-12-26 16:16:41 发布

导入前cURL https API接口失败

export TOKEN=$(cat token_file)
curl  -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://k8sapi.example.com:6443/api/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

导入后cURL https API接口成功

export TOKEN=$(cat token_file)
curl   -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://k8sapi.example.com:6443/api/
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "10.116.68.203:6443"
    }
  ]
}

## 当然可以在curl命令里面指定-k/--insecure 或者指定证书访问，例如
curl --cacert kubernetes_ca.crt  -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://k8sapi.example.com:6443/api/

CentOS7 导入自定义CA证书（根证书）

1. 安装ca-certificates

 yum -y install ca-certificates

2.证书文件放入 /usr/share/pki/ca-trust-source/anchors

# 证书名字后缀是crt，格式为pem，也就是有BEGIN和END的格式
ls -l /usr/share/pki/ca-trust-source/anchors
kubernetes_ca.crt

3. 更新

update-ca-trust

# 如上命令执行完成后etc/ssl/certs/ca-bundle.crt 以及/etc/ssl/certs/ca-bundle.trust.crt就包含了新的自定义证书
# 例如
tail -n20 /etc/ssl/certs/ca-bundle.trust.crt

# kubernetes
-----BEGIN TRUSTED CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTE5MTIwNDEwMzUzMFoXDTI5MTIwMTEwMzUzMFowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOEC
IpMQQP7MSd5JmvnvxGca3r2p5BXVoPKxKa25eXTxGLRV6jKtYVV/Duj10MOxQbSm
61B9T2m7UOzI/KzSaEMVBRe6SvMSQLBrs53BmYQmYd3lzTovClOR9aFDlcus0OMP
BQ2bxQXpeJEQ0vIsEGoHPPxijAwTGx7AoRrnbqEVN/Z+ojd1TI0sIFJtREDdJ5xx
+8qppvmUCSkJ73ps1yp7aiutPrXfTX2wDaDGyu7K6Lq4W+RCZJiv7rG3eipFzDdB
CYF++Aa/jQg76qGfhgjlk2C9XG0FYSiIrOeKoheoflGeYjO6OIO9vkTZUzfer2oM
SmnL7kSkpjCdKcsiQy8CAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEr/XBOPx18VOl8in88K1i+7WNPH
Pv2mG/O7RgD9NygqfZadt2sboK2fAOwKAa5BJcnCpEr8evaTH92IyZSXyx8m5ew1
h4Zh5CD4VkUabQPFAMiCGvKgmhyLVKEA9yqvbOR/IR4Tx7y8eVEpNYj+dmi6+fs7
6Cb7xAacSttOHzu8g76y5BgLhtnIQux5iv2qWBMnXoR/7596M9OcZkDbkTWOkGZx
THxZD713sgAjwK6ICNkI85uWT/ZQP54uxGPZtt5Y1LpkKqI0lPQM6rpVO1BxiOkB
RwfOB3gbv6DNIi8v8FWap34APcdFlEPEMVlTGb6FB+x75YiziWLtnnEQvsQwDAwK
a3ViZXJuZXRlcw==
-----END TRUSTED CERTIFICATE-----

K8S/Kubernetes

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐

【深度】阿里巴巴万级规模 K8s 集群全局高可用体系之美

作者 | 韩堂、柘远、沉醉来源 | 阿里巴巴云原生公众号前言台湾作家林清玄在接受记者采访的时候，如此评价自己 30 多年写作生涯：“第一个十年我才华横溢，‘贼光闪现’，令周边黯然失色；第二个十年，我终于‘宝光现形’，不再去抢风头，反而与身边的美丽相得益彰；进入第三个十年，繁华落尽见真醇，我进入了‘醇光初现’的阶段，真正体味到了境界之美”。长夜有穷，真水无香。领略过了 K8s“身在江

K8S/Kubernetes

如何基于 K8s 构建下一代 DevOps 平台？

作者 | 孙健波（天元）导读：当前云原生 DevOps 体系现状如何？面临哪些挑战？如何通过 OAM 解决云原生 DevOps 场景下的诸多问题？云原生开发应用模型 OAM(Open Application Model) 社区核心成员孙健波将为大家一一解答，并分享如何基于 OAM 和 Kubernetes 打造无限能力的下一代 DevOps 平台。什么是 DevOps？为什么基于 Kub