k8s-18-api-server更换证书
1. 目前 API server 证书的 SAN 信任三个 master 的 IP 地址(192.168.56.10–12),现在要再加一个地址。先查看当前证书:
[root@k8s-master seversslbak]# cfssl-certinfo -cert server.pem
{
"subject": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"issuer": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"k8s",
"System",
"kubernetes"
]
},
"serial_number": "591829917047207358591893406474948745207699905189",
"sans": [
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1",
"192.168.56.10",
"192.168.56.11",
"192.168.56.12",
"10.10.10.1"
],
"not_before": "2018-10-02T02:52:00Z",
"not_after": "2028-09-29T02:52:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "93:D5:D3:91:42:2C:22:45:E:EE:12:82:F8:78:9C:BA:D0:5:DE:43",
"subject_key_id": "9E:76:4C:F7:24:11:E5:86:24:1:C2:DC:2D:F5:AA:3B:F0:B3:21:A5",
"pem": "-----BEGIN CERTIFICATE-----\nMIIEhTCCA22gAwIBAgIUZ6qSQldvDDFbFZ0mWhR30hU2mqUwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE4MTAwMjAyNTIwMFoXDTI4MDkyOTAyNTIwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyk0D+RlWUot1909wHhxs\n8gHESHGwjW85OyfN6qMwBeZbrLy9OJGWWADvxhLd5JXga+3ZMmyp979+RzDvTaoE\nFpOAaKzQBipWJguU2kP9PO/AGKePD7+sAHK8D09A6z9T7rFqr/ymALkDgtLG9xiG\nzLhJrdmZNjvGPB3RLFHtXt6RXR6vnXJ9JpQ90b1hmXsp8tRv0YNfaGA3KhOSNB6e\nXC0oTXNS/h4G1l0ee9x0BVYlwDCwL/7lSVF0E1lAcXzU8zqy4qY2815CHcHaTtxw\nMne6jSwh6DMfIdVuZSiLumgeLIRJZntRFwd8GqMmDGjCwomH+XutasJ8OGaApDh6\nxQIDAQABo4IBKzCCAScwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSedkz3JBHlhiQB\nwtwt9ao78LMhpTAfBgNVHSMEGDAWgBST1dORQiwiRQ7uEoL4eJy60AXeQzCBpwYD\nVR0RBIGfMIGcggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVy\nbmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rl\ncoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTA\nqDgKhwTAqDgLhwTAqDgMhwQKCgoBMA0GCSqGSIb3DQEBCwUAA4IBAQCTT5vj/DYR\niPwJ3eXd48fK6GDtwtRlfs1XlDxjVRx77OOiw3L7f3D3+fExC5Zq9TffJ7r32NRp\n+FICkkmguYCmvZ5sohiiunDdVfeKDWxYT4LlqF1YX1Ta0D6bVyRdvr9lImaty+hS\nkyH3BFVocVSn2vdtGUSy2X8LRrEXNvdcRrrLihVWlZONCrAUV2pnyU8LWHhDEZak\n5H3aIlz7Eqr4/lcXytXjk1DiTGAi67fwLy4yiRvrPnpsYlp/Ee9gudlkysO7ArIi\nNBKK42nYU1pGXqIeOarrCH1WWDGMy2JHp/okSEVlktoy2gwGi7GembAf68x5viUM\ngoV9PpKjMgvD\n-----END CERTIFICATE-----\n"
}
2. 修改 CSR 文件(即下一步命令使用的 server-csr.json),在 hosts 中加入新地址 192.168.56.13:
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.56.10",
"192.168.56.11",
"192.168.56.12",
"192.168.56.13",
"10.10.10.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
3. 基于原来的 CA 证书重新生成 server.pem 和 server-key.pem,复制到 /opt/kubernetes/ssl/ 后重启 kube-apiserver,再用 cfssl-certinfo 确认 SAN 中已包含 192.168.56.13:
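# Re-issue the kube-apiserver serving certificate from the existing CA using
# the updated server-csr.json, install it, and restart the API server.
# Run from the directory that holds ca.pem, ca-key.pem, ca-config.json and
# server-csr.json (bash is required for pipefail).
#
# The steps run in a subshell with strict mode so that a failed signing step
# (including a cfssl failure hidden behind the pipe) stops the sequence before
# the installed certificate is replaced or the service is restarted, without
# changing the options of the interactive shell.
(
  set -euo pipefail

  # Sign a new key pair with the existing CA; cfssljson -bare writes the
  # result as server.pem / server-key.pem in the current directory.
  cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile=kubernetes \
    server-csr.json \
    | cfssljson -bare server

  # Refuse to install an empty or missing certificate or key.
  if ! [ -s server.pem ] || ! [ -s server-key.pem ]; then
    echo "server.pem or server-key.pem was not generated" >&2
    exit 1
  fi

  # NOTE(review): ca-key.pem and server-key.pem are private keys. Confirm that
  # they are readable only by the accounts that need them; cp onto an existing
  # file keeps that file's current mode, so check the installed key's mode too.
  #
  # Skip the copy when already working inside the target directory, where cp
  # would fail because source and destination are the same file.
  if ! [ server.pem -ef /opt/kubernetes/ssl/server.pem ]; then
    cp -- server.pem server-key.pem /opt/kubernetes/ssl/
  fi

  # NOTE(review): this restarts only the local kube-apiserver; presumably the
  # other masters that serve this certificate need the same files. Verify.
  systemctl restart kube-apiserver
)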
[root@k8s-master ssl]# cfssl-certinfo -cert server.pem
{
"subject": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"issuer": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"k8s",
"System",
"kubernetes"
]
},
"serial_number": "508184769729075093485943956732747441633339345736",
"sans": [
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1",
"192.168.56.10",
"192.168.56.11",
"192.168.56.12",
"192.168.56.13",
"10.10.10.1"
],
"not_before": "2018-10-27T03:11:00Z",
"not_after": "2028-10-24T03:11:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "93:D5:D3:91:42:2C:22:45:E:EE:12:82:F8:78:9C:BA:D0:5:DE:43",
"subject_key_id": "7B:6E:13:B3:7A:31:84:E5:A4:9:87:64:8C:7D:EE:1:71:C2:EE:66",
"pem": "-----BEGIN CERTIFICATE-----\nMIIEizCCA3OgAwIBAgIUWQPLDvnjyQgDePhdAwjioWv3i0gwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE4MTAyNzAzMTEwMFoXDTI4MTAyNDAzMTEwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCpmf7s4P25vls5mPynl\nnxbdA3c8SrW54ZVPePk2LOJIFZl5CfqNoB5O4bNSgEVo8uTTLDDMab+H9XhqD2DO\ndpNrzfQ3oJbx5olodR8rph3BDP6RKSB8Mj9T6pbgcNXYWMvLrTbJahXfWzrxG/IN\nRaqgoUmuBomGN7xLbJpmEREmMzB4Q3/Cr0YZqkOgUiwgzuOwdfObzQ/JzWuZoQNw\n374QhaIqpVaH/ZIGHgL3XKblzuv3zhtLV9Vmi0/ST6+1m+yVS6fkvdiOHG2bXYFM\ng7seGd8ZU6dUV6sxMciAChsbWWPCHcYiqGO1C6Qa6ACJhlukDFhMzPvleI9ithuT\nLQIDAQABo4IBMTCCAS0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR7bhOzejGE5aQJ\nh2SMfe4BccLuZjAfBgNVHSMEGDAWgBST1dORQiwiRQ7uEoL4eJy60AXeQzCBrQYD\nVR0RBIGlMIGiggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVy\nbmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rl\ncoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTA\nqDgKhwTAqDgLhwTAqDgMhwTAqDgNhwQKCgoBMA0GCSqGSIb3DQEBCwUAA4IBAQA/\n3cMaOSScJL7g8O0iHhS0TFJ6qy1/RKYcq0Sr0cLAwP4z4OzMwdO7NF0U51VyjOLU\n81b3WCh1PHl7TV47ja2lP5fIe5+WCfnSRUMo66yRjItVFOqxQUzdD3v3YxaBuKou\npNbPlk8rUMs6a+6kUiN82QZjlAJZXWIdnxm+IkFHKLS/GCk9TemqhlMogejmYgUI\njBuZL3ZnkWX2QFMW13xEEs0pR+oxPsGaXu16UsRjhewVgZNNo5lHjn8Llgs2Nubk\nKzlVDm6NfZcac+UxOrfOaaHwXb6wSXYN/wIwrcCyjuy8Hq7aDV0glCf/WmMcJiGT\nStVwi1DLBdWkQNCcmkFN\n-----END CERTIFICATE-----\n"
}
[root@k8s-master ssl]#
转载于:https://blog.51cto.com/wsxxsl/2309663