当我执行以下命令生成 kubernetes 证书时:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
-config=ca-config.json
-profile=kubernetes
kubernetes-csr.json | cfssljson -bare kubernetes
为什么CFSSL采取显示:
[root@iZuf63refzweg1d9dh94t8Z ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
> -config=ca-config.json
> -profile=kubernetes
> kubernetes-csr.json | cfssljson -bare kubernetes
2019/08/25 20:02:12 [INFO] generate received request
2019/08/25 20:02:12 [INFO] received CSR
2019/08/25 20:02:12 [INFO] generating key: rsa-2048
2019/08/25 20:02:13 [INFO] encoded CSR
2019/08/25 20:02:13 [INFO] signed certificate with serial number 540759253485135214776496461610290604881680785507
2019/08/25 20:02:13 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
这是我的 Kubernetes(kubernetes-csr.json( 配置:
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"172.19.104.230",
"172.19.150.82",
"172.19.104.231"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
显然它包含主机字段。我正在使用 cfssl 版本 1.2 .这是一个错误吗?
将cfssl 版本从 v1.2 更新到 v1.3.4(最新版本(:
go get -u github.com/cloudflare/cfssl/cmd/cfssl