A previous article covered deploying and using Dashboard 2.0.0, but the deployment cannot be used from Chrome 58+ (Chrome 58 stopped matching the hostname against the certificate's CN and requires a Subject Alternative Name). This article is a memo organizing the corresponding fix.
Certificate signing request configuration (CSR)
[root@host131 k8s]# cat dashboard-csr.config
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = LiaoNing
L = DaLian
O = K8S
OU = System
CN = kubernetes-dashboard
[ req_ext ]
subjectAltName = @alt_names
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
[ alt_names ]
DNS.1 = 192.168.163.131
[root@host131 k8s]#
Generate the private key
[root@host131 k8s]# openssl genrsa -out cert-dashboard-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.............................................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@host131 k8s]# ls cert-dashboard-key.pem
cert-dashboard-key.pem
[root@host131 k8s]#
Generate the CSR file
[root@host131 k8s]# openssl req -new -key cert-dashboard-key.pem -out dashboard.csr -config dashboard-csr.config
[root@host131 k8s]#
[root@host131 k8s]# ls dashboard*
dashboard.csr dashboard-csr.config
[root@host131 k8s]#
Generate the certificate file
[root@host131 k8s]# openssl x509 -req -in dashboard.csr -CA /etc/ssl/ca/ca.pem -CAkey /etc/ssl/ca/ca-key.pem -CAcreateserial -out cert-dashboard.pem -days 10000 -extensions v3_ext -extfile dashboard-csr.config
Signature ok
subject=/C=CN/ST=LiaoNing/L=DaLian/O=K8S/OU=System/CN=kubernetes-dashboard
Getting CA Private Key
[root@host131 k8s]#
Verify the certificate
[root@host131 k8s]# openssl x509 -in dashboard.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
96:73:f3:1c:62:51:11:52
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=LiaoNing, L=DaLian, O=K8S, OU=System, CN=kubernetes
Validity
Not Before: Feb 1 10:01:04 2020 GMT
Not After : Jun 19 10:01:04 2047 GMT
Subject: C=CN, ST=LiaoNing, L=DaLian, O=K8S, OU=System, CN=kubernetes-dashboard
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:B9:D4:4A:BA:8B:F4:44:21:0E:99:B0:7D:0D:4D:C6:10:3E:EB:98:7A
DirName:/C=CN/ST=LiaoNing/L=DaLian/O=K8S/OU=System/CN=kubernetes
serial:79:EE:52:BF:6D:30:05:64:4E:E8:4A:38:8F:5C:8E:77:E5:71:37:3D
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:192.168.163.131
Signature Algorithm: sha256WithRSAEncryption
[root@host131 k8s]#
As shown above, the certificate now carries a usable Subject Alternative Name extension.
Remaining issues
Even after importing both the CA certificate and the generated dashboard certificate into the trust chain, it still cannot be used with Chrome 58+; this issue will be investigated further.
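Added check, not part of the original memo: the Python below parses the Subject Alternative Name line from `openssl x509 -noout -text` output (sample text constructed from the output above) and applies the browser matching rule, under which a host given as an IP address must match an `IP Address:` entry and a `DNS:` entry matches only a hostname. Run on this certificate it reports no match for `192.168.163.131`, because the address was declared as `DNS.1` rather than `IP.1` under `[ alt_names ]`.

```python
import ipaddress
import re

# Constructed sample: the SAN section as printed by `openssl x509 -noout -text`,
# mirroring the certificate generated in this memo.
SAMPLE_CERT_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:192.168.163.131
"""


def parse_san(cert_text):
    """Return the (type, value) SAN entries found in openssl -text output."""
    m = re.search(r"Subject Alternative Name:\s*(.+)", cert_text)
    if not m:
        return []
    entries = []
    for item in m.group(1).split(","):
        # e.g. "DNS:host.example" or "IP Address:192.0.2.1" (IPv6 keeps its colons)
        kind, _, value = item.strip().partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def host_matches_san(host, entries):
    """Browser rule: IP hosts need an 'IP Address' entry, names need a 'DNS' entry."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in entries:
        if ip is not None:
            if kind != "IP Address":
                continue  # a DNS entry never covers a literal IP host
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif kind == "DNS":
            h = host.lower().rstrip(".")
            v = value.lower().rstrip(".")
            if v.startswith("*."):
                # a wildcard covers exactly one leftmost label
                if h.count(".") == v.count(".") and h.endswith(v[1:]):
                    return True
            elif h == v:
                return True
    return False
```

Declaring `IP.1 = 192.168.163.131` under `[ alt_names ]` yields an `IP Address:` entry that this check, and Chrome, accept.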
Note: the earlier Dashboard version 1.10.1 worked normally. Some articles resolved this issue by setting the CN to the domain name or IP, but in my own experiment the certificate details lacked a Subject Alternative Name; Chrome had shown the same problem with other HTTPS certificates before, and the modification demonstrated in this article fixed those, but it has not yet succeeded with this version of the dashboard.