我使用以下命令生成了 SSL 证书:
C=PL
ST=Mazovia
L=Warsaw
O="PHP-HTTP"
CN="192.168.56.10"
openssl req -out ca.pem -new -x509 -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-server" -passout pass:password
openssl genrsa -out server.key
openssl req -key server.key -new -out server.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN" -passout pass:password
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -passin pass:password
openssl genrsa -out client.key
openssl req -key client.key -new -out client.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-adapter-client" -passout pass:password
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem -passin pass:password
我将它们应用到 dockerd 守护进程:
sudo cp ca.pem /root/.docker/
sudo cp server.key /root/.docker/key.pem
sudo cp server.pem /root/.docker/cert.pem
--tlsverify通过添加( Alpine linux )来启用它们
并从 PHP 脚本成功连接到 /version 端点:
$client = (new CurlHttpClient([
// 'bindto' => '/var/run/docker.sock'
'cafile' => __DIR__ . '/../../../ssl-test/ca.pem',
'local_cert' => __DIR__ . '/../../../ssl-test/client.pem',
'local_pk' => __DIR__ . '/../../../ssl-test/client.key',
// 'verify_host' => false,
]));
$response = $client->request(
'GET',
'https://192.168.56.10:2376/version'
);
我想使用普通curl命令建立该连接,但无论我使用什么组合--cacert或--cert选项,它都会给我一个错误。我应该如何捆绑输出文件以建立工作连接?
编辑>系统:WSL2 Ubuntu 22.04.3 LTS
答案1
curl -vv帮了很多忙。我怀疑curl只是期望特定格式的证书,结果发现它需要在一个文件中同时包含私钥client.key( pkey )和( cert )。client.pem
[~] cat client.pem >> cert-and-key.pem
[~] cat client.key >> cert-and-key.pem
[~] curl -vv --cacert ca.pem --cert cert-and-key.pem https://192.168.56.10:2376/version
注:也可以用or--cacert ca.pem代替(不推荐)-k--insecure
输出:
* Trying 192.168.56.10:2376...
* Connected to 192.168.56.10 (192.168.56.10) port 2376 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: ca.pem
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=192.168.56.10
* start date: Dec 2 23:15:27 2023 GMT
* expire date: Jan 1 23:15:27 2024 GMT
* common name: 192.168.56.10 (matched)
* issuer: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=socket-server
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /version HTTP/1.1
> Host: 192.168.56.10:2376
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Api-Version: 1.42
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/23.0.6 (linux)
< Date: Sun, 03 Dec 2023 15:23:48 GMT
< Content-Length: 873
<
{"Platform":{"Name":""},"Components":[{"Name":"Engine","Version":"23.0.6","Details":{"ApiVersion":"1.42","Arch":"amd64","BuildTime":"2023-10-12T14:14:03.000000000+00:00","Experimental":"false","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","KernelVersion":"6.1.60-0-virt","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.7.2","Details":{"GitCommit":"0cae528dd6cb557f7201036e9f43420650207b58"}},{"Name":"runc","Version":"1.1.7","Details":{"GitCommit":"860f061b76bb4fc671f0f9e900f7d80ff93d4eb7"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":""}}],"Version":"23.0.6","ApiVersion":"1.42","MinAPIVersion":"1.12","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","Os":"linux","Arch":"amd64","KernelVersion":"6.1.60-0-virt","BuildTime":"2023-10-12T14:14:03.000000000+00:00"}
* Connection #0 to host 192.168.56.10 left intact