How to use a self-signed certificate with curl

I generated the SSL certificates with the following commands.

C=PL
ST=Mazovia
L=Warsaw
O="PHP-HTTP"
CN="192.168.56.10"

openssl req -out ca.pem -new -x509 -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-server" -passout pass:password

openssl genrsa -out server.key
openssl req -key server.key -new -out server.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN" -passout pass:password
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -passin pass:password

openssl genrsa -out client.key
openssl req -key client.key -new -out client.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-adapter-client" -passout pass:password
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem -passin pass:password

Applied them to the dockerd daemon.

sudo cp ca.pem /root/.docker/
sudo cp server.key /root/.docker/key.pem
sudo cp server.pem /root/.docker/cert.pem

Enabled by adding --tlsverify (Alpine Linux).

From a PHP script I connected to the /version endpoint successfully.

$client = (new CurlHttpClient([
//  'bindto' => '/var/run/docker.sock',
    'cafile' => __DIR__ . '/../../../ssl-test/ca.pem',
    'local_cert' => __DIR__ . '/../../../ssl-test/client.pem',
    'local_pk' => __DIR__ . '/../../../ssl-test/client.key',
//  'verify_host' => false,
]));
$response = $client->request(
    'GET',
    'https://192.168.56.10:2376/version'
);

I would like to establish the same connection with a plain curl command, but whatever combination of the --cacert and --cert options I use, curl reports an error. How do I have to bundle the output files to get a working connection?

Edit: system is WSL2 Ubuntu 22.04.3 LTS

Answer 1

curl -vv helped a lot. I thought curl was expecting a particular certificate format, and it turned out that curl needs both the private key client.key (pkey) and the certificate client.pem (cert) in a single file.

[~] cat client.pem >> cert-and-key.pem
[~] cat client.key >> cert-and-key.pem
[~] curl -vv --cacert ca.pem --cert cert-and-key.pem https://192.168.56.10:2376/version

Note: alternatively, -k / --insecure can be used instead of --cacert ca.pem (not recommended).

Output:

*   Trying 192.168.56.10:2376...
* Connected to 192.168.56.10 (192.168.56.10) port 2376 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: ca.pem
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=192.168.56.10
*  start date: Dec  2 23:15:27 2023 GMT
*  expire date: Jan  1 23:15:27 2024 GMT
*  common name: 192.168.56.10 (matched)
*  issuer: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=socket-server
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /version HTTP/1.1
> Host: 192.168.56.10:2376
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Api-Version: 1.42
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/23.0.6 (linux)
< Date: Sun, 03 Dec 2023 15:23:48 GMT
< Content-Length: 873
<
{"Platform":{"Name":""},"Components":[{"Name":"Engine","Version":"23.0.6","Details":{"ApiVersion":"1.42","Arch":"amd64","BuildTime":"2023-10-12T14:14:03.000000000+00:00","Experimental":"false","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","KernelVersion":"6.1.60-0-virt","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.7.2","Details":{"GitCommit":"0cae528dd6cb557f7201036e9f43420650207b58"}},{"Name":"runc","Version":"1.1.7","Details":{"GitCommit":"860f061b76bb4fc671f0f9e900f7d80ff93d4eb7"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":""}}],"Version":"23.0.6","ApiVersion":"1.42","MinAPIVersion":"1.12","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","Os":"linux","Arch":"amd64","KernelVersion":"6.1.60-0-virt","BuildTime":"2023-10-12T14:14:03.000000000+00:00"}
* Connection #0 to host 192.168.56.10 left intact
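As an added example that is not part of the question or the answer above, the POSIX shell script below reproduces the CA / server / client setup with openssl, builds the cert-and-key.pem bundle that curl's --cert reads, and checks the bundle before it is handed to curl: that the certificate chains to ca.pem with a client purpose, and that the private key in the same file actually belongs to that certificate (a mismatched pair is a common cause of a handshake failure that curl reports only vaguely). It departs from the original commands in two places, both assumptions of this example: the CA key is written to an explicit ca.key instead of OpenSSL's default privkey.pem, and the server certificate carries the IP in a subjectAltName, because RFC 6125-style verifiers do not fall back to the Common Name (curl 7.81.0 in the output above still did). The function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumes: openssl (1.1.1 or later) on PATH; subject fields and the
# 192.168.56.10 address are taken from the question; ca.key, the SAN
# extension and the function names are this example's own choices.
set -eu

SUBJ="/C=PL/ST=Mazovia/L=Warsaw/O=PHP-HTTP"

# Create a throw-away CA plus a server and a client certificate in $1,
# for the server address $2 (default 192.168.56.10).
make_pki() {
    dir=$1
    ip=${2:-192.168.56.10}
    mkdir -p "$dir"

    # CA: explicit key file (the question relied on openssl's default privkey.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "$SUBJ/CN=socket-server" 2>/dev/null

    # Server: the IP goes into subjectAltName; EKU serverAuth as in the Docker docs
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.req" -subj "$SUBJ/CN=$ip" 2>/dev/null
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" > "$dir/server.ext"
    openssl x509 -req -days 1 -in "$dir/server.req" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null

    # Client: EKU clientAuth, which dockerd --tlsverify requires of client certs
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.req" -subj "$SUBJ/CN=socket-adapter-client" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 1 -in "$dir/client.req" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/client.pem" 2>/dev/null
}

# Join certificate $1 and private key $2 into $3, the single-file form
# that curl --cert reads when no --key option is given.
bundle_cert_key() {
    cat "$1" "$2" > "$3"
    chmod 600 "$3"   # the bundle now holds the private key
}

# Return 0 only if bundle $2 is usable as a client credential for CA $1:
# the certificate chains to the CA with a client purpose, and the key in
# the same file matches the certificate's public key.
verify_bundle() {
    ca=$1
    bundle=$2
    openssl x509 -in "$bundle" 2>/dev/null |
        openssl verify -CAfile "$ca" -purpose sslclient >/dev/null 2>&1 || return 1
    certpub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Usage (the call the answer arrives at, with the bundle checked first):
#   make_pki ./ssl-test 192.168.56.10
#   bundle_cert_key ./ssl-test/client.pem ./ssl-test/client.key ./ssl-test/cert-and-key.pem
#   verify_bundle ./ssl-test/ca.pem ./ssl-test/cert-and-key.pem &&
#       curl --cacert ./ssl-test/ca.pem --cert ./ssl-test/cert-and-key.pem \
#            https://192.168.56.10:2376/version
```

The combined file works because curl reads the private key from the --cert file when --key is not given; --cert client.pem --key client.key is the equivalent two-file form. Since the bundle contains the private key, it is given the same 0600 permissions the key file should have.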
