解决了

使用Lets加密证书棱镜中心和棱镜元素

  • 2018年4月17日
  • 11日回复
  • 2362的浏览量
三硝基甲苯
徽章
我正在寻找替换我的SSL证书的棱镜中心和棱镜元素部署与让加密通配符证书。

我可以很容易地请求通配符证书

Sudo certbot -d example.com -d *.example.com——manual——preferred-challenges dns-01——server https://acme-v02.api.letsencrypt.org/directory当然

我生成了三个文件:
privkey = /etc/letsencrypt /生活/ example.com/privkey.pem
链= /etc/letsencrypt /生活/ example.com/chain.pem
fullchain = /etc/letsencrypt /生活/ example.com/fullchain.pem

谁能告诉我,我可以使用什么openssl命令来将这些.pem文件转换为所需的格式为Prism Central/Prism Element?我尝试从https://www.sslsupportdesk.com/openssl-commands/多个命令,但我似乎不能找到确切的一个。

如果需要其他证书,还可以从这里获取中间/根证书。
https://letsencrypt.org/certificates/

我也在寻找一种最终的方法来脚本这个过程,所以如果有人知道如何通过CLI替换Prism Central/Prism Element中的证书,我也会感激。最初,只要找到要使用的正确证书格式,我就很高兴了。
图标

最佳答案Reinder2018年11月30日,15:28

\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","className":"post__content__best_answer"}">
查看原始
\r\n
\r\nI can request the wildcard certificates easily enough
\r\n
\r\nsudo certbot -d example.com -d *.example.com --manual --preferred-challenges dns-01 --server https:\/\/acme-v02.api.letsencrypt.org\/directory certonly
\r\n
\r\nI get generated three files:
\r\nprivkey = \/etc\/letsencrypt\/live\/example.com\/privkey.pem
\r\nchain = \/etc\/letsencrypt\/live\/example.com\/chain.pem
\r\nfullchain = \/etc\/letsencrypt\/live\/example.com\/fullchain.pem
\r\n
\r\nCan anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central\/Prism Element? I have attempted multiple commands from https:\/\/www.sslsupportdesk.com\/openssl-commands\/ but I can't seem to find the exact one.
\r\n
\r\nI can also grab the intermediate\/root certificates from here if I need additional certs.
\r\nhttps:\/\/letsencrypt.org\/certificates\/
\r\n
\r\nI'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central\/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
本主题已关闭供评论

11日回复

l
你好,

最好使用openssl来创建csr和密钥文件。将csr带到您的证书颁发机构,并对其进行签名。你可以从中得到一个pem。获取pem文件、密钥文件和根/ca包,并将其上传到prism控制台。

确保也使用SAN,否则浏览器会抱怨。
\r\n
\r\nBetter to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root\/ca bundle and upload it to your prism console.
\r\n
\r\nMake sure to use SAN as well or browsers will complain.","quoteUsername":"lapfcukle","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
三硝基甲苯
徽章
我很感谢@lapfcukle的响应,但这意味着我需要从CA购买证书。使用LetsEncrypt使我能够获得免费的、有效的证书。

我从LetsEncrypt获得有效的证书,我只需要知道如何将它们转换为Prism Central/Prism Element可以使用的格式。
\r\n
\r\nI get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central\/Prism Element can use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
R
好吧,我把这个贴在这里,因为这是最高的帖子,如果你让nutanix prism加密的话。
要回答您的问题,不需要openssl来转换证书。
棘手的是让Nutanix拿走链条。pem,经过一些令人沮丧的尝试,我让它像这样工作:

Ncli ssl-certificate import certificate-path=/full/path/to/cert。pem cacertificate-path = /全/道路/ / mychain。pem关键路径= /全/道路/ / privkey。pem键式= " RSA_2048 "

mychain的地方。pem是我结合https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt和https://letsencrypt.org/certs/isrgrootx1.pem.txt创建的
所以cat letsencryptauthorityx3.pem.txt是rgrootx1.pem.txt > mychain.pem

希望这能帮助到一些人,

reder - TriOpSys - NL
\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","quoteUsername":"Reinder","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
omero.muscio
Userlevel 1
徽章 +2

就像一个更新安装SSL-Cert与让加密,我已经创建Certbot certonly选项,并将所有文件复制到cvm。

因为您已经得到了完整的chain文件,所以不需要将链文件合并在一起。
在我这边,它与我从letsencrypt获得的标准文件一起工作。

使用fullchain.pem-file作为cacercertificate -path !

这是所有


问候

Omero

少点点击,多点火锅!
Just as a update for installing a SSL-Cert with Lets Encrypt, i\u2019ve created the Certs with the Certbot certonly option and copy all the files to a cvm.<\/p>

As you get already the full-Chain file, it\u2019s not required to merge the chain-files together.
On my side it worked with the standart-files i get from letsencrypt.<\/p>

Use for the cacertificate-path the fullchain.pem-file!<\/p>

Thats all<\/p>


Greets<\/p>

Omero<\/p>","quoteUsername":"omero.muscio","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

W
Userlevel 2
徽章 +5

我只是得到一个错误消息:

错误:写数据的问题,类java.util。LinkedList ContentType:多部分/格式

当试图用ncli ssl-certificate import…

I just get an error message:<\/p>
Error: Problem with writing the data, class java.util.LinkedList, ContentType: multipart\/form-data<\/code><\/pre>
when trying to load the certs in with ncli ssl-certificate import ...<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W
Userlevel 2
徽章 +5

这个错误在data/logs/prism_gateway.log中

INFO 2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 [] commands.keys.AddPemKey. INFOcheckCertPurpose:549 SSL服务器的目的值为“Yes”。
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 [] prism.aop.RequestInterceptor。调用:235从KeyAdministration.importFiles抛出异常
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException:导入文件验证失败。请上传有效的CA证书/链文件并选择相应的密钥类型。
com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles (KeyAdministrationImpl.java: 111)

但是需要选择RSA_2048密钥类型和有效的RSA 2048证书和CA链。

And this error in the data\/logs\/prism_gateway.log\u00a0<\/p>
INFO  2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 [] commands.keys.AddPemKey.checkCertPurpose:549 Purpose value for 'SSL server' is 'Yes'.
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 [] prism.aop.RequestInterceptor.invoke:235 Throwing exception from KeyAdministration.importFiles
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException: Import Files verification failed. Please upload a valid CA certificate\/chain file and select relevant key type.
        at com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles(KeyAdministrationImpl.java:111)<\/code><\/pre>
but that is with the RSA_2048 key type selected and a valid RSA 2048 certificate and CA chain.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W
Userlevel 2
徽章 +5

测试后

Test post<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W
Userlevel 2
徽章 +5

我解决了这个问题,至少部分解决了。

我使用https://github.com/srvrco/getssl项目生成证书,它正在创建一个“全链”。其中只包含服务器证书和中间CA证书,但不包含根CA证书。pem文件,而我的中间CA签署了一个不同的证书。

我还没有成功用ncli替换certs。

\u200bOk I solved this, at least partially.<\/p>

I was using the\u00a0https:\/\/github.com\/srvrco\/getssl\u00a0project for generating the certs and it was creating a \u2018fullchain.crt\u2019 file which included only the server cert and intermediate CA cert, but not the root CA cert. Also Reinder\u2019s answer used the isgrootx1.pem file whereas my intermediate CA was signed with a different cert.<\/p>

I have not managed to replace the certs with\u00a0ncli yet.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

W
Userlevel 2
徽章 +5

ncli在CE.2020.09.16版本中似乎坏了,我一直得到错误以上

然而,使用Prism使用的一个没有文档记录的v1 API调用,我已经能够安装带有curl的证书,如下所示

$ curl——user 'admin:password' \
- f caChain = @fullchain。crt \
- f cert = @server。crt \
- f键= @server。关键\
- f keyType = RSA_2048 \
- k https://127.0.0.1:9440 PrismGateway /服务/ rest / v1 /键/ pem /导入

fullchain的地方。crt包含PEM格式的中间CA证书和根CA证书。

Jonathant2
徽章 +1

你曾经得到进一步,有同样的问题与LetsEncrypt管理使用您的curl上面,并安装,然而似乎没有“发布”

Did you ever get further than this, having the same issue with LetsEncrypt managed to use your curl above, and its installed, however seemingly not \u201cpublished\u201d<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Jonathant2
徽章 +1

秘籍……重启cvm(在我的例子中是单节点)…工作! !

Top tip... Reboot the cvm (single node in my case)... Job done !!<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Baidu