解决了

使用Lets加密棱镜中央和棱镜元素的证书

  • 2018年4月17日
  • 11回复
  • 2375次观点
Trinittoluene.
徽章
我希望用允许加密通配符证书替换我的棱镜中央和棱镜元素部署的SSL证书。

我可以很容易地请求通配符证书

sudo certbot -d example.com -d * .example.com - 批量--preferred-挑战DNS-01 -Server HTTPS://acme-v02.api.letsencrypt.org/directory certonly

我生成了三个文件:
privkey = /etc/letsencrypt/live/example.com/privkey.pem.
链= /etc/letsencrypt/live/example.com/chain.pem.
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem.

任何人都可以建议openssl命令我可以用来将这些.pem文件转换为棱镜中央/棱镜元素所需的所需格式吗?我从https://www.slsupportdesk.com/openssl-commands/尝试了多个命令,但我似乎无法找到确切的命令。

如果需要其他证书,还可以从这里获取中间/根证书。
https://letsencrypt.org/certificates/

我希望最终找到一种方法来脚本这个过程,所以如果有人知道如何通过CLI替换棱镜中央/棱镜元素的证明,我也会很欣赏。但最初,我很高兴找到正确的证书格式。
图标

最好的答案reinder.2018年11月30日,15:28

\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","className":"post__content__best_answer"}">
查看原版
\r\n
\r\nI can request the wildcard certificates easily enough
\r\n
\r\nsudo certbot -d example.com -d *.example.com --manual --preferred-challenges dns-01 --server https:\/\/acme-v02.api.letsencrypt.org\/directory certonly
\r\n
\r\nI get generated three files:
\r\nprivkey = \/etc\/letsencrypt\/live\/example.com\/privkey.pem
\r\nchain = \/etc\/letsencrypt\/live\/example.com\/chain.pem
\r\nfullchain = \/etc\/letsencrypt\/live\/example.com\/fullchain.pem
\r\n
\r\nCan anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central\/Prism Element? I have attempted multiple commands from https:\/\/www.sslsupportdesk.com\/openssl-commands\/ but I can't seem to find the exact one.
\r\n
\r\nI can also grab the intermediate\/root certificates from here if I need additional certs.
\r\nhttps:\/\/letsencrypt.org\/certificates\/
\r\n
\r\nI'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central\/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
此主题已关闭征询意见

11回复

L.
你好,

更好地使用openssl创建CSR和密钥文件。将CSR带到您的证书颁发机构,并签署。你可以得到一个pem。拍摄PEM文件,键文件和root / CA捆绑并将其上传到棱镜控制台。

确保使用SAN或浏览器会抱怨。
\r\n
\r\nBetter to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root\/ca bundle and upload it to your prism console.
\r\n
\r\nMake sure to use SAN as well or browsers will complain.","quoteUsername":"lapfcukle","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Trinittoluene.
徽章
我很感谢@lapfcukle的响应,但这意味着我需要从CA购买证书。使用LetsEncrypt使我能够获得免费的、有效的证书。

我从LetSencrypt获取有效证书,我只需要知道如何将它们转换为棱镜中央/棱镜元素可以使用的格式。
\r\n
\r\nI get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central\/Prism Element can use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
R.
好的,如果你谷歌Nutanix Prism Letsencrypt,那么我会在这里发布这篇文章。
要回答您的问题,不需要OpenSSL来转换证书。
什么是棘手的是让Nutanix带领链条.Pem,经过一些令人沮丧的尝试,我把它搞定了这样的工作:

Ncli ssl-certificate import certificate-path=/full/path/to/cert。pem cacertificate-path = /全/道路/ / mychain。pem关键路径= /全/道路/ / privkey。pem键式= " RSA_2048 "

mychain的地方。pem是我结合https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt和https://letsencrypt.org/certs/isrgrootx1.pem.txt创建的
所以cat letsencryptauthorityx3.pem.txt是rgrootx1.pem.txt > mychain.pem

希望这有助于某人,

reder - TriOpSys - NL
\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","quoteUsername":"Reinder","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
omero.muscio.
UserLevel 1.
徽章 +2

就像一个更新安装SSL-Cert与让加密,我已经创建Certbot certonly选项,并将所有文件复制到cvm。

当您已经完成了全链文件时,它不需要将链文件合并在一起。
在我这边,它与我从letsencrypt获得的标准文件一起工作。

用于CARERTICETE-PATH全文.PEM-FILE!

就这样


迎接

Omero.

少咔哒声,更多火锅!
Just as a update for installing a SSL-Cert with Lets Encrypt, i\u2019ve created the Certs with the Certbot certonly option and copy all the files to a cvm.<\/p>

As you get already the full-Chain file, it\u2019s not required to merge the chain-files together.
On my side it worked with the standart-files i get from letsencrypt.<\/p>

Use for the cacertificate-path the fullchain.pem-file!<\/p>

Thats all<\/p>


Greets<\/p>

Omero<\/p>","quoteUsername":"omero.muscio","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

W.
UserLevel 2.
徽章 +5

我只是得到一个错误消息:

错误:写数据的问题,类java.util。LinkedList ContentType:多部分/格式

尝试使用NCLI SSL证书导入加载Certs时...

I just get an error message:<\/p>
Error: Problem with writing the data, class java.util.LinkedList, ContentType: multipart\/form-data<\/code><\/pre>
when trying to load the certs in with ncli ssl-certificate import ...<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W.
UserLevel 2.
徽章 +5

在数据/日志/ prism_gateway.log中存在此错误

INFO 2020-10-21 23:47:42,326z http-nio-0.0.0.0-9081-ex-2 [] commands.keys.addpemkey.checkcertpurpose:'ssl server'的目的值是'是'。
错误2020-10-21 23:47:42,356z http-nio-0.0.0.0-9081-ex-2 [] prism.aop.requestinterceptor.invoke:235从keyAdministration.importfiles投掷异常
com.nutanix.prism.exception.keys.key.keyAdministrationException:com.nutanix.util.base.validationException:导入文件验证失败。请上传有效的CA证书/链文件并选择相关的关键类型。
在com.nutanix.prism.services.keys.keyadministrationimpl.importfiles(keyadministrationimpl.java:111)

但这与RSA_2048密钥类型选择以及有效的RSA 2048证书和CA链。

And this error in the data\/logs\/prism_gateway.log\u00a0<\/p>
INFO  2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 [] commands.keys.AddPemKey.checkCertPurpose:549 Purpose value for 'SSL server' is 'Yes'.
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 [] prism.aop.RequestInterceptor.invoke:235 Throwing exception from KeyAdministration.importFiles
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException: Import Files verification failed. Please upload a valid CA certificate\/chain file and select relevant key type.
        at com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles(KeyAdministrationImpl.java:111)<\/code><\/pre>
but that is with the RSA_2048 key type selected and a valid RSA 2048 certificate and CA chain.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W.
UserLevel 2.
徽章 +5

测试后

Test post<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W.
UserLevel 2.
徽章 +5

好的,我至少部分解决了这一点。

我使用https://github.com/srvrco/getssl项目生成证书,它正在创建一个“全链”。其中只包含服务器证书和中间CA证书,但不包含根CA证书。pem文件,而我的中间CA签署了一个不同的证书。

我还没有成功用ncli替换certs。

\u200bOk I solved this, at least partially.<\/p>

I was using the\u00a0https:\/\/github.com\/srvrco\/getssl\u00a0project for generating the certs and it was creating a \u2018fullchain.crt\u2019 file which included only the server cert and intermediate CA cert, but not the root CA cert. Also Reinder\u2019s answer used the isgrootx1.pem file whereas my intermediate CA was signed with a different cert.<\/p>

I have not managed to replace the certs with\u00a0ncli yet.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

W.
UserLevel 2.
徽章 +5

NCLI似乎在CE.2020.09.16版本中断,我一直拿到错误多于

但是,使用未记录的V1 API调用棱镜使用,我已经能够使用卷曲安装证书如下

$ curl -User'admin:password'\
- f caChain = @fullchain。crt \
-f cert=@server.crt \
-f key =@server.key \
-f keytype = rsa_2048 \
- k https://127.0.0.1:9440 PrismGateway /服务/ rest / v1 /键/ pem /导入

HullChain.crt在PEM格式中包含中间和根CA证书。

Jonathant2
徽章 +1

你曾经得到进一步,有同样的问题与LetsEncrypt管理使用您的curl上面,并安装,然而似乎没有“发布”

Did you ever get further than this, having the same issue with LetsEncrypt managed to use your curl above, and its installed, however seemingly not \u201cpublished\u201d<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Jonathant2
徽章 +1

秘籍……重启cvm(在我的例子中是单节点)…工作! !

Top tip... Reboot the cvm (single node in my case)... Job done !!<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Baidu