解决了

使用Lets加密棱镜中央和棱镜元素的证书

  • 2018年4月17日
  • 11回复
  • 2364次观点
Trinittoluene.
徽章
我希望用允许加密通配符证书替换我的棱镜中央和棱镜元素部署的SSL证书。

我可以容易地要求通配符证书

sudo certbot -d example.com -d * .example.com - 批量--preferred-挑战DNS-01 -Server HTTPS://acme-v02.api.letsencrypt.org/directory certonly

我生成了三个文件:
privkey = /etc/letsencrypt/live/example.com/privkey.pem.
链= /etc/letsencrypt/live/example.com/chain.pem.
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem.

任何人都可以建议openssl命令我可以用来将这些.pem文件转换为棱镜中央/棱镜元素所需的所需格式吗?我从https://www.slsupportdesk.com/openssl-commands/尝试了多个命令,但我似乎无法找到确切的命令。

如果我需要额外的证书,我也可以从这里获取中间/根证书。
https://letsencrypt.org/certificates/

我希望最终找到一种方法来脚本这个过程,所以如果有人知道如何通过CLI替换棱镜中央/棱镜元素的证明,我也会很欣赏。但最初,我很高兴找到正确的证书格式。
图标

最好的答案reinder.2018年11月30日,15:28

\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","className":"post__content__best_answer"}">
查看原版
\r\n
\r\nI can request the wildcard certificates easily enough
\r\n
\r\nsudo certbot -d example.com -d *.example.com --manual --preferred-challenges dns-01 --server https:\/\/acme-v02.api.letsencrypt.org\/directory certonly
\r\n
\r\nI get generated three files:
\r\nprivkey = \/etc\/letsencrypt\/live\/example.com\/privkey.pem
\r\nchain = \/etc\/letsencrypt\/live\/example.com\/chain.pem
\r\nfullchain = \/etc\/letsencrypt\/live\/example.com\/fullchain.pem
\r\n
\r\nCan anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central\/Prism Element? I have attempted multiple commands from https:\/\/www.sslsupportdesk.com\/openssl-commands\/ but I can't seem to find the exact one.
\r\n
\r\nI can also grab the intermediate\/root certificates from here if I need additional certs.
\r\nhttps:\/\/letsencrypt.org\/certificates\/
\r\n
\r\nI'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central\/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
此主题已关闭征询意见

11回复

L.
你好,

更好地使用openssl创建CSR和密钥文件。将CSR带到您的证书颁发机构,并签署。你可以得到一个pem。拍摄PEM文件,键文件和root / CA捆绑并将其上传到棱镜控制台。

确保使用SAN或浏览器会抱怨。
\r\n
\r\nBetter to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root\/ca bundle and upload it to your prism console.
\r\n
\r\nMake sure to use SAN as well or browsers will complain.","quoteUsername":"lapfcukle","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Trinittoluene.
徽章
我很欣赏响应@lapfcukle,但这意味着我需要从加利福尼亚州购买证书。使用Letsencrypt使我能够获得免费的有效证书。

我从LetSencrypt获取有效证书,我只需要知道如何将它们转换为棱镜中央/棱镜元素可以使用的格式。
\r\n
\r\nI get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central\/Prism Element can use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
R.
好的,如果你谷歌Nutanix Prism Letsencrypt,那么我会在这里发布这篇文章。
要回答您的问题,不需要OpenSSL来转换证书。
什么是棘手的是让Nutanix带领链条.Pem,经过一些令人沮丧的尝试,我把它搞定了这样的工作:

ncli ssl-certions导入证书 - path = / full / path / to / cert.pem cacertificate-path = / full / path / to / mychain.pem key-path = / full / path / to / privkey.pem键类型=“RSA_2048”

mychain。我通过组合https://letsencrypt.orgorityx3.pem.txt与https://letsencrypt.org/certs/srgrootx1.pem.txt来组合https://letsencrypt.orgorityx3.pem.txt。
所以cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt> mychain.pem

希望这有助于某人,

reinder - tripsys - nl
\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","quoteUsername":"Reinder","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
omero.muscio.
UserLevel 1.
徽章 +2

正如使用Lets加密安装SSL-Cert的更新,我创建了Certbot Certonly选项的证书,并将所有文件复制到CVM。

当您已经完成了全链文件时,它不需要将链文件合并在一起。
在我的一边,它与我从Letsencrypt的Standart文件合作。

用于CARERTICETE-PATH全文.PEM-FILE!

就这样


迎接

Omero.

少咔哒声,更多火锅!
Just as a update for installing a SSL-Cert with Lets Encrypt, i\u2019ve created the Certs with the Certbot certonly option and copy all the files to a cvm.<\/p>

As you get already the full-Chain file, it\u2019s not required to merge the chain-files together.
On my side it worked with the standart-files i get from letsencrypt.<\/p>

Use for the cacertificate-path the fullchain.pem-file!<\/p>

Thats all<\/p>


Greets<\/p>

Omero<\/p>","quoteUsername":"omero.muscio","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

W.
UserLevel 2.
徽章 +5

我刚收到错误消息:

错误:写入数据的问题,类java.util.linkedlist,contentType:multipart / form-data

尝试使用NCLI SSL证书导入加载Certs时...

I just get an error message:<\/p>
Error: Problem with writing the data, class java.util.LinkedList, ContentType: multipart\/form-data<\/code><\/pre>
when trying to load the certs in with ncli ssl-certificate import ...<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W.
UserLevel 2.
徽章 +5

在数据/日志/ prism_gateway.log中存在此错误

INFO 2020-10-21 23:47:42,326z http-nio-0.0.0.0-9081-ex-2 [] commands.keys.addpemkey.checkcertpurpose:'ssl server'的目的值是'是'。
错误2020-10-21 23:47:42,356z http-nio-0.0.0.0-9081-ex-2 [] prism.aop.requestinterceptor.invoke:235从keyAdministration.importfiles投掷异常
com.nutanix.prism.exception.keys.key.keyAdministrationException:com.nutanix.util.base.validationException:导入文件验证失败。请上传有效的CA证书/链文件并选择相关的关键类型。
在com.nutanix.prism.services.keys.keyadministrationimpl.importfiles(keyadministrationimpl.java:111)

但这与RSA_2048密钥类型选择以及有效的RSA 2048证书和CA链。

And this error in the data\/logs\/prism_gateway.log\u00a0<\/p>
INFO  2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 [] commands.keys.AddPemKey.checkCertPurpose:549 Purpose value for 'SSL server' is 'Yes'.
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 [] prism.aop.RequestInterceptor.invoke:235 Throwing exception from KeyAdministration.importFiles
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException: Import Files verification failed. Please upload a valid CA certificate\/chain file and select relevant key type.
        at com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles(KeyAdministrationImpl.java:111)<\/code><\/pre>
but that is with the RSA_2048 key type selected and a valid RSA 2048 certificate and CA chain.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W.
UserLevel 2.
徽章 +5

测试帖子

Test post<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W.
UserLevel 2.
徽章 +5

好的,我至少部分解决了这一点。

我使用https://github.com/srvrco/getssl项目来生成证书,它正在创建一个'fullchain.crt'文件,该文件仅包括服务器证书和中间CA Cert,但不是根CA Cert。Reinder的答案也使用了iSGrootX1.PEM文件,而我的中间CA是用不同的证书签名。

我还没有设法用NCLI取代证书。

\u200bOk I solved this, at least partially.<\/p>

I was using the\u00a0https:\/\/github.com\/srvrco\/getssl\u00a0project for generating the certs and it was creating a \u2018fullchain.crt\u2019 file which included only the server cert and intermediate CA cert, but not the root CA cert. Also Reinder\u2019s answer used the isgrootx1.pem file whereas my intermediate CA was signed with a different cert.<\/p>

I have not managed to replace the certs with\u00a0ncli yet.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

W.
UserLevel 2.
徽章 +5

NCLI似乎在CE.2020.09.16版本中断,我一直拿到错误多于

但是,使用未记录的V1 API调用棱镜使用,我已经能够使用卷曲安装证书如下

$ curl -User'admin:password'\
-f cachain=@fullchain.crt \
-f cert=@server.crt \
-f key =@server.key \
-f keytype = rsa_2048 \
-k https://127.0.0.1:9440/prismgateway/services/rest/v1/keys/pem/import.

HullChain.crt在PEM格式中包含中间和根CA证书。

Jonathant2.
徽章 +1

你有没有比这更好的方式,让Letsencrypt设法使用上面的卷曲以及它安装的同样的问题,然而看似看似“发表”

Did you ever get further than this, having the same issue with LetsEncrypt managed to use your curl above, and its installed, however seemingly not \u201cpublished\u201d<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Jonathant2.
徽章 +1

顶级提示...重新引导CVM(我的情况下单个节点)......完成工作!!

Top tip... Reboot the cvm (single node in my case)... Job done !!<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Baidu