解决了

使用Lets加密证书有关Prism Central&Prism Element

三位一胆碱
徽章
我希望用Lets加密通配符证书来替换我的Prism Central和Prism Element部署的SSL证书。

我可以很容易地要求通配符证书

sudo certbot -d example.com -d *.example.com -manual -preferred-challenges dns-01 -server https://acme-v02.api.letsencencrypt.org/directory certonlyly

我得到了生成的三个文件:
privkey = /etc/letsencrypt/live/example.com/privkey.pem
链= /etc/letsencrypt/live/example.com/chain.pem
FullChain = /etc/letsencrypt/live/example.com/fullchain.pem

谁能建议我可以使用哪些OpenSSL命令将这些.pem文件转换为Prism Central/Prism元素所需的格式?我尝试从https://www.sslsupportdesk.com/openssl-commands/尝试多个命令,但我似乎找不到确切的一个。

如果我需要其他证书,我还可以从这里获得中间/根证书。
https://letsencrypt.org/certificates/

我也希望最终找到一种脚本脚本的方法,因此,如果有人知道如何通过CLI替换Prism Central/Prism Element中的证书,我也很感激。不过,最初,我很高兴能找到正确的证书格式。
图标

最好的答案雷德2018年11月30日,15:28

\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","className":"post__content__best_answer"}">
查看原件
\r\n
\r\nI can request the wildcard certificates easily enough
\r\n
\r\nsudo certbot -d example.com -d *.example.com --manual --preferred-challenges dns-01 --server https:\/\/acme-v02.api.letsencrypt.org\/directory certonly
\r\n
\r\nI get generated three files:
\r\nprivkey = \/etc\/letsencrypt\/live\/example.com\/privkey.pem
\r\nchain = \/etc\/letsencrypt\/live\/example.com\/chain.pem
\r\nfullchain = \/etc\/letsencrypt\/live\/example.com\/fullchain.pem
\r\n
\r\nCan anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central\/Prism Element? I have attempted multiple commands from https:\/\/www.sslsupportdesk.com\/openssl-commands\/ but I can't seem to find the exact one.
\r\n
\r\nI can also grab the intermediate\/root certificates from here if I need additional certs.
\r\nhttps:\/\/letsencrypt.org\/certificates\/
\r\n
\r\nI'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central\/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
该主题已关闭以供评论

11个答复

l
你好,

最好使用OpenSSL创建CSR和密钥文件。将企业社会责任带到您的证书授权书并签名。您可以从中得到PEM。取PEM文件,密钥文件和root/ca捆绑包,然后将其上传到您的棱镜控制台。

确保也使用SAN或浏览器会抱怨。
\r\n
\r\nBetter to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root\/ca bundle and upload it to your prism console.
\r\n
\r\nMake sure to use SAN as well or browsers will complain.","quoteUsername":"lapfcukle","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
三位一胆碱
徽章
我感谢@lapfcukle的回应,但这意味着我需要去CA购买证书。使用LetSencrypt使我获得免费的有效证书。

我从Letsencrypt获得有效的证书,我只需要知道如何将它们转换为Prism/Prism元素可以使用的格式。
\r\n
\r\nI get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central\/Prism Element can use.","quoteUsername":"trinitrotoluene","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
r
好的,我会在这里发布此信息,因为如果您Google nutanix Prism letsencrypt,这是顶级帖子。
要回答您的问题,不需要OPENSL即可转换证书。
棘手的是让Nutanix乘坐链条。PEM,经过一些令人沮丧的尝试,我让它像这样工作了:

ncli ssl-certificate进口证书path =/fult/path/to/cert.pem cacertificate-path =/full/path/to/myChain.pem key-path =/full/path/to/priveke.pem键键type=“ RSA_2048”

我通过将https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt与https://letsencrypt.org/certs/isrgrootx1.pem.pem.pem.txt结合在一起而创建的mychain.pem。
因此,cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt> myChain.pem

希望这对某人有帮助

Reinder -Triopsys -NL
\r\nTo answer your question, openssl is not needed to convert the certificates.
\r\nWhat is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
\r\n
\r\n ncli ssl-certificate import certificate-path=\/full\/path\/to\/cert.pem cacertificate-path=\/full\/path\/to\/mychain.pem key-path=\/full\/path\/to\/privkey.pem key-type=\"RSA_2048\"
\r\n
\r\nWhere mychain.pem I created by combining https:\/\/letsencrypt.org\/certs\/letsencryptauthorityx3.pem.txt with https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem.txt
\r\nSo cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
\r\n
\r\nHope this helps someone,
\r\n
\r\nReinder - TriOpSys - NL","quoteUsername":"Reinder","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Omero.Muscio
Userlevel 1
徽章 +2

就像使用Lets Encrypt安装SSL-CERT的更新一样,我已经创建了使用Certbot Certonly选项的证书,并将所有文件复制到CVM。

当您已经获得全链文件时,不需要将链文件合并在一起。
在我这一边,它与我从letsencrypt获得的Standart-Files一起使用。

用于fullChain.pem-file!

就这样


问候

Omero

更少的点击,更多的火锅!
Just as a update for installing a SSL-Cert with Lets Encrypt, i\u2019ve created the Certs with the Certbot certonly option and copy all the files to a cvm.<\/p>

As you get already the full-Chain file, it\u2019s not required to merge the chain-files together.
On my side it worked with the standart-files i get from letsencrypt.<\/p>

Use for the cacertificate-path the fullchain.pem-file!<\/p>

Thats all<\/p>


Greets<\/p>

Omero<\/p>","quoteUsername":"omero.muscio","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

w
UserLevel 2
徽章 +5

我只收到一条错误消息:

错误:编写数据的问题,类Java.util.linkedlist,ContentType:Multipart/form-data

试图加载证书使用NCLI SSL-Certificate Import ...

I just get an error message:<\/p>
Error: Problem with writing the data, class java.util.LinkedList, ContentType: multipart\/form-data<\/code><\/pre>
when trying to load the certs in with ncli ssl-certificate import ...<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
w
UserLevel 2
徽章 +5

以及数据/logs/prism_gateway.log中的此错误

信息2020-10-21 23:47:42,326Z http-nio-0.0.0.0.0.0.0.0.0.0.0.0-9081-exec-2 [] commands.keys.addpemkey.checkcertpuropose:549'ssl Server的目的值'是'yes'yes'。
错误2020-10-21 23:47:42,356Z http-nio-0.0.0.0.0.0.0.0.0.0-9081-exec-2 [] prism.aop.requestinterceptor.invoke:235从keyadministration.importfiles中投掷例外
com.nutanix.prism.exception.keys.KeyAdministrationException:com.nutanix.util.base.base.validationexception:导入文件验证失败。请上传有效的CA证书/链文件,然后选择相关的密钥类型。
在com.nutanix.prism.services.keys.keyadministrationimpl.importfiles(KeyAdministrationImpl.java:111)

但这就是选择的RSA_2048键类型以及有效的RSA 2048证书和CA链。

And this error in the data\/logs\/prism_gateway.log\u00a0<\/p>
INFO  2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 [] commands.keys.AddPemKey.checkCertPurpose:549 Purpose value for 'SSL server' is 'Yes'.
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 [] prism.aop.RequestInterceptor.invoke:235 Throwing exception from KeyAdministration.importFiles
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException: Import Files verification failed. Please upload a valid CA certificate\/chain file and select relevant key type.
        at com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles(KeyAdministrationImpl.java:111)<\/code><\/pre>
but that is with the RSA_2048 key type selected and a valid RSA 2048 certificate and CA chain.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
w
UserLevel 2
徽章 +5

测试职位

Test post<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
w
UserLevel 2
徽章 +5

好的,我至少部分解决了这个问题。

我正在使用https://github.com/srvrco/getssl project生成证书,并且正在创建一个“ fullChain.crt”文件,该文件仅包括服务器证书和中间CA CERT,但不包括Root Ca Cert。另外,Reinder的答案使用了ISGROOTX1.PEM文件,而我的中级CA则以不同的证书签名。

我尚未设法用NCLI替换证书。

\u200bOk I solved this, at least partially.<\/p>

I was using the\u00a0https:\/\/github.com\/srvrco\/getssl\u00a0project for generating the certs and it was creating a \u2018fullchain.crt\u2019 file which included only the server cert and intermediate CA cert, but not the root CA cert. Also Reinder\u2019s answer used the isgrootx1.pem file whereas my intermediate CA was signed with a different cert.<\/p>

I have not managed to replace the certs with\u00a0ncli yet.<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

w
UserLevel 2
徽章 +5

NCLI在CE.2020.09.16版本中似乎破坏了,我一直在遇到错误以上

但是,使用Prism使用的无证件的V1 API调用,我能够使用卷发安装证书如下

$ curl  - 用户'管理员:密码'\
-f cachain=@fullchain.crt \
-f cert =@server.crt \
-f key=@server.key \
-f keytype = rsa_2048 \
-k https://127.0.0.1:9440/prismgateway/services/rest/v1/keys/pem/import

其中fullchain.crt以PEM格式包含中间CA证书和根CA证书。

Jonathant2
徽章 +1

您是否远远超过了这一点,Letsencrypt设法使用了您的卷发,并安装了它,但似乎并未“发布”

Did you ever get further than this, having the same issue with LetsEncrypt managed to use your curl above, and its installed, however seemingly not \u201cpublished\u201d<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Jonathant2
徽章 +1

最重要的提示...重新启动CVM(在我的情况下,单个节点)...工作完成!

Top tip... Reboot the cvm (single node in my case)... Job done !!<\/p>","quoteUsername":"Jonathant2","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Baidu