I'm trying to set up etcd on my CoreOS cluster with TLS... and having a hell of a time.
I've gone through various guides and generated both client and peer certificates and keys.
etcd doesn't start, and in journalctl I get the following (IP addresses and token obfuscated):
Dec 16 00:05:12 coreos-123.123.123.123 systemd[1]: Starting etcd2...
-- Subject: Unit etcd2.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit etcd2.service has begun starting up.
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_ADVERTISE_CLIENT_URLS=http://123.123.123.123:2379
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_CERT_FILE=/etc/ssl/etcd/etcd-client123.123.123.123.cert.pem
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_CLIENT_CERT_AUTH=true
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_DATA_DIR=/var/lib/etcd2
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_DISCOVERY=https://discovery.etcd.io/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_INITIAL_ADVERTISE_PEER_URLS=http://123.123.123.123:2380
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_KEY_FILE=/etc/ssl/etcd/private/etcd-client123.123.123.123.key.pem
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://0.0.0.0:4001
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_LISTEN_PEER_URLS=http://123.123.123.123:2380,http://123.123.123.123:7001
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_NAME=yyyyyyyyyyyyyyyyyyyyyyyyyy
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_PEER_CERT_FILE=/etc/ssl/etcd/etcd-peer123.123.123.123.cert.pem
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_PEER_CLIENT_CERT_AUTH=true
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_PEER_KEY_FILE=/etc/ssl/etcd/private/etcd-peer123.123.123.123.key.pem
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/ca-chain.cert.pem
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: recognized and used environment variable ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/ca-chain.cert.pem
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: etcd Version: 2.2.0
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: Git SHA: e4561dd
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: Go Version: go1.4.2
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: Go OS/Arch: linux/amd64
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: setting maximum number of CPUs to 1, total number of available CPUs is 4
Dec 16 00:05:12 coreos-123.123.123.123 etcd2[822]: the server is already initialized as member before, starting as etcd member...
Dec 16 00:05:12 coreos-123.123.123.123 systemd[1]: etcd2.service: Main process exited, code=exited, status=1/FAILURE
Dec 16 00:05:12 coreos-123.123.123.123 systemd[1]: Failed to start etcd2.
-- Subject: Unit etcd2.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit etcd2.service has failed.
--
-- The result is failed.
Dec 16 00:05:12 coreos-123.123.123.123 systemd[1]: etcd2.service: Unit entered failed state.
Dec 16 00:05:12 coreos-123.123.123.123 systemd[1]: etcd2.service: Failed with result 'exit-code'.
I have the certificates and keys in the right folders. I'm pretty sure the permissions are fine. The certificates have extensions for clientAuth, serverAuth (for the peer certificate) and clientAuth (for the client), as well as a SAN with the node's IP address.
Client certificate data:
    Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Client, S/MIME
        Netscape Comment:
            OpenSSL Generated Client Certificate
        X509v3 Subject Key Identifier:
        X509v3 Authority Key Identifier:
            keyid:
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, E-mail Protection
        X509v3 Subject Alternative Name:
            IP Address:127.0.0.1, IP Address:123.123.123.123
Peer certificate data:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        Netscape Comment:
            OpenSSL Generated Server Certificate
        X509v3 Subject Key Identifier:
        X509v3 Authority Key Identifier:
            keyid:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Alternative Name:
            IP Address:127.0.0.1, IP Address:123.123.123.123
What else am I missing here? There's nothing in this log that could explain the failure.
My goal is to have TLS authentication for both clients and peers, like in a public cloud. PS: without TLS everything worked fine. I only added the certificates and the 8 TLS flags:
# client flags
trusted-ca-file: /etc/ssl/certs/ca-chain.cert.pem
cert-file: /etc/ssl/etcd/etcd-client$public_ipv4.cert.pem
key-file: /etc/ssl/etcd/private/etcd-client$public_ipv4.key.pem
client-cert-auth: true
# peer flags
peer-trusted-ca-file: /etc/ssl/certs/ca-chain.cert.pem
peer-cert-file: /etc/ssl/etcd/etcd-peer$public_ipv4.cert.pem
peer-key-file: /etc/ssl/etcd/private/etcd-peer$public_ipv4.key.pem
peer-client-cert-auth: true
The $public_ipv4 tag is obviously being substituted correctly, since the IP address shows up in the logs.
I just can't tell what the problem is, since the logs don't say much.
Any ideas to point me in the right direction?
Thanks
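A consistency check over the settings that etcd2 echoes to the journal, added here as an example and not part of the question or of etcd itself: it parses the "recognized and used environment variable" lines from constructed sample journal text and reports client/peer URLs still declared with http:// while a cert file is configured, and client-cert auth switched on without a trusted CA file to verify against. The sample journal lines and the rule that TLS-enabled endpoints are declared with https:// are the example's own assumptions.

```python
# Added example (not the poster's config): lint ETCD_* settings echoed to the journal; sample text is constructed.
import re
from urllib.parse import urlsplit

ENV_RE = re.compile(r"recognized and used environment variable (ETCD_[A-Z_]+)=(.*)$")
SAMPLE_JOURNAL = """\
Dec 16 00:05:12 host etcd2[822]: recognized and used environment variable ETCD_ADVERTISE_CLIENT_URLS=http://203.0.113.10:2379
Dec 16 00:05:12 host etcd2[822]: recognized and used environment variable ETCD_CERT_FILE=/etc/ssl/etcd/client.cert.pem
Dec 16 00:05:12 host etcd2[822]: recognized and used environment variable ETCD_CLIENT_CERT_AUTH=true
Dec 16 00:05:12 host etcd2[822]: recognized and used environment variable ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://0.0.0.0:4001
Dec 16 00:05:12 host etcd2[822]: recognized and used environment variable ETCD_PEER_CERT_FILE=/etc/ssl/etcd/peer.cert.pem
Dec 16 00:05:12 host etcd2[822]: recognized and used environment variable ETCD_LISTEN_PEER_URLS=https://203.0.113.10:2380
Dec 16 00:05:12 host etcd2[822]: recognized and used environment variable ETCD_INITIAL_ADVERTISE_PEER_URLS=http://203.0.113.10:2380
"""

# Once a cert file is set for a listener group, every URL in that group must be https.
TLS_GROUPS = {
    "ETCD_CERT_FILE": ("ETCD_LISTEN_CLIENT_URLS", "ETCD_ADVERTISE_CLIENT_URLS"),
    "ETCD_PEER_CERT_FILE": ("ETCD_LISTEN_PEER_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS"),
}
# Requiring client certificates without a CA to verify them against is a misconfiguration.
AUTH_NEEDS_CA = {
    "ETCD_CLIENT_CERT_AUTH": "ETCD_TRUSTED_CA_FILE",
    "ETCD_PEER_CLIENT_CERT_AUTH": "ETCD_PEER_TRUSTED_CA_FILE",
}

def parse_env(journal: str) -> dict:
    """Collect the ETCD_* variables etcd2 reports as 'recognized and used'."""
    env = {}
    for line in journal.splitlines():
        m = ENV_RE.search(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env

def find_scheme_mismatches(env: dict) -> list:
    """(variable, url) pairs whose scheme is not https although TLS is configured."""
    findings = []
    for cert_var, url_vars in TLS_GROUPS.items():
        if not env.get(cert_var):
            continue
        for var in url_vars:
            for url in filter(None, env.get(var, "").split(",")):
                if urlsplit(url).scheme != "https":
                    findings.append((var, url))
    return findings

def find_auth_without_ca(env: dict) -> list:
    """Auth switches set to true whose trusted-CA counterpart is absent."""
    return [auth for auth, ca in AUTH_NEEDS_CA.items()
            if env.get(auth) == "true" and not env.get(ca)]
```

Running it on real output is `journalctl -u etcd2 | python3 lint.py` with the sample replaced by `sys.stdin.read()`; an empty result from both functions means the URL schemes and CA settings are at least mutually consistent.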