Https hashicorp保险库:“保险库”;初始化tcp类型的侦听器时出错:加载TLS证书时出错;我的错在哪里?
我尝试在虚拟机ubuntu 20.04(ip:192.168.56.9)上使用docker compose运行Vault。如果没有https,它已经可以正常工作了,但是当我尝试使用openssl的自签名证书将vault放入https时,它就不起作用了 以下是我的配置: docker compose.yml:Https hashicorp保险库:“保险库”;初始化tcp类型的侦听器时出错:加载TLS证书时出错;我的错在哪里?,https,docker-compose,openssl,hashicorp-vault,vault,Https,Docker Compose,Openssl,Hashicorp Vault,Vault,我尝试在虚拟机ubuntu 20.04(ip:192.168.56.9)上使用docker compose运行Vault。如果没有https,它已经可以正常工作了,但是当我尝试使用openssl的自签名证书将vault放入https时,它就不起作用了 以下是我的配置: docker compose.yml: version: '3.6' services: vault: build: context: ./vault dockerfile: Dockerf
version: '3.6'
services:
vault:
build:
context: ./vault
dockerfile: Dockerfile
ports:
- 8200:8200
volumes:
- ./vault/config:/vault/config
- ./vault/policies:/vault/policies
- ./vault/data:/vault/data
- ./vault/logs:/vault/logs
- ./vault/volume_test/:/vault/volume_test
environment:
- VAULT_ADDR=http://192.168.56.9:8200
command: server -config=/vault/config/vault-config.conf
cap_add:
- IPC_LOCK
# base image
FROM alpine:3.7
# set vault version
ENV VAULT_VERSION 0.10.3
# create a new directory
RUN mkdir /vault
# download dependencies
RUN apk --no-cache add \
bash \
ca-certificates \
wget
# download and set up vault
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
unzip /tmp/vault.zip -d /vault && \
rm -f /tmp/vault.zip && \
chmod +x /vault
# update PATH
ENV PATH="PATH=$PATH:$PWD/vault"
# add the config file
COPY ./config/vault-config.conf /vault/config/vault-config.conf
# expose port 8200
EXPOSE 8200
# run vault
ENTRYPOINT ["vault"]
backend "file" {
path = "vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
tls_key_file = "/home/xxx/Vault-Docker/domain.key"
}
#api_addr = "http://192.168.56.9:8200"
disable_mlock = true
ui = true
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.56.9
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.56.9
Dockerfile:
version: '3.6'
services:
vault:
build:
context: ./vault
dockerfile: Dockerfile
ports:
- 8200:8200
volumes:
- ./vault/config:/vault/config
- ./vault/policies:/vault/policies
- ./vault/data:/vault/data
- ./vault/logs:/vault/logs
- ./vault/volume_test/:/vault/volume_test
environment:
- VAULT_ADDR=http://192.168.56.9:8200
command: server -config=/vault/config/vault-config.conf
cap_add:
- IPC_LOCK
# base image
FROM alpine:3.7
# set vault version
ENV VAULT_VERSION 0.10.3
# create a new directory
RUN mkdir /vault
# download dependencies
RUN apk --no-cache add \
bash \
ca-certificates \
wget
# download and set up vault
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
unzip /tmp/vault.zip -d /vault && \
rm -f /tmp/vault.zip && \
chmod +x /vault
# update PATH
ENV PATH="PATH=$PATH:$PWD/vault"
# add the config file
COPY ./config/vault-config.conf /vault/config/vault-config.conf
# expose port 8200
EXPOSE 8200
# run vault
ENTRYPOINT ["vault"]
backend "file" {
path = "vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
tls_key_file = "/home/xxx/Vault-Docker/domain.key"
}
#api_addr = "http://192.168.56.9:8200"
disable_mlock = true
ui = true
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.56.9
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.56.9
Myvault config.conf:
version: '3.6'
services:
vault:
build:
context: ./vault
dockerfile: Dockerfile
ports:
- 8200:8200
volumes:
- ./vault/config:/vault/config
- ./vault/policies:/vault/policies
- ./vault/data:/vault/data
- ./vault/logs:/vault/logs
- ./vault/volume_test/:/vault/volume_test
environment:
- VAULT_ADDR=http://192.168.56.9:8200
command: server -config=/vault/config/vault-config.conf
cap_add:
- IPC_LOCK
# base image
FROM alpine:3.7
# set vault version
ENV VAULT_VERSION 0.10.3
# create a new directory
RUN mkdir /vault
# download dependencies
RUN apk --no-cache add \
bash \
ca-certificates \
wget
# download and set up vault
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
unzip /tmp/vault.zip -d /vault && \
rm -f /tmp/vault.zip && \
chmod +x /vault
# update PATH
ENV PATH="PATH=$PATH:$PWD/vault"
# add the config file
COPY ./config/vault-config.conf /vault/config/vault-config.conf
# expose port 8200
EXPOSE 8200
# run vault
ENTRYPOINT ["vault"]
backend "file" {
path = "vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
tls_key_file = "/home/xxx/Vault-Docker/domain.key"
}
#api_addr = "http://192.168.56.9:8200"
disable_mlock = true
ui = true
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.56.9
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.56.9
如何创建我的.crt和.key:
version: '3.6'
services:
vault:
build:
context: ./vault
dockerfile: Dockerfile
ports:
- 8200:8200
volumes:
- ./vault/config:/vault/config
- ./vault/policies:/vault/policies
- ./vault/data:/vault/data
- ./vault/logs:/vault/logs
- ./vault/volume_test/:/vault/volume_test
environment:
- VAULT_ADDR=http://192.168.56.9:8200
command: server -config=/vault/config/vault-config.conf
cap_add:
- IPC_LOCK
# base image
FROM alpine:3.7
# set vault version
ENV VAULT_VERSION 0.10.3
# create a new directory
RUN mkdir /vault
# download dependencies
RUN apk --no-cache add \
bash \
ca-certificates \
wget
# download and set up vault
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
unzip /tmp/vault.zip -d /vault && \
rm -f /tmp/vault.zip && \
chmod +x /vault
# update PATH
ENV PATH="PATH=$PATH:$PWD/vault"
# add the config file
COPY ./config/vault-config.conf /vault/config/vault-config.conf
# expose port 8200
EXPOSE 8200
# run vault
ENTRYPOINT ["vault"]
backend "file" {
path = "vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
tls_key_file = "/home/xxx/Vault-Docker/domain.key"
}
#api_addr = "http://192.168.56.9:8200"
disable_mlock = true
ui = true
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.56.9
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.56.9
在/home/xxx/Vault Docker/中创建cert.conf文件:
version: '3.6'
services:
vault:
build:
context: ./vault
dockerfile: Dockerfile
ports:
- 8200:8200
volumes:
- ./vault/config:/vault/config
- ./vault/policies:/vault/policies
- ./vault/data:/vault/data
- ./vault/logs:/vault/logs
- ./vault/volume_test/:/vault/volume_test
environment:
- VAULT_ADDR=http://192.168.56.9:8200
command: server -config=/vault/config/vault-config.conf
cap_add:
- IPC_LOCK
# base image
FROM alpine:3.7
# set vault version
ENV VAULT_VERSION 0.10.3
# create a new directory
RUN mkdir /vault
# download dependencies
RUN apk --no-cache add \
bash \
ca-certificates \
wget
# download and set up vault
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
unzip /tmp/vault.zip -d /vault && \
rm -f /tmp/vault.zip && \
chmod +x /vault
# update PATH
ENV PATH="PATH=$PATH:$PWD/vault"
# add the config file
COPY ./config/vault-config.conf /vault/config/vault-config.conf
# expose port 8200
EXPOSE 8200
# run vault
ENTRYPOINT ["vault"]
backend "file" {
path = "vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
tls_key_file = "/home/xxx/Vault-Docker/domain.key"
}
#api_addr = "http://192.168.56.9:8200"
disable_mlock = true
ui = true
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.56.9
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.56.9
并在/home/xxx/Vault Docker/中执行:
openssl req -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config cert.conf
但当我跑步时:
docker-compose up -d --build
然后:
docker logs vault-docker_vault_1
输出为:
Error initializing listener of type tcp: error loading TLS cert: open /home/xxx/Vault-Docker/domain.crt: no such file or directory
有人告诉我哪里是我的错误
非常感谢 这是因为您的证书配置没有安装在容器中。要修复它,您需要:
/vault/cert
domain.crt
和domain.key
移动到/vault/cert
tls\u cert.*
指令上,将vault config.conf
从/home/../domain*
更改为/vault/cert/domain*
然后Vault将能够找到证书