当前位置：首页 > news >正文

企业网站优化官网微信公众号制作培训

news 2026/5/8 17:43:28

企业网站优化官网,微信公众号制作培训,近一周的新闻大事热点,上海城乡建设网站瀚高数据库目录环境文档用途详细信息环境系统平台#xff1a;Linux x86-64 Red Hat Enterprise Linux 7 版本#xff1a;14 文档用途本文主要介绍Patroni架构中如何开启etcd的ssl证书认证。详细信息一、前提说明 patroni版本#xff1a;3.0.2 etcd版本#x…瀚高数据库目录环境文档用途详细信息环境系统平台Linux x86-64 Red Hat Enterprise Linux 7 版本14 文档用途本文主要介绍Patroni架构中如何开启etcd的ssl证书认证。详细信息一、前提说明 patroni版本3.0.2 etcd版本3.5.7 数据库版本14.4 OS版本redhat7.7 二、自签名CA证书及私钥 1、私钥生成 [rootpatroni8 ssl]# openssl genrsa -out ca-key.pem 2048 Generating RSA private key, 2048 bit long modulus ..................................... ............................. e is 65537 (0x10001)2、自签名证书生成填写以下内容其余的回车跳过 Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SD Locality Name (eg, city) [Default City]:JN Common Name (eg, your name or your server’s hostname) []:etcd [rootpatroni8 ssl]# openssl req -new -x509 -key ca-key.pem -out ca.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SD Locality Name (eg, city) [Default City]:JN Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your servers hostname) []:etcd Email Address []: [rootpatroni8 ssl]# ls ca-key.pem ca.pem3、etcd私钥生成 [rootpatroni8 ssl]# openssl genrsa -out server-key.pem 2048 Generating RSA private key, 2048 bit long modulus ..... ............... e is 65537 (0x10001)4、编辑配置文件生成etcd证书 [rootpatroni8 ssl]# vi openssl.cnf [req] distinguished_name req_distinguished_name req_extensions v3_req prompt no [req_distinguished_name] C CN ST SD L JN CN etcd [v3_req] subjectAltName alt_names [alt_names] IP.1 192.168.11.16 IP.2 192.168.11.17 IP.3 192.168.11.185、生成etcd证书 [rootpatroni8 ssl]# openssl req -new -key server-key.pem -out server.csr -subj /CNetcd-server -config openssl.cnf [rootpatroni8 ssl]# ls ca-key.pem ca.pem openssl.cnf server.csr server-key.pem [rootpatroni8 ssl]# openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -days 365 -extensi ons v3_req -extfile openssl.cnf Signature ok subject/CCN/STSD/LJN/CNetcd Getting CA Private Key [rootpatroni8 ssl]# ls ca-key.pem ca.pem ca.srl openssl.cnf server.csr server-key.pem server.pem [rootpatroni8 ssl]# ls -lrth total 28K -rw-r--r--. 1 root root 1.7K May 15 11:20 ca-key.pem -rw-r--r--. 1 root root 1.3K May 15 11:28 ca.pem -rw-r--r--. 1 root root 1.7K May 15 11:29 server-key.pem -rw-r--r--. 1 root root 255 May 15 11:33 openssl.cnf -rw-r--r--. 1 root root 1001 May 15 11:33 server.csr -rw-r--r--. 1 root root 17 May 15 11:34 ca.srl -rw-r--r--. 1 root root 1.2K May 15 11:34 server.pem6、将私钥证书复制到其他节点 [rootpatroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root192.168.11.17:/opt/etcd/ssl [rootpatroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root192.168.11.16:/opt/etcd/ssl7、修改各节点etcd配置文件将http换为https 编辑/opt/etcd/etcd.yaml文件 debug: false name: etcd03 data-dir: /opt/etcd/data initial-advertise-peer-urls: https://192.168.11.18:2380 listen-peer-urls: https://192.168.11.18:2380 advertise-client-urls: https://192.168.11.18:2379 listen-client-urls: https://192.168.11.18:2379,https://127.0.0.1:2379 initial-cluster-token: etcd-cluster initial-cluster: etcd01https://192.168.11.16:2380,etcd02https://192.168.11.17:2380,etcd03https://192.168.11.18:2380 initial-cluster-state: newclient-transport-security:cert-file: /opt/etcd/ssl/server.pemkey-file: /opt/etcd/ssl/server-key.pemclient-cert-auth: truetrusted-ca-file: /opt/etcd/ssl/ca.pemauto_tls: truepeer-transport-security:cert-file: /opt/etcd/ssl/server.pemkey-file: /opt/etcd/ssl/server-key.pemclient-cert-auth: truetrusted-ca-file: /opt/etcd/ssl/ca.pemauto_tls: trueenable-v2: true8、各节点开启etcd并验证tls通信注意无法使用环境变量如果环境变量冲突注释掉对应的环境变量。 [rootpatroni8 ssl]# systemctl start etcd 验证etcd开启tls [rootpatroni6 etcd]# etcdctl --endpointshttps://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.18:2379 --cacert/opt/etcd/ssl/ca.pem --cert/opt/etcd/ssl/server.pem --key/opt/etcd/ssl/server-key.pem endpoint health https://192.168.11.18:2379 is healthy: successfully committed proposal: took 12.05254ms https://192.168.11.16:2379 is healthy: successfully committed proposal: took 12.007163ms https://192.168.11.17:2379 is healthy: successfully committed proposal: took 12.344144ms[rootpatroni6 patroni]# ETCDCTL_API2 etcdctl --endpointshttps://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.1 8:2379 --ca-file/opt/etcd/ssl/ca.pem --cert-file/opt/etcd/ssl/server.pem --key-file/opt/etcd/ssl/server-key.pem cluster-health member 421aadb231b71fa1 is healthy: got healthy result from https://192.168.11.17:2379 member 61a0b36ccbf8f9bf is healthy: got healthy result from https://192.168.11.18:2379 member 910f6ce438f0d4dd is healthy: got healthy result from https://192.168.11.16:2379 cluster is healthy三、patroni配置ssl 1、配置patroni文件中的etcd部分 etcd:#配置etcd所有节点的访问IP及端口hosts: 192.168.11.16:2379,192.168.11.17:2379,192.168.11.18:2379protocol: httpscert: /opt/etcd/ssl/server.pemkey: /opt/etcd/ssl/server-key.pemcacert: /opt/etcd/ssl/ca.pem # username: root # password: 1234562、启动patroni systemctl start patroni四、注意事项 1、如果报错是CA是自签名的不可信需要将证书添加到可信存储中每个节点都执行 cp ca.pem /etc/pki/ca-trust/source/anchors/update-ca-trust

查看全文

http://www.hkea.cn/news/14584498/