SFB 项目经验
241-HaproxyKA01、242-HaproxyKA02
同样配置。
// 0. 删除文件
http://i2.运维网.com/images/blog/201803/02/fd7ab12902aea3ace30b4f2c2b193a7c.jpg
//删除旧证书:
ll certificates/
rm -f certificates/*.* //删除所有
ll certificates/
http://i2.运维网.com/images/blog/201803/02/c88ec98a3ca2680f96066a6e8bd2379c.jpg
//删除证书
ll /etc/ssl/certs/
rm -f /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem //删除此文件
ll /etc/ssl/certs/
http://i2.运维网.com/images/blog/201803/02/5cf26f8fb20664175629ba0e0fac95c8.jpg
// 1.下载 CA 证书(根证书)
http://i2.运维网.com/images/blog/201803/02/faece84ed05a7027374bc064f59eebc7.jpg
http://i2.运维网.com/images/blog/201803/02/7173bb228a6a8ec8cbfcfcbff4db278c.png
http://i2.运维网.com/images/blog/201803/02/3cba1f29a3f59c6bcecfbfaa411aced2.png
http://i2.运维网.com/images/blog/201803/02/2acd2f5e8892fee23639d2512bb0c6a6.jpg
http://i2.运维网.com/images/blog/201803/02/fdcdf426b8896e4939e16c84d9ae87e5.jpg
http://i2.运维网.com/images/blog/201803/02/a1dffd9f837f67ae8d4d825a681585ca.png
http://i2.运维网.com/images/blog/201803/02/f80141a5e05f65a6f8f63ec071dcc5cb.png
http://i2.运维网.com/images/blog/201803/02/bd5219818afc8dfcead64206cd97a85d.png
http://i2.运维网.com/images/blog/201803/02/154a9cd4da454a91c64cbb10b77b602f.png
http://i2.运维网.com/images/blog/201803/02/c9ab6618f00f1ec9510063450896ff1a.png
http://i2.运维网.com/images/blog/201803/02/6f494a465d021dde2ea8f3911b5e6d00.jpg
root_i-x-Cloud.cer
上传到 /root/
ls *.cer -l
mv *.cer certificates/
cd certificates
ll
http://i2.运维网.com/images/blog/201803/02/08e01205008f8506287b09db2a4cfd07.jpg
# ll
total 1660
-rw-------. 1 root root 1030 Dec 13 2015 anaconda-ks.cfg
drwxr-xr-x 2 root root 6 Feb 24 17:18 certificates
drwxrwxr-x 9 root root 4096 Oct 6 2016 haproxy-1.5.4
-rw-r--r-- 1 root root 1336140 May 12 2016 haproxy-1.5.4.tar.gz
drwxr-xr-x 7 1000 1000 4096 Oct 7 2016 keepalived-1.2.13
-rw-r--r-- 1 root root 341956 May 13 2014 keepalived-1.2.13.tar.gz
-rw-r--r-- 1 root root 1174 Feb 24 16:02 root_i_x_Cloud.cer
# mv *.cer certificates/
# cd certificates/
# ll
total 4
-rw-r--r-- 1 root root 1174 Feb 24 16:02 root_i_x_Cloud.cer
http://i2.运维网.com/images/blog/201803/02/71b8c2dfb11b5e5517f20c6b1ff21bf1.jpg
// 2. 将cer转为pem (根证书)
openssl x509 -in root_i-x-Cloud.cer -inform der -outform pem -out root_i-x-Cloud.pem
ll
# openssl x509 -in root_i-x-Cloud.cer -inform der -outform pem -out root_i-x-Cloud.pem
# ll
total 8
-rw-r--r-- 1 root root 1174 Feb 24 16:02 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1647 Feb 24 17:21 root_i-x-Cloud.pem
#
http://i2.运维网.com/images/blog/201803/02/eaeca672ee8a7cbf458019e7a2bdb217.jpg
// 3. 重新生成hash
# c_rehash .
Doing .
root_i-x-Cloud.pem => 2e5ac55d.0
# ll
total 8
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
# ll /etc/pki/tls/certs/
total 12
lrwxrwxrwx 1 root root 49 May 10 2016 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root 55 May 10 2016 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x 1 root root 610 May 9 2016 make-dummy-cert
-rw-r--r-- 1 root root 2388 May 9 2016 Makefile
-rwxr-xr-x 1 root root 829 May 9 2016 renew-dummy-cert
#
http://i2.运维网.com/images/blog/201803/02/b76c7fa1a39a3cf88c075ccec7824d92.jpg
// 4. 导出证书(设置密码:Aa123456)//密码不能为1. 注:Aa123456 仅为示例,实际导出 pfx 时应使用强密码,并避免把密码写入文档。
i-x-Cloud.com.pfx
上传证书:/root/certificates/
http://i2.运维网.com/images/blog/201803/02/c3fad0d9ef9aaf8d0682511bf0d4f8f4.jpg
http://i2.运维网.com/images/blog/201803/02/33124cb66500d56f3c3ba2506ebd8ae0.jpg
# ll
total 12
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 3869 Feb 28 22:33 i-x-Cloud.com.pfx
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
#
http://i2.运维网.com/images/blog/201803/02/8f85a462106f43bbde74eda8a8b2f123.png
// 5. 将pfx转为pem
openssl pkcs12 -in i-x-Cloud.com.pfx -nocerts -out exchange_private_key_passwordprotected.pem
Aa123456
# ll
total 12
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 3869 Feb 28 22:33 i-x-Cloud.com.pfx
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
# openssl pkcs12 -in i-x-Cloud.com.pfx -nocerts -out exchange_private_key_passwordprotected.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# ll
total 16
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 2088 Mar 1 20:34 exchange_private_key_passwordprotected.pem
-rw-r--r-- 1 root root 3913 Mar 1 20:33 i-x-Cloud.com.pfx
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
#
http://i2.运维网.com/images/blog/201803/02/1d3ef3273eb6801514893fb6344886d9.jpg
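// 6. 移除密码保护(输出的 exchange_private_key_nopassword.pem 为未加密私钥;下方列表中其权限为 -rw-r--r--,任何本地用户可读,建议生成后执行 chmod 600 收紧权限)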
openssl rsa -in exchange_private_key_passwordprotected.pem -out exchange_private_key_nopassword.pem
# openssl rsa -in exchange_private_key_passwordprotected.pem -out exchange_private_key_nopassword.pem
Enter pass phrase for exchange_private_key_passwordprotected.pem:
writing RSA key
# ll
total 20
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 1679 Mar 1 20:36 exchange_private_key_nopassword.pem
-rw-r--r-- 1 root root 2088 Mar 1 20:34 exchange_private_key_passwordprotected.pem
-rw-r--r-- 1 root root 3913 Mar 1 20:33 i-x-Cloud.com.pfx
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
#
// 7. 从这个pfx文件中导出证书(不含私钥),需要输入导入密码。
openssl pkcs12 -in i-x-Cloud.com.pfx -clcerts -nokeys -out exchange_certificate.pem
ll
# openssl pkcs12 -in i-x-Cloud.com.pfx -clcerts -nokeys -out exchange_certificate.pem
Enter Import Password:
MAC verified OK
# ll
total 24
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 3040 Mar 1 20:38 exchange_certificate.pem
-rw-r--r-- 1 root root 1679 Mar 1 20:36 exchange_private_key_nopassword.pem
-rw-r--r-- 1 root root 2088 Mar 1 20:34 exchange_private_key_passwordprotected.pem
-rw-r--r-- 1 root root 3913 Mar 1 20:33 i-x-Cloud.com.pfx
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
#
http://i2.运维网.com/images/blog/201803/02/2728123775fb7bd4a81f13d57d1686f2.jpg
// 8. 将exchange_certificate.pem和exchange_private_key_nopassword.pem合并,生成exchange_certificate_and_key_nopassword.pem。
cat exchange_certificate.pem exchange_private_key_nopassword.pem > exchange_certificate_and_key_nopassword.pem
ll
# cat exchange_certificate.pem exchange_private_key_nopassword.pem > exchange_certificate_and_key_nopassword.pem
# ll
total 32
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 4719 Mar 1 20:40 exchange_certificate_and_key_nopassword.pem
-rw-r--r-- 1 root root 3040 Mar 1 20:38 exchange_certificate.pem
-rw-r--r-- 1 root root 1679 Mar 1 20:36 exchange_private_key_nopassword.pem
-rw-r--r-- 1 root root 2088 Mar 1 20:34 exchange_private_key_passwordprotected.pem
-rw-r--r-- 1 root root 3913 Mar 1 20:33 i-x-Cloud.com.pfx
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
#
http://i2.运维网.com/images/blog/201803/02/8eef5573c721eae9432d3fb02065c2b0.jpg
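// 9. 移动到 /etc/ssl/certs/ 文件夹中(该文件包含未加密私钥,下方列表中权限为 -rw-r--r--,建议 chmod 600;留在 certificates/ 目录中的私钥中间文件和 pfx 在不再需要时也应删除或收紧权限)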
ll /etc/ssl/certs/
rm -f /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem
mv exchange_certificate_and_key_nopassword.pem /etc/ssl/certs/
ll /etc/ssl/certs/
ll
# ll /etc/ssl/certs/
total 12
lrwxrwxrwx 1 root root 49 May 10 2016 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root 55 May 10 2016 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x 1 root root 610 May 9 2016 make-dummy-cert
-rw-r--r-- 1 root root 2388 May 9 2016 Makefile
-rwxr-xr-x 1 root root 829 May 9 2016 renew-dummy-cert
# mv exchange_certificate_and_key_nopassword.pem /etc/ssl/certs/
# ll /etc/ssl/certs/
total 20
lrwxrwxrwx 1 root root 49 May 10 2016 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root 55 May 10 2016 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r-- 1 root root 4719 Mar 1 20:40 exchange_certificate_and_key_nopassword.pem
-rwxr-xr-x 1 root root 610 May 9 2016 make-dummy-cert
-rw-r--r-- 1 root root 2388 May 9 2016 Makefile
-rwxr-xr-x 1 root root 829 May 9 2016 renew-dummy-cert
# ll
total 24
lrwxrwxrwx 1 root root 18 Mar 1 20:23 2e5ac55d.0 -> root_i-x-Cloud.pem
-rw-r--r-- 1 root root 3040 Mar 1 20:38 exchange_certificate.pem
-rw-r--r-- 1 root root 1679 Mar 1 20:36 exchange_private_key_nopassword.pem
-rw-r--r-- 1 root root 2088 Mar 1 20:34 exchange_private_key_passwordprotected.pem
-rw-r--r-- 1 root root 3913 Mar 1 20:33 i-x-Cloud.com.pfx
-rw-r--r-- 1 root root 846 Mar 1 12:48 root_i-x-Cloud.cer
-rw-r--r-- 1 root root 1200 Mar 1 20:19 root_i-x-Cloud.pem
#
http://i2.运维网.com/images/blog/201803/02/4140aee32d151c5f3bed6453e512e658.jpg
// 10. 测试
http://i2.运维网.com/images/blog/201803/02/b3de248888706927da18b949bffcdcb3.png
# ip a | grep "inet 10"
inet 10.1.1.241/24 brd 10.1.1.255 scope global eth0
inet 10.1.1.135/32 scope global eth0
inet 10.1.1.150/32 scope global eth0
inet 10.1.1.120/32 scope global eth0
#
http://i2.运维网.com/images/blog/201803/02/0edf3b178610e247c5705141e246b8ba.png
# ip a | grep "inet 10"
inet 10.1.1.242/24 brd 10.1.1.255 scope global eth0
#
http://i2.运维网.com/images/blog/201803/02/8c5a62a72ce09b5f43ee611bd0656116.png
# ip a | grep "inet 10"
inet 10.1.1.241/24 brd 10.1.1.255 scope global eth0
#
http://i2.运维网.com/images/blog/201803/02/3addf2216f05bd7011434847165627e7.png
# ip a | grep "inet 10"
inet 10.1.1.242/24 brd 10.1.1.255 scope global eth0
# ip a | grep "inet 10"
inet 10.1.1.242/24 brd 10.1.1.255 scope global eth0
inet 10.1.1.135/32 scope global eth0
inet 10.1.1.150/32 scope global eth0
inet 10.1.1.120/32 scope global eth0
#