--oidc-ca-file not recognizing a self signed certificate

I tried creating a certificate with the same extensions as your script:

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1682915408 (0x644f4050)

Signature Algorithm: sha256WithRSAEncryption

Issuer: CN=kube-ca

Validity

Not Before: Aug 16 08:08:14 2016 GMT

Not After : Nov 14 08:08:14 2016 GMT

Subject: CN=kube-ca

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (2048 bit)

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Key Usage:

Digital Signature, Non Repudiation, Key Encipherment

X509v3 Subject Alternative Name:

DNS:kcdev.tremolosecurity.com

X509v3 Subject Key Identifier:

1F:57:10:F5:2A:AC:C1:06:D8:29:D8:F4:E6:88:98:46:90:58:75:7E

Signature Algorithm: sha256WithRSAEncryption

Notice that the x509 extension attributes match what your script requests and creates. I get the same errors from kubernetes:

I0816 08:10:50.314118 1 genericapiserver.go:606] Will report 192.168.2.105 as public IP address.

E0816 08:10:50.376453 1 oidc.go:118] Failed to fetch provider config, trying again in 3s: Get https://kcdev.tremolosecurity.com:8443/auth/realms/kubernetes/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "kube-ca")

E0816 08:10:53.392945 1 oidc.go:118] Failed to fetch provider config, trying again in 3s: Get https://kcdev.tremolosecurity.com:8443/auth/realms/kubernetes/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "kube-ca")

E0816 08:10:56.409290 1 oidc.go:118] Failed to fetch provider config, trying again in 3s: Get https://kcdev.tremolosecurity.com:8443/auth/realms/kubernetes/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "kube-ca")

E0816 08:10:59.425534 1 oidc.go:118] Failed to fetch provider config, trying again in 3s: Get https://kcdev.tremolosecurity.com:8443/auth/realms/kubernetes/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "kube-ca")

E0816 08:11:02.441087 1 oidc.go:118] Failed to fetch provider config, trying again in 3s: Get https://kcdev.tremolosecurity.com:8443/auth/realms/kubernetes/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "kube-ca")

F0816 08:11:05.441355 1 server.go:206] Invalid Authentication Config: failed to fetch provider config after 5 retries

After looking more closely at the script you provided above, this script is NOT creating a self signed certificate. It's:

First generate a self signed CA certificate:

openssl genrsa -out ssl/ca-key.pem 2048

openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"

If you then inspect the CA certificate:

Marcs-MBP-2:ssl mlb$ openssl x509 -in ca.pem -text

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

8f:82:9a:25:95:4e:01:7e

Signature Algorithm: sha1WithRSAEncryption

Issuer: CN=kube-ca

Validity

Not Before: Aug 16 08:23:03 2016 GMT

Not After : Aug 26 08:23:03 2016 GMT

Subject: CN=kube-ca

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (2048 bit)

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

4B:C9:CF:F1:44:D6:9E:FB:C3:EC:98:0C:56:02:BF:B7:84:6D:8F:4C

X509v3 Authority Key Identifier:

keyid:4B:C9:CF:F1:44:D6:9E:FB:C3:EC:98:0C:56:02:BF:B7:84:6D:8F:4C

DirName:/CN=kube-ca

serial:8F:82:9A:25:95:4E:01:7E

X509v3 Basic Constraints:

CA:TRUE

Signature Algorithm: sha1WithRSAEncryption

Notice that the CA X509v3 basic constraint is set to true. Then it creates a new certificate with the same subject but a different SAN:

openssl genrsa -out ssl/key.pem 2048

openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf

Finally, the new cert is signed by the self signed CA:

openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 10 -extensions v3_req -extfile ssl/req.cnf

Here's the result:

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

df:a8:19:b8:05:67:86:65

Signature Algorithm: sha1WithRSAEncryption

Issuer: CN=kube-ca

Validity

Not Before: Aug 16 08:23:03 2016 GMT

Not After : Aug 26 08:23:03 2016 GMT

Subject: CN=kube-ca

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (2048 bit)

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Key Usage:

Digital Signature, Non Repudiation, Key Encipherment

X509v3 Subject Alternative Name:

DNS:dex.example.com

Signature Algorithm: sha1WithRSAEncryption

Notice that the certificates have different serial numbers. So, your example isn't a self signed certificate; it's a certificate signed by a self-signed CA. I'm no golang expert, but I have done TLS programming in Java, C#, C++, etc., so looking at the code in https://github.com/kubernetes/kubernetes/blob/f2ddd60eb9e7e9e29f7a105a9a8fa020042e8e52/plugin/pkg/client/auth/oidc/oidc.go I see lines 87-92:

    clientConfig := restclient.Config{
        TLSClientConfig: restclient.TLSClientConfig{
            CAFile: cfg[cfgCertificateAuthority],
            CAData: certAuthData,
        },
    }

However, after googling, it looks like this is incorrect. The examples I'm finding point to getting the list of root CAs and then adding the certificate to it. I've seen a few examples that look like this: https://stackoverflow.com/questions/38582937/how-to-create-a-tls-client-with-ca-certificates-in-go Granted, this is the same certificate pattern that your script uses (create a self signed CA, sign a cert, use the CA as the signed), but that pattern is how it's done in Java and C#, so it makes sense.
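
The difference between the two "kube-ca" trust anchors dumped above (Basic Constraints CA:FALSE versus CA:TRUE) can be reproduced with Go's crypto/x509. This is an added example, not part of the original comment and not Kubernetes code. It uses Ed25519 keys instead of RSA to stay short, and the leaf name oidc-provider and the function names issue and VerifyWithAnchor are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "kcdev.tremolosecurity.com" // SAN taken from the first dump above

// issue makes a key and certificate; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyWithAnchor signs a leaf with a self-signed "kube-ca" anchor (CA flag = isCA) and verifies it.
func VerifyWithAnchor(isCA bool) error {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	anchor, anchorKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), BasicConstraintsValid: true, IsCA: isCA,
		Subject: pkix.Name{CommonName: "kube-ca"}, NotBefore: nb, NotAfter: na}, nil, nil)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), BasicConstraintsValid: true, DNSNames: []string{host},
		Subject: pkix.Name{CommonName: "oidc-provider"}, NotBefore: nb, NotAfter: na}, anchor, anchorKey)
	roots := x509.NewCertPool() // stands in for the file passed as --oidc-ca-file
	roots.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	fmt.Println("CA:FALSE anchor:", VerifyWithAnchor(false), "| CA:TRUE anchor:", VerifyWithAnchor(true))
}
```

With the CA:FALSE anchor the returned error carries the same "parent certificate cannot sign this kind of certificate" hint that appears in the apiserver log above; with the CA:TRUE anchor verification returns nil.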
