[go-zero series] gRPC SSL/TLS One-Way Authentication

💬

Life is always like this.

💻

Recently I have been looking at gRPC TLS authentication, and found that generating certificates for Go 1.16 is quite a bit more hassle than before. Certificate generation, for reference:

# generate the CA private key
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/tls
$ openssl genrsa -out ca.key 2048
# generate the CA certificate (public part)
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/tls
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GZ
Locality Name (eg, city) []:GZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ronething
Organizational Unit Name (eg, section) []:ronething
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
# use openssl to generate the CA and the SAN certificates for both sides
# ubuntu 16.04 -> /etc/ssl/openssl.cnf needs a few changes
# 1. under [ CA_default ], uncomment # copy_extensions = copy
# 2. under [ req ], uncomment # req_extensions = v3_req # The extensions to add to a certificate request
# under [ v3_req ], add subjectAltName = @alt_names
# add a new section [ alt_names ] with its fields
[ alt_names ]
DNS.1 = localhost
DNS.2 = *.ronething.cn
DNS.3 = *.ronething.com
# generate the server SAN certificate
openssl genpkey -algorithm RSA -out server.key
openssl req -new -nodes -key server.key -out server.csr -days 3650 -subj "/C=CN/OU=ronething/OU=ronething/CN=localhost" -config ./openssl.cnf -extensions v3_req
openssl x509 -req -days 3650 -in server.csr -out server.pem -CA ca.pem -CAkey ca.key -CAcreateserial -extfile ./openssl.cnf -extensions v3_req
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/tls (master●)
$ ll
total 40K
-rw-rw-r-- 1 ronething ronething 1.7K Apr  8 00:30 ca.key
-rw-rw-r-- 1 ronething ronething 1.3K Apr  8 00:52 ca.pem
-rw-rw-r-- 1 ronething ronething   17 Apr  8 00:58 ca.srl
-rw-r--r-- 1 ronething ronething  11K Apr  8 00:50 openssl.cnf
-rw-rw-r-- 1 ronething ronething  156 Apr  8 01:09 README.md
-rw-rw-r-- 1 ronething ronething  741 Apr  8 00:55 server.csr
-rw-rw-r-- 1 ronething ronething  916 Apr  8 00:51 server.key
-rw-rw-r-- 1 ronething ronething 1.1K Apr  8 00:58 server.pem
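Why the SAN entries above are the part that matters: as an added example (not the post's code, and using only the Go standard library), the block below builds an in-memory CA and server certificate mirroring ca.pem/server.pem and runs the same check a one-way TLS gRPC client performs on connect. Since Go 1.15 the Common Name is ignored for hostname matching, so CN=localhost alone fails and only the [alt_names] SANs make verification succeed; BuildChain and VerifyServerCert are names chosen here, and Ed25519 keys stand in for the post's RSA keys to keep the block short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl, signed with the parent's private key, and parses the DER back.
func sign(tmpl, parent *x509.Certificate, pub, parentKey interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs in memory a self-signed CA (stand-in for ca.pem) and a server
// certificate it signs (stand-in for server.pem); both use CN=localhost as in the post.
func BuildChain(withSAN bool) (server, ca *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader) // server.key stand-in; only the public half is needed here
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), // -days 3650
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = sign(caTmpl, caTmpl, caPub, caKey); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: caTmpl.Subject,
		NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter}
	if withSAN { // subjectAltName = @alt_names from the post's openssl.cnf
		srvTmpl.DNSNames = []string{"localhost", "*.ronething.cn", "*.ronething.com"}
	}
	server, err = sign(srvTmpl, ca, srvPub, caKey)
	return server, ca, err
}

// VerifyServerCert does what a one-way TLS gRPC client does on connect: chain the server
// certificate to the trusted CA and match host against its SANs (Go 1.15+ ignores the CN).
func VerifyServerCert(server, ca *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

With the SAN list present, "localhost" and any name under the two wildcards verify; without it the same CN=localhost certificate is rejected, which is exactly the failure the openssl.cnf edits above avoid.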


# start the server
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/cmd/server (master●)
$ export GRPC_GO_LOG_SEVERITY_LEVEL=INFO

ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/cmd/server (master●)
$ ./server
INFO: 2021/04/08 01:58:54 Listen on 127.0.0.1:50052 with TLS


# start the client
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/cmd/server (master●)
$ export GRPC_GO_LOG_SEVERITY_LEVEL=INFO

ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/cmd/client (master●)
$ ./client
INFO: 2021/04/08 01:59:25 [core] parsed scheme: ""
INFO: 2021/04/08 01:59:25 [core] scheme "" not registered, fallback to default scheme
INFO: 2021/04/08 01:59:25 [core] ccResolverWrapper: sending update to cc: {[{127.0.0.1:50052  <nil> 0 <nil>}] <nil> <nil>}
INFO: 2021/04/08 01:59:25 [core] ClientConn switching balancer to "pick_first"
INFO: 2021/04/08 01:59:25 [core] Channel switches to new LB policy "pick_first"
INFO: 2021/04/08 01:59:25 [core] Subchannel Connectivity change to CONNECTING
INFO: 2021/04/08 01:59:25 [core] blockingPicker: the picked transport is not ready, loop back to repick
INFO: 2021/04/08 01:59:25 [core] Subchannel picks a new address "127.0.0.1:50052" to connect
INFO: 2021/04/08 01:59:25 [core] Channel Connectivity change to CONNECTING
INFO: 2021/04/08 01:59:25 [core] Subchannel Connectivity change to READY
INFO: 2021/04/08 01:59:25 [core] Channel Connectivity change to READY
INFO: 2021/04/08 01:59:25 Hello gRPC.
INFO: 2021/04/08 01:59:25 [core] Channel Connectivity change to SHUTDOWN
INFO: 2021/04/08 01:59:25 [core] Subchannel Connectivity change to SHUTDOWN

If grpclog prints nothing, set the GRPC_GO_LOG_SEVERITY_LEVEL environment variable as above; the related code is in grpc-auth-sample.

PS: this is only one-way authentication, not mutual authentication. Next time I will write about mutual authentication and custom authentication for individual RPC methods.

🌞

Well, my advice is to go to bed earlier.
