[TOC]

openssl证书生成

问题

golang 1.15+版本上,用 gRPC通过TLS实现数据传输加密时,会报错证书的问题

rpc error: code = Unavailable desc = connection error: desc = "transport: authentication ha
ndshake failed: x509: certificate is valid for www.eline.com, not xxx"
panic: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for www.eline.com, not xxx"

造成的起因是因为咱们用的证书,并没有开启SAN扩大(默认是没有开启SAN扩大)所生成的

导致客户端和服务端无奈建设连贯

开始解决问题

应用开启扩大SAN的证书

什么是 SAN

SAN(Subject Alternative Name) 是 SSL 规范 x509 中定义的一个扩大。应用了 SAN 字段的 SSL 证书,能够扩大此证书反对的域名,使得一个证书能够反对多个不同域名的解析。

生成CA根证书

新建 ca.conf

vim ca.conf

写入内容如下:

[ req ]default_bits       = 4096distinguished_name = req_distinguished_name[ req_distinguished_name ]countryName                 = Country Name (2 letter code)countryName_default         = CNstateOrProvinceName         = State or Province Name (full name)stateOrProvinceName_default = JiangSulocalityName                = Locality Name (eg, city)localityName_default        = NanJingorganizationName            = Organization Name (eg, company)organizationName_default    = SheldcommonName                  = Common Name (e.g. server FQDN or YOUR name)commonName_max              = 64commonName_default          = Ted CA Test

生成ca秘钥,失去ca.key

openssl genrsa -out ca.key 4096

生成ca证书签发申请,失去ca.csr

openssl req \  -new \  -sha256 \  -out ca.csr \  -key ca.key \  -config ca.conf

shell交互时一路回车就行

生成ca根证书,失去ca.crt

openssl x509 \    -req \    -days 3650 \    -in ca.csr \    -signkey ca.key \    -out ca.crt

生成终端用户证书

筹备配置文件,失去server.conf

新建 server.conf

vim server.conf

写入内容如下:

[ req ]default_bits       = 2048distinguished_name = req_distinguished_namereq_extensions     = req_ext[ req_distinguished_name ]countryName                 = Country Name (2 letter code)countryName_default         = CNstateOrProvinceName         = State or Province Name (full name)stateOrProvinceName_default = JiangSulocalityName                = Locality Name (eg, city)localityName_default        = NanJingorganizationName            = Organization Name (eg, company)organizationName_default    = SheldcommonName                  = Common Name (e.g. server FQDN or YOUR name)commonName_max              = 64commonName_default          = xiamotong    # 此处尤为重要,须要用该服务名字填写到客户端的代码中[ req_ext ]subjectAltName = @alt_names[alt_names]DNS.1   = www.eline.comIP      = 127.0.0.1

生成秘钥,失去server.key

openssl genrsa -out server.key 2048

生成证书签发申请,失去server.csr

openssl req \  -new \  -sha256 \  -out server.csr \  -key server.key \  -config server.conf

shell交互时一路回车就行

用CA证书生成终端用户证书,失去server.crt

openssl x509 \  -req \  -days 3650 \  -CA ca.crt \  -CAkey ca.key \  -CAcreateserial \  -in server.csr \  -out server.pem\  -extensions req_ext \  -extfile server.conf

当初证书曾经生成结束, server.pem 和 server.key就是咱们须要的证书和密钥

服务端代码:

creds, err := credentials.NewServerTLSFromFile("./keys/server.pem", "./keys/server.key")

客户端代码:

creds, err := credentials.NewClientTLSFromFile("./keys/server.pem", "xiaomotong")

好了,本次就到这里,下一次分享 gRPC的interceptor

技术是凋谢的,咱们的心态,更应是凋谢的。拥抱变动,背阴而生,致力向前行。

我是小魔童哪吒,欢送点赞关注珍藏,下次见~