Encrypted SyncIQ policies fail with "sslv3 alert unsupported certificate"
Summary: Encrypted SyncIQ policies fail immediately with the SSL error "sslv3 alert unsupported certificate"
Symptoms
Policies start failing with the error "sslv3 alert unsupported certificate".
Cause
Encryption in SyncIQ uses both client and server authentication.
The end-entity certificate of the chain (the certificate imported into the SyncIQ server/peer store) is configured for only one type of authentication (usually only server authentication).
To confirm and check:
a) From isi_migrate.log:
On the cluster:
--------------
# isi_for_array -sQ ' grep "An SSL handshake failure occurred while establishing" /var/log/isi_migrate.log | grep coord ' | sort | tail -5
In the logs:
------------
$ grep -h "An SSL handshake failure occurred while establishing" */varlog.tar/log/isi_migrate.log | grep coord | sort | tail -5
Expected error:
---------------------
TTTTTTTTTTTTTTT <3.3> xxxxxxxxxx-4(id8) isi_migrate[57638]: coord[xxxxxxxxxx:TTTTTTTTTTTT]: siq_create_alert_internal: type: 22 (policy name: xxxxxxxxxx target: xxxxxxxxxx) SyncIQ policy failed to establish an encrypted connection with target. An SSL handshake failure occurred while establishing an encrypted connection to the target cluster. Please view the logs on the source and target for further details. SSL error string: error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate [ISI_TLS_ERROR_HANDSHAKE], Target: xxxxxxxxxx
b) From the server/peer certificate store
On the cluster:
--------------
# openssl x509 -text -noout -in /ifs/.ifsvar/modules/isi_certs/synciq/peer/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
# openssl x509 -text -noout -in /ifs/.ifsvar/modules/isi_certs/synciq/server/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
In the logs:
------------
$ openssl x509 -text -noout -in local/ifsvar_modules.tar/modules/isi_certs/synciq/peer/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
$ openssl x509 -text -noout -in local/ifsvar_modules.tar/modules/isi_certs/synciq/server/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
The output of the above commands shows only "TLS Web Server Authentication" or only "TLS Web Client Authentication".
The correct output lists both "TLS Web Server Authentication" and "TLS Web Client Authentication".
Resolution
To proceed, the customer must follow their internal procedure to generate a certificate signing request (CSR), making sure that the conf file used to generate the CSR contains the following:
extendedKeyUsage = serverAuth,clientAuth
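As an added example (not part of this article or of the OneFS product), the script below automates the check in step b): it parses the `X509v3 Extended Key Usage` section of `openssl x509 -text -noout` output and reports which of the two EKUs a SyncIQ encryption certificate still lacks. The two certificate dumps are constructed samples; the function names are assumptions.

```python
# Constructed sample of `openssl x509 -text -noout` output for a certificate
# that carries only serverAuth (the failing case described in this article).
SERVER_ONLY_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Constructed sample for a certificate issued from a CSR whose conf file
# contained `extendedKeyUsage = serverAuth,clientAuth`.
BOTH_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

# Both EKUs are required because SyncIQ authenticates client and server.
REQUIRED_EKUS = ("TLS Web Server Authentication", "TLS Web Client Authentication")


def extended_key_usages(x509_text):
    """Return the set of EKU names printed under 'X509v3 Extended Key Usage'.

    openssl prints the header line, then the comma-separated values on the
    next line (this is what `grep -A1` captures in the article's commands).
    """
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Extended Key Usage"):
            if i + 1 < len(lines):
                return {v.strip() for v in lines[i + 1].split(",") if v.strip()}
            return set()
    return set()  # no EKU extension at all: also unsuitable for SyncIQ


def missing_for_synciq(x509_text):
    """Return the EKUs the certificate lacks for SyncIQ encryption ([] means OK)."""
    present = extended_key_usages(x509_text)
    return [eku for eku in REQUIRED_EKUS if eku not in present]
```

Feed it the real dump with `openssl x509 -text -noout -in <ID>.crt` piped into the script; an empty result from `missing_for_synciq` means the certificate is usable for both sides of the handshake.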