ECS: Narzędzie do uzyskiwania certyfikatów SSL dla danych i zarządzania
Podsumowanie: Narzędzie certyfikatów ECS może pomóc w przesłaniu certyfikatów SSL do interfejsów danych i zarządzania ECS.
Instrukcje
Od czasu wydania ObjectScale narzędzie zostało przepisane ze względu na różne wersje języka Python między ECS i ObjectScale. Oba narzędzia są dołączone do artykułu do pobrania
- Użyj ecs_certificate_tool dla wersji 4.2 i starszych.
- Użyj obs_certificate_tool dla wersji 4.3 i nowszych.
Przed użyciem narzędzia certyfikatów ECS upewnij się, że dla interfejsów danych zostały utworzone wpisy DNS. Bez tych wpisów skrypt generowania certyfikatu kończy się niepowodzeniem, ponieważ opiera się na rozpoznawaniu nazw DNS dla interfejsów danych.
Index:
- Instalacja
- Konfiguracja
- Wyświetlanie bieżących certyfikatów
- Tworzenie żądania podpisania certyfikatu
- Creating a self-signed certificate
- Przesyłanie certyfikatu
Instalacja
- Pobierz prawidłową wersję narzędzia dołączonego do tego artykułu bazy wiedzy.
- Prześlij narzędzie do
/home/adminna jednym z węzłów ECS. - Zmień na
/home/admini wyodrębnij pakiet.
$ cd /home/admin $ unzip <ecs/obs>_certificate_tool-1.9.zip
- Zmień na katalog narzędzia certyfikatu.
$ cd <ecs/obs>_certificate_tool-1.9
- Konfiguracja poświadczeń głównego interfejsu użytkownika dla narzędzia do użycia.
$ python <ecs/obs>_certificate_tool.py configure_credentials
admin@:~/ecs_certificate_tool-1.7> python ecs_certificate_tool.py configure_credentials ecs_certificate_tool v1.7 =======> Configuring Credentials Please enter the password for the root management user: Authenticating using configured credentials..PASS Successfully configured credentials!
- Użyj narzędzia certyfikatów, aby wygenerować konfigurację alternatywnej nazwy podmiotu (SAN). Musisz ręcznie dodać atrybut
b>fqdniip-addressmodułu równoważenia obciążenia, jeśli go używasz.
python <ecs/obs>_certificate_tool.py generate_san
$ python ecs_certificate_tool.py generate_san ecs_certificate_tool v1.7 log_file: /home/admin/ecs_certificate_tool-1.7/certificate_tool.log ====================================================================== Generating SAN (subject alternative name) config. ====================================================================== ---------------------------------------------------------------------- Setting DATA_SUBJECT_ALTERNATIVE_NAME config ---------------------------------------------------------------------- Set DNS_NAMES to : ['layton-ex3000.example.com', 'ogden-ex3000.example.com', 'orem-ex3000.example.com', 'provo-ex3000.example.com', 'sandy-ex3000.example.com'] Set IP_ADDRESSES to : ['192.0.2.104', '192.0.2.105', '192.0.2.106', '192.0.2.107', '192.0.2.108'] ---------------------------------------------------------------------- Setting MANAGEMENT_SUBJECT_ALTERNATIVE_NAME config ---------------------------------------------------------------------- Set DNS_NAMES to : ['layton-ex3000.example.com', 'ogden-ex3000.example.com', 'orem-ex3000.example.com', 'provo-ex3000.example.com', 'sandy-ex3000.example.com'] Set IP_ADDRESSES to : ['192.0.2.104', '192.0.2.105', '192.0.2.106', '192.0.2.107', '192.0.2.108'] Wrote changes to: /home/admin/ecs_certificate_tool-1.7/config.ini DONE
Konfiguracja
- Pakiet
config.inito miejsce, w którym ustawiasz wszystkie wartości certyfikatu. - Jeśli nie chcesz używać wartości, pozostaw ją pustą, jak w poniższym przykładzie:
# optional unit name ORGANIZATIONAL_UNIT_NAME =
- Oto przykład domyślnej metody
config.iniWygląda:
[GENERAL] COMMON_NAME = *.ecs.example.com # Two letter country name COUNTRY_NAME = US LOCALITY_NAME = Salt Lake City STATE_OR_PROVINCE_NAME = Utah STREET_ADDRESS = 123 Example Street ORGANIZATION_NAME = Example Inc. # optional unit name ORGANIZATIONAL_UNIT_NAME = # optional email address EMAIL_ADDRESS = example@example.com [UI_CREDENTIALS] USERNAME = root PASSWORD = ChangeMe [SELF_SIGNED] # 1825 days = 5 years VALID_DAYS = 1825 [DATA_SUBJECT_ALTERNATIVE_NAME] DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com IP_ADDRESSES = 192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4 [MANAGEMENT_SUBJECT_ALTERNATIVE_NAME] DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com IP_ADDRESSES = 198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4 [ADVANCED] # Probably dont use these unless you really know what your doing SERIAL_NUMBER = SURNAME = GIVEN_NAME = TITLE = GENERATION_QUALIFIER = X500_UNIQUE_IDENTIFIER = DN_QUALIFIER = PSEUDONYM = USER_ID = DOMAIN_COMPONENT = JURISDICTION_COUNTRY_NAME = JURISDICTION_LOCALITY_NAME = BUSINESS_CATEGORY = POSTAL_ADDRESS = POSTAL_CODE = INN = OGRN = SNILS = UNSTRUCTURED_NAME =
Wyświetlanie bieżących certyfikatów
- Uruchom
ecs_certificate_tool view_certsOperacji.
$ python <ecs/obs>_certificate_tool.py view_certs
ecs_certificate_tool v7.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log
Authenticating using configured credentials..PASS
----------------------------------------------------------------------
View certificates
----------------------------------------------------------------------
======================================================================
Data Certificate:
======================================================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Validity
Not Before: Oct 17 18:35:06 2020 GMT
Not After : Oct 16 18:35:06 2025 GMT
Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
89:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Authority Key Identifier:
0.
Signature Algorithm: sha256WithRSAEncryption
33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
66:95:e7:ee
======================================================================
Management Certificate:
======================================================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Validity
Not Before: Oct 17 18:35:06 2020 GMT
Not After : Oct 16 18:35:06 2025 GMT
Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
89:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Authority Key Identifier:
0.
Signature Algorithm: sha256WithRSAEncryption
33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
66:95:e7:ee
DONE
Z poniższej listy wybierz typ certyfikatu, który chcesz utworzyć:
Tworzenie żądania podpisania certyfikatu
Zastosowanie:
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create certificate signing request for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create certificate signing request for management
interface (WEB UI)
Tworzenie CSR dla interfejsu danych:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -d ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 192.0.2.1..PASS Validating IPv4Address: 192.0.2.2..PASS Validating IPv4Address: 192.0.2.3..PASS Validating IPv4Address: 192.0.2.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key ---------------------------------------------------------------------- Certificate Signing Request ---------------------------------------------------------------------- Creating Certificate Signing Request..DONE Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.csr
Tworzenie CSR dla interfejsu zarządzania:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -m ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 198.51.100.1..PASS Validating IPv4Address: 198.51.100.2..PASS Validating IPv4Address: 198.51.100.3..PASS Validating IPv4Address: 198.51.100.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key ---------------------------------------------------------------------- Certificate Signing Request ---------------------------------------------------------------------- Creating Certificate Signing Request..DONE Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.csr
Creating a self-signed certificate
Zastosowanie:
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create self-signed certificate for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create self-signed certificate for management
interface (WEB UI)
Tworzenie certyfikatu z podpisem własnym dla interfejsu danych:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -d ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 192.0.2.1..PASS Validating IPv4Address: 192.0.2.2..PASS Validating IPv4Address: 192.0.2.3..PASS Validating IPv4Address: 192.0.2.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key ---------------------------------------------------------------------- Self-signed certificate ---------------------------------------------------------------------- Creating self-signed certificate..DONE Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.crt admin@provo-ex3000:~/ecs_certificate_tool-1.0>
Tworzenie certyfikatu z podpisem własnym dla interfejsu zarządzania:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -m ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 198.51.100.1..PASS Validating IPv4Address: 198.51.100.2..PASS Validating IPv4Address: 198.51.100.3..PASS Validating IPv4Address: 198.51.100.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key ---------------------------------------------------------------------- Self-signed certificate ---------------------------------------------------------------------- Creating self-signed certificate..DONE Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.crt
Przesyłanie certyfikatu
Jeśli używasz certyfikatu z podpisem własnym wygenerowanego przez to narzędzie, klucz prywatny i certyfikat znajdują się już w bieżącym katalogu.
Jeśli masz certyfikat podpisany przez urząd certyfikacji, prześlij go do ECS i umieść w katalogu narzędzi certyfikatów.
Certyfikat danych
Polecenie:
$ python ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --data
Przykład:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-data.crt -p FNM00181300310-data_private.key --data ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Upload Certificate ---------------------------------------------------------------------- Authenticating using configured credentials..PASS Reading certificate from: ./FNM00181300310-data.crt..DONE Reading private key from: FNM00181300310-data_private.key..DONE Verifying the private key matches the certificate..DONE Uploading the certificate to ECS..DONE admin@provo-ex3000:~/ecs_certificate_tool-1.0>
Po przesłaniu certyfikatu dostępne są dwie opcje:
- Poczekaj 2 godziny na
dataheadsvc, aby rozpowszechnić nowy certyfikat w klastrze. - Ręczne ponowne uruchomienie
dataheadsvcw węźle, z którego uruchomiono narzędzie, ale może to mieć krótki wpływ.
Polecenie ponownego uruchomienia dataheadsvc:
# sudo kill -9 `pidof dataheadsvc`
Certyfikat zarządzania
Polecenie:
$ python ./ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --management
Przykład:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-management.crt -p FNM00181300310-management_private.key -m ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Upload Certificate ---------------------------------------------------------------------- Authenticating using configured credentials..PASS Reading certificate from: ./FNM00181300310-management.crt..DONE Reading private key from: FNM00181300310-management_private.key..DONE Verifying the private key matches the certificate..DONE Uploading the certificate to ECS..DONE
Po przesłaniu nowego certyfikatu zarządzania należy wykonać stopniowe ponowne uruchomienia objcontrolsvc/nginx w klastrze. Może to mieć minimalny wpływ na dostęp do interfejsu użytkownika.
- Wygeneruj plik MACHINES dla całego klastra:
$ sudo getclusterinfo -a /root/MACHINES.VDC && sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /root/;sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /home/admin/;sudo viprexec -i -f /home/admin/MACHINES.VDC "pingall; md5sum /root/MACHINES.VDC /home/admin/MACHINES.VDC"
- Ponowne uruchomienie
objcontrolsvcW klastrze:
$ viprexec -f ~/MACHINES.VDC -i 'pidof objcontrolsvc; kill -9 `pidof objcontrolsvc`; sleep 60; pidof objcontrolsvc'
- Ponowne uruchomienie
nginxW klastrze:
$ viprexec -f ~/MACHINES.VDC -i -c "/etc/init.d/nginx restart;sleep 60;/etc/init.d/nginx status"
Certyfikat geograficzny
Polecenie:
# python obs_certificate_tool.py create_csr -g --vdc_id <VDC_ID>
Przykład:
admin@node1:~/obs_certificate_tool-1.9> python obs_certificate_tool.py create_csr -g --vdc_id 94e608f4-b5b8-4cb1-bc3e-e49bac831b9f
obs_certificate_tool v1.9
----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------
Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------
Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS
----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------
Validating IPv4Address: 192.0.2.1..PASS
Validating IPv4Address: 192.0.2.2..PASS
Validating IPv4Address: 192.0.2.3..PASS
Validating IPv4Address: 192.0.2.4..PASS
Validating SELF_SIGNED..PASS
All configurations items validated successfully!
Creating RSA private key..DONE
Wrote private key to /home/admin/obs_certificate_tool-1.9/generated_files/HHL6704-geo_private.key
----------------------------------------------------------------------
Certificate Signing Request
----------------------------------------------------------------------
Creating Certificate Signing Request..Added VDC ID URN to SAN: urn:storageos:VirtualDataCenterData:94e608f4-b5b8-4cb1-bc3e-e49bac831b9f
DONE
Wrote certificate signing request to /home/admin/obs_certificate_tool-1.9/generated_files/HHL6704-geo.csr
Sprawdź certyfikat geograficzny:
# openssl req -in generated_files/HHL6704-geo.csr -noout -text
Potwierdzić:
- SAN zawiera wszystkie nazwy DNS, adresy IP i identyfikator VDC
- Użycie klucza:
Digital Signature, Key Encipherment(bez odmowy) - Rozszerzone użycie klucza:
TLS Web Server Authentication, TLS Web Client Authentication - Identyfikator klucza podmiotu jest dostępny
- Klucz prywatny zaczyna się od
-----BEGIN PRIVATE KEY-----
Przykładowe certyfikaty
Pełny łańcuch (root/intermediate/ecs)
-----BEGIN CERTIFICATE----- <content of your ECS certificate> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <content of intermediate certificate> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <content of root certificate> -----END CERTIFICATE-----
Dodatkowe informacje
Informacje dotyczące wydania:
12/12/2020 1.0 - Fix outputting when password not configured in config.ini during view_certs operation
02/12/2021 1.1 - Support different hostnames for data/management interfaces #3
- Rewrote view_certs so it works if no certs have been uploaded yet. #2
- backup original certifiate before uploading new one. #1
04/07/2021 1.2 - nuke certs #10
- fix urllib3 warnings
- fix logging
- output additional info when viewing certs #9
07/06/2021 1.3 - Support 1024/2048/4096 private key sizes #14
09/24/2021 1.4 - #18 - Fix bug in get_issuer
- #19 - Remove sudo requirement and force admin user
- #23 - Handle Credentials with ?{}|&~![()^"
10/08/2021 1.5 - #25 - admin userid 1001
1.6 - Set log file permissions to 0755 and chown os.geteuid/os.getegid
- fix userid check
05/11/2025 1.7 - added ObjectScale compatible tool , changed the minimum key length for ObjectScale and added Readme
08/12/2025 1.8 - added support for ObjectScale 4.2 - python 3.12 compatible
11/25/2025 1.9 - added support for geo certificate generation with VDC ID in SAN
Działania:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
usage: ecs_certificate_tool.py [-h]
{view_certs,generate_san,create_csr,create_ssc,upload_certificate}
...
positional arguments:
{view_certs,generate_san,create_csr,create_ssc,upload_certificate}
sub-command help
view_certs Shows the current certificates on the data and
management interfaces
generate_san Generates the subject alternative name IP addresses
and domain names from fabric and adds them to the ini
config file
create_csr Create certificate signing request
create_ssc Create self-signed certificate
upload_certificate Upload certificate to the data interface
optional arguments:
-h, --help show this help message and exit
Utwórz żądanie podpisania certyfikatu:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_csr -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create certificate signing request for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create certificate signing request for management
interface (WEB UI)
Utwórz certyfikat z podpisem własnym:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_ssc -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create self-signed certificate for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create self-signed certificate for management
interface (WEB UI)
Prześlij certyfikat:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py upload_certificate -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
usage: ecs_certificate_tool.py upload_certificate [-h] -c CERTIFICATE -p
PRIVATE_KEY (-d | -m)
optional arguments:
-h, --help show this help message and exit
-c CERTIFICATE, --certificate CERTIFICATE
Filepath to the data certificate
-p PRIVATE_KEY, --private_key PRIVATE_KEY
Filepath to private key with no password
-d, --data Upload certificate to the data interface
-m, --management Upload certificate to the management interface
Certyfikaty należy sformatować w następujący sposób:
——BEGIN CERTIFICATE—— host certificate ——END CERTIFICATE—— ——BEGIN CERTIFICATE—— intermediate certificate ——END CERTIFICATE—— ——BEGIN CERTIFICATE—— root certificate ——END CERTIFICATE——