ECS：无法上传 CA 签名的管理 SSL 证书

# curl -svk -H "$TOKEN" -H "Content-type: application/xml" -H "X-EMC-REST-CLIENT: TRUE" -X PUT -d "`cat /home/admin/vcssl/server_nopass.key``cat /home/admin/vcssl/cert.cer`" https://xxx.xxx.xxx.xxx:4443/vdc/keystore

< HTTP/1.1 400 Bad Request
< Date: Wed, 27 Sep 2017 12:21:57 GMT
< Content-Type: application/xml
< Content-Length: 337
< Connection: keep-alive
* HTTP error before end of send, stop sending
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><code>1013</code><description>Bad request body</description><details>javax.xml.bind.UnmarshalException
 - with linked exception:
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
[org.apache.xerces.impl.io.MalformedByteSequenceException: Invalid byte 1 of 1-byte UTF-8 sequence.]</details><retryable>false</retryable></error>

1. 在本例中名为 cert.cer 的证书是二进制格式，而不是导致问题的 PEM。

# file <PATH_TO_SERVER_KEY> <PATH_TO_CERTIFICATE>

/home/admin/vcssl # file server_nopass.key cert.cer
server_nopass.key: PEM RSA private key
cert.cer:          data

2. 验证证书是否与服务器密钥生成的格式匹配。

# openssl x509 -in <PATH_TO_CERTIFICATE> -noout -modulus | openssl sha256
# openssl rsa -in <PATH_TO_SERVER_KEY> -noout -modulus | openssl sha256

admin@node1:~> openssl x509 -in server.crt -noout -modulus | openssl sha256 (stdin)= a7263a89f0d8aa48cc4de0c76e3ccfe0c2e4fb585ab1f39bf8c82e3c39459bb3 
admin@node1:~> openssl rsa -in server_nopass.key -noout -modulus | openssl sha256 (stdin)= a7263a89f0d8aa48cc4de0c76e3ccfe0c2e4fb585ab1f39bf8c82e3c39459bb3


 

1. 将证书从 DER 格式更改为 PEM 格式，然后重试上传命令进行解决。 

# openssl x509 -in cert.cer -inform der -outform pem -out cert.pem

2. 上传新格式化的证书。

# curl -svk -H "$TOKEN" -H "Content-type: application/xml" -H "X-EMC-REST-CLIENT: TRUE" -X PUT -d "<rotate_keycertchain><key_and_certificate><private_key>`cat /home/admin/vcssl/server_nopass.key`</private_key><certificate_chain>`cat /home/admin/vcssl/cert.pem`</certificate_chain></key_and_certificate></rotate_keycertchain>" https://`hostname -i`:4443/vdc/keystore

# curl -svk -H "$TOKEN" -H "Content-type: application/xml" -H "X-EMC-REST-CLIENT: TRUE" -X PUT -d "<rotate_keycertchain><key_and_certificate><private_key>`cat key.pem`</private_key><certificate_chain>`cat cert.cert`</certificate_chain></key_and_certificate></rotate_keycertchain>" https://`hostname -i`:4443/object-cert/keystore

* Hostname was NOT found in DNS cache
*   Trying x.x.x.x...
* Connected to x.x.x.x (x.x.x.x) port 4443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* Server certificate:
*        subject: CN=localhost
*        start date: 2017-06-14 19:58:44 GMT
*        expire date: 2027-06-12 19:58:44 GMT
*        issuer: CN=localhost
*        SSL certificate verify result: self signed certificate (18), continuing anyway.
> PUT /vdc/keystore HTTP/1.1
> User-Agent: curl/7.37.0
> Host: x.x.x.x:4443
> Accept: */*

< HTTP/1.1 200 OK
< Date: Sat, 30 Sep 2017 00:59:15 GMT
< Content-Type: application/xml
< Content-Length: 1308
< Connection: keep-alive