I am setting up an etcd cluster for spilo; because of architectural specifics, using the etcd server built into spilo is not an option. Since the production connection has to be secured, I enabled mandatory certificate-based authentication. The problem is that etcd treats the issued self-signed certificates as invalid.
etcd_1 | {"level":"warn","ts":"2025-05-16T09:27:32.647885Z","caller":"embed/config_logging.go:170","msg":"rejected connection on client endpoint","remote-addr":"<my_host>:59734","server-name":"","error":"tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"}
etcd_1 | 2025/05/16 09:27:32 WARNING: [core] [Channel #5 SubChannel #7] grpc: addrConn.createTransport failed to connect to {Addr: "<my_host>:2379", ServerName: "<my_host>:2379", }. Err: connection error: desc = "error reading server preface: remote error: tls: bad certificate"
The certificates are valid; a connection is established fine via curl:
curl --cacert /opt/cfssl_certs/ca.pem --cert /opt/cfssl_certs/client.pem --key /opt/cfssl_certs/client-key.pem https://127.0.0.1:2379/v2/keys -v
* Trying 127.0.0.1:2379...
* Connected to 127.0.0.1 (127.0.0.1) port 2379 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /opt/cfssl_certs/ca.pem
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=RU; ST=Moscow; L=Moscow; O=ITG; OU=Server; CN=etcd-server
* start date: May 16 08:51:00 2025 GMT
* expire date: May 14 08:51:00 2035 GMT
* subjectAltName: host "127.0.0.1" matched cert's IP address!
* issuer: C=RU; ST=Moscow; L=Moscow; O=ITG; OU=CA; CN=etcd-ca
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* Using Stream ID: 1 (easy handle 0x56377a2b1740)
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /v2/keys HTTP/2
> Host: 127.0.0.1:2379
> user-agent: curl/7.76.1
> accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
< HTTP/2 404
< access-control-allow-headers: accept, content-type, authorization
< access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE
< access-control-allow-origin: *
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Fri, 16 May 2025 09:32:24 GMT
<
* TLSv1.2 (IN), TLS header, Unknown (23):
404 page not found
* Connection #0 to host 127.0.0.1 left intact
What is the problem? The EKU on all the certs is fine.
I run etcd in a container; here is the env:
environment:
  ETCD_NAME: etcd_1
  ETCD_DATA_DIR: /var/lib/etcd
  ETCD_LISTEN_PEER_URLS: https://<my_host_ip>:2380,https://127.0.0.1:2380
  ETCD_INITIAL_ADVERTISE_PEER_URLS: https://<my_host_dn>:2380
  ETCD_LISTEN_CLIENT_URLS: https://<my_host_ip>:2379,https://127.0.0.1:2379
  ETCD_ADVERTISE_CLIENT_URLS: https://<my_host_dn>:2379
  ETCD_INITIAL_CLUSTER: etcd_3=https://<my_host_dn>:2380,etcd_1=https://<my_host_dn>:2380,etcd_2=https://<my_host_dn>:2380
  ETCD_INITIAL_CLUSTER_TOKEN: secret_token
  ETCD_INITIAL_CLUSTER_STATE: new
  ETCD_LOG_OUTPUTS: stdout
  ETCD_AUTO_COMPACTION_MODE: periodic
  ETCD_AUTO_COMPACTION_RETENTION: 1
Below is the server.pem cert:
openssl x509 -in /opt/cfssl_certs/server.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2f:32:9c:0f:8f:38:3e:93:00:b3:4c:12:b2:aa:a3:43:e8:e2:f4:6c
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=RU, ST=Moscow, L=Moscow, O=ITG, OU=CA, CN=etcd-ca
        Validity
            Not Before: May 16 08:51:00 2025 GMT
            Not After : May 14 08:51:00 2035 GMT
        Subject: C=RU, ST=Moscow, L=Moscow, O=ITG, OU=Server, CN=etcd-server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    modulus I won't give
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                AE:D5:75:6E:A7:5F:9D:AC:91:98:9C:97:A1:6E:E4:36:B0:2D:3E:39
            X509v3 Authority Key Identifier:
                77:E9:BB:D4:ED:A1:C2:51:A6:34:CB:E7:13:4A:1A:B9:BC:CB:B6:B2
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:<my_host_dn_1>, DNS:<my_host_dn_2>, DNS:<my_host_dn_3>, IP Address:127.0.0.1, IP Address:<my_host_ip_1>, IP Address:<my_host_ip_2>, IP Address:<my_host_ip_2>
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        signature I won't give
Help((.
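The two log lines in the post are both ends of one handshake: etcd's own embedded gRPC gateway dials the client endpoint with server.pem as its client certificate, and the etcd server rejects it because the certificate's Extended Key Usage lists only TLS Web Server Authentication, while Go's TLS stack verifies a client certificate against clientAuth (curl is unaffected because it presents client.pem). The Go program below is an added example, not code from the post or from etcd: it builds a throwaway CA and leaf in memory and runs that same verification, once with serverAuth only (reproducing the x509 error from the log) and once with serverAuth plus clientAuth, the combination etcd server certificates are normally issued with (in a cfssl profile, the "client auth" usage); the CA, names and ECDSA keys are constructed here and stand in for the poster's RSA cfssl certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProbeClientAuth builds a throwaway CA and an "etcd-server" leaf in memory (constructed here, not the
// poster's cfssl output) and verifies the leaf exactly as crypto/tls does for a client certificate, with
// KeyUsages = [ExtKeyUsageClientAuth]. false mirrors the poster's server.pem (serverAuth only); true
// adds clientAuth, which is what cfssl's "client auth" usage puts into the certificate.
func ProbeClientAuth(withClientAuth bool) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	ekus := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // "TLS Web Server Authentication" only
	if withClientAuth {
		ekus = append(ekus, x509.ExtKeyUsageClientAuth) // the usage missing from the poster's cert
	}
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "etcd-server"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	fmt.Println("serverAuth only:       ", ProbeClientAuth(false)) // x509: certificate specifies an incompatible key usage
	fmt.Println("serverAuth + clientAuth:", ProbeClientAuth(true)) // <nil>
}
```

Checking an existing file the same way comes down to `openssl x509 -in server.pem -noout -ext extendedKeyUsage`: if "TLS Web Client Authentication" is absent, reissue the server certificate with both usages, or remove client certificate enforcement from the endpoint etcd dials itself on.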