---
title: 'Obtaining the SSL certificate of GemFire for Kubernetes'
disqus: hackmd
---

## Table of Contents
[TOC]

Find the GemFire Service
---
List the services in every namespace (`k` here is a shell alias for `kubectl`):
```
k get svc -A
```
> Sample output
```
NAMESPACE      NAME                               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
cert-manager   cert-manager                       ClusterIP   10.109.18.59    <none>        9402/TCP                 39m
cert-manager   cert-manager-webhook               ClusterIP   10.96.126.16    <none>        443/TCP                  39m
default        kubernetes                         ClusterIP   10.96.0.1       <none>        443/TCP                  80m
gemfire        gemfire1-locator                   ClusterIP   None            <none>        10334/TCP,4321/TCP       24m
gemfire        gemfire1-server                    ClusterIP   None            <none>        40404/TCP,4321/TCP       23m
kube-system    kube-dns                           ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   80m
services       gemfire-operator-webhook-service   ClusterIP   10.108.36.226   <none>        443/TCP                  37m
```

Find the GemFire server pod
---
```
kubectl get pods -A
```
> Sample output
```
NAMESPACE      NAME                                                   READY   STATUS    RESTARTS   AGE
cert-manager   cert-manager-74d949c895-fvln7                          1/1     Running   0          31m
cert-manager   cert-manager-cainjector-d9bc5979d-4npvt                1/1     Running   0          31m
cert-manager   cert-manager-webhook-84b7ddd796-x2rfk                  1/1     Running   0          31m
gemfire        gemfire1-locator-0                                     1/1     Running   0          17m
gemfire        gemfire1-server-0                                      1/1     Running   0          15m
gemfire        gemfire1-server-1                                      1/1     Running   0          15m
kube-system    coredns-565d847f94-r5bn2                               1/1     Running   0          72m
kube-system    etcd-minikube                                          1/1     Running   0          73m
kube-system    kube-apiserver-minikube                                1/1     Running   0          73m
kube-system    kube-controller-manager-minikube                       1/1     Running   0          73m
kube-system    kube-proxy-rnkbq                                       1/1     Running   0          72m
kube-system    kube-scheduler-minikube                                1/1     Running   0          73m
kube-system    storage-provisioner                                    1/1     Running   0          73m
services       gemfire-operator-controller-manager-6ff55599bb-66pqf   1/1     Running   0          30m
```

Log in to the Pod
---
Open a shell inside one of the GemFire server pods:
```
kubectl exec -n gemfire gemfire1-server-0 -it -- /bin/sh
```

Run the following openssl command
---
> Format: `openssl s_client -connect <gemfire-service>.<namespace>.svc.cluster.local:443 -showcerts`

`-showcerts` prints every certificate the server sends, in PEM form. The `verify error` lines in the output only mean that the pod has no CA bundle that trusts the issuer; they do not stop the certificate from being printed.
```
openssl s_client -connect gemfire-operator-webhook-service.services.svc.cluster.local:443 -showcerts
```
> Sample output
```
CONNECTED(00000005)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIRAO1/U+3TtVE+K+HKCra5pAkwDQYJKoZIhvcNAQELBQAw
ADAeFw0yMjEyMjYxMjA3MThaFw0yMzAzMjYxMjA3MThaMAAwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDlxB9Kex3fFPNBza/ANEKSRx2OnKrkd79VazCu
VrMgl5zkz4gW/pTHkmLXTyRos6LLGv8xWwpktL+NNFDPqWCg8K/5GLrltz6ron5l
AHpMTYQ9gZGXwmvux5nmAqOnRpsi/pfJNDwOTGm6Np3kuOo4+pDRhd9IbbYm5JGW
u/XJlcDWOBcTEzr71Z8PLwy+pUEtYkQqZaqNJ8oH4szYbMs2uq01nIyDcgMVhXGU
kwZ7IUjjRiwIt71lhPMBRxG4Dflub51qkY6woyjsQW6LrT0pllU1dYF4cXp+rg9E
INgJrEg7aD2XEHr3EXoEBpihM5jS9jh+KLeTb3ABRULUIG49AgMBAAGjgZswgZgw
DgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAweAYDVR0RAQH/BG4wbIItZ2Vt
ZmlyZS1vcGVyYXRvci13ZWJob29rLXNlcnZpY2Uuc2VydmljZXMuc3ZjgjtnZW1m
aXJlLW9wZXJhdG9yLXdlYmhvb2stc2VydmljZS5zZXJ2aWNlcy5zdmMuY2x1c3Rl
ci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAwPbZMa2e8+2VT6IMgwzRbgJqTvXH
bpsrgx5787iSAT49IKCEbI4/Xn+JCjQ6xXJIj36OFesOVaGVLC/+sWecbxpjq7Ar
xZuZeYJmwEuaFstfaLywgEPNifK018VAhgUbZJNr2MLa6cG2dzlgqi75y17QK/Ad
bXhoLUCOJRGopl14qBdgxH0zQAEIs1FDnaEmy/KPnN2ee16+FupQsTic+RtXydtV
w55FqSLnR2QjXp3l68j7zGa78temDFG5rSK2kqxyM9OPTP9Um+oMbKptj5OcOVlK
fsIjlt7CsiqCCWBXWUFEEN217EjCUUUwl6oOpijYLpBu9YYsZJ8OMOBPNg==
-----END CERTIFICATE-----
---
Server certificate
subject=
issuer=
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1351 bytes and written 425 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 4E71CB3C950D89518A1A2C302F37AAB00BAD10D77CEC64208F402413AC06AB6B
    Session-ID-ctx:
    Resumption PSK: A4032F7C12CF3169B8056222DB27A41A9832CC262229E3D97205EA22EBDB9A5B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 1e 49 9d 49 bf ad c8 30-5e 7d 76 32 66 84 7d d0   .I.I...0^}v2f.}.
    0010 - 9f 08 33 a7 4e f7 10 5c-63 00 11 c8 b8 63 e4 ac   ..3.N..\c....c..
    0020 - 2f f9 43 b3 a0 2d 0e fb-41 90 52 96 69 6e 87 ec   /.C..-..A.R.in..
    0030 - 98 63 32 a2 8f 60 72 fe-e4 72 90 d1 fe 2c ea df   .c2..`r..r...,..
    0040 - 01 7c d8 76 02 13 d6 4c-97 10 47 45 3c 88 f2 dd   .|.v...L..GE<...
    0050 - c6 40 19 e6 98 a1 7c 18-b2 15 a2 ca 5a 0d 08 a0   .@....|.....Z...
    0060 - a8 87 22 a4 c5 36 2a 63-fc 6c 9f 39 6c aa 08 e7   .."..6*c.l.9l...
    0070 - c5                                                .

    Start Time: 1672058813
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
```

###### tags: `GemFire` `Documentation`
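As an added example (not part of the original note, and not GemFire's, cert-manager's or Kubernetes' own code), the following Python script takes `openssl s_client -showcerts` output like the one above, extracts the PEM blocks, walks the DER structure with the standard library only, and reports the validity window, whether issuer and subject are identical, and the SAN DNS names, then checks them against the service name used in the `-connect` argument. The embedded PEM block is the certificate printed in the output above; the two lines around it are constructed. The function names (`pem_blocks`, `tlv`, `parse_cert`, `check_cert`) are this example's own.

```python
"""Added example (not from the page): parse the chain that `openssl s_client
-showcerts` prints with the standard library only, then run defender checks."""
import base64
import re
from datetime import datetime, timezone

# PEM copied from the page's openssl output for gemfire-operator-webhook-service;
# the two lines around it are constructed to mimic real -showcerts output.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIRAO1/U+3TtVE+K+HKCra5pAkwDQYJKoZIhvcNAQELBQAw
ADAeFw0yMjEyMjYxMjA3MThaFw0yMzAzMjYxMjA3MThaMAAwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDlxB9Kex3fFPNBza/ANEKSRx2OnKrkd79VazCu
VrMgl5zkz4gW/pTHkmLXTyRos6LLGv8xWwpktL+NNFDPqWCg8K/5GLrltz6ron5l
AHpMTYQ9gZGXwmvux5nmAqOnRpsi/pfJNDwOTGm6Np3kuOo4+pDRhd9IbbYm5JGW
u/XJlcDWOBcTEzr71Z8PLwy+pUEtYkQqZaqNJ8oH4szYbMs2uq01nIyDcgMVhXGU
kwZ7IUjjRiwIt71lhPMBRxG4Dflub51qkY6woyjsQW6LrT0pllU1dYF4cXp+rg9E
INgJrEg7aD2XEHr3EXoEBpihM5jS9jh+KLeTb3ABRULUIG49AgMBAAGjgZswgZgw
DgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAweAYDVR0RAQH/BG4wbIItZ2Vt
ZmlyZS1vcGVyYXRvci13ZWJob29rLXNlcnZpY2Uuc2VydmljZXMuc3ZjgjtnZW1m
aXJlLW9wZXJhdG9yLXdlYmhvb2stc2VydmljZS5zZXJ2aWNlcy5zdmMuY2x1c3Rl
ci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAwPbZMa2e8+2VT6IMgwzRbgJqTvXH
bpsrgx5787iSAT49IKCEbI4/Xn+JCjQ6xXJIj36OFesOVaGVLC/+sWecbxpjq7Ar
xZuZeYJmwEuaFstfaLywgEPNifK018VAhgUbZJNr2MLa6cG2dzlgqi75y17QK/Ad
bXhoLUCOJRGopl14qBdgxH0zQAEIs1FDnaEmy/KPnN2ee16+FupQsTic+RtXydtV
w55FqSLnR2QjXp3l68j7zGa78temDFG5rSK2kqxyM9OPTP9Um+oMbKptj5OcOVlK
fsIjlt7CsiqCCWBXWUFEEN217EjCUUUwl6oOpijYLpBu9YYsZJ8OMOBPNg==
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)
"""
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def pem_blocks(s_client_output):
    """Return the DER bytes of every certificate found in s_client output."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(s_client_output)]

def tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def der_time(buf, field):
    """UTCTime (tag 0x17) or GeneralizedTime (0x18) -> timezone-aware datetime."""
    tag, vs, ve = field
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[vs:ve].decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Pull validity, issuer/subject equality and SAN dNSNames out of X.509 DER."""
    _, cert_s, _ = tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_s, tbs_e = tlv(der, cert_s)         # tbsCertificate SEQUENCE
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _sig, issuer, validity, subject, _spki = fields[:6]
    nb, na = children(der, validity[1], validity[2])
    info = {"self_issued": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]],
            "not_before": der_time(der, nb), "not_after": der_time(der, na), "san": []}
    for tag, vs, ve in fields[6:]:
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        _, exts_s, exts_e = tlv(der, vs)       # SEQUENCE OF Extension
        for _, es, ee in children(der, exts_s, exts_e):
            parts = list(children(der, es, ee))  # extnID, [critical], extnValue
            if der[parts[0][1]:parts[0][2]] != SAN_OID:
                continue
            _, names_s, names_e = tlv(der, parts[-1][1])  # GeneralNames SEQUENCE
            for ntag, ns, ne in children(der, names_s, names_e):
                if ntag == 0x82:               # [2] dNSName
                    info["san"].append(der[ns:ne].decode())
    return info

def check_cert(info, hostname, now):
    """Return the findings a reviewer would raise for this certificate and host name."""
    findings = []
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("outside validity period")
    if hostname not in info["san"]:
        findings.append("SAN does not cover " + hostname)
    if info["self_issued"]:
        findings.append("self-issued; the client must pin the issuing CA to verify it")
    return findings

if __name__ == "__main__":  # usage: parse the sample and check the in-cluster name
    for der in pem_blocks(SAMPLE_S_CLIENT_OUTPUT):
        info = parse_cert(der)
        print(info, check_cert(info, info["san"][-1], datetime.now(timezone.utc)))
```

To use it on a live cluster, redirect the `openssl s_client ... -showcerts` output from the pod into a file, read that file instead of `SAMPLE_S_CLIENT_OUTPUT`, and pass the `-connect` host name to `check_cert`. The walker only visits the handful of fields it needs and trusts well-formed DER; where `openssl x509 -noout -text -ext subjectAltName` is available inside the image, that remains the more complete tool, but this script needs nothing beyond a Python interpreter.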