x509: certificate is valid for *.xyz.net, not docker.abc.xyz.net


Question

I am trying to login to a company's private docker repository. When I try to login with:

docker login docker.abc.xyz.net

It only returns this error:

Error response from daemon: Get https://docker.abc.xyz.net/v1/users/: x509:  certificate is valid for *.xyz.net, xyg.net, not docker.abc.xyz.net

We have a ca.cert, which I have put at the following location:

/Users/myName/etc/docker/certs.d/docker.abc.xyz.net/ca.cert

I also tried putting it here:

/private/etc/docker/certs.d/docker.abc.xyz.net/ca.cert

and finally used this command to try to get keychain access for the cert:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt

I even gave full access to the cert to see if that would be picked up. I have tried restarting docker as well, but nothing is accepting my certificate. Does anyone else have any ideas what might be preventing the login attempt on Docker Mac?

--------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6c:ac:dd:00:bf:96:38:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ON DWCC Unclass Testing CA-1
        Validity
            Not Before: Jun  6 19:40:49 2016 GMT
            Not After : Jun  6 19:40:49 2018 GMT
        Subject: C=US, O=Navy, OU=ONI, CN=docker.abc.xyz.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:docker.abc.xyz.net
    Signature Algorithm: sha256WithRSAEncryption

Recommended answer

This is actually correct, standards-compliant behavior. A *.xyz.net wildcard certificate is valid for abc.xyz.net or docker.xyz.net, but not docker.abc.xyz.net.

Quoting the answer to a question directly focused on this topic, in turn quoting RFC 2818:

Matching is performed using the matching rules specified by RFC2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.


Consider adding an appropriate SubjectAltName to your certificate, if you can't regenerate it altogether.
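The following is an added example, not part of the question or the answer above, that reproduces the wildcard rule with Go's crypto/x509 package (the library the Docker client itself uses for hostname verification). It builds a throwaway self-signed certificate whose Subject Alternative Names are `*.xyz.net` and `xyz.net` (constructed values matching the error text), then asks the verifier whether each host name is covered. The helper names `newCertWithSANs` and `HostnameMatches` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCertWithSANs builds a self-signed certificate carrying the given DNS SANs.
// Constructed for this example only: the key is ephemeral and the certificate
// is never used for a real TLS connection.
func newCertWithSANs(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches reports whether a certificate with the given SANs would be
// accepted for host by Go's verifier. Only the SAN list is consulted; modern
// verifiers ignore the Subject CN once SANs are present. On mismatch the
// returned error is the same x509.HostnameError text the Docker client prints.
func HostnameMatches(dnsNames []string, host string) (bool, error) {
	cert, err := newCertWithSANs(dnsNames)
	if err != nil {
		return false, err
	}
	if err := cert.VerifyHostname(host); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	sans := []string{"*.xyz.net", "xyz.net"}
	for _, host := range []string{"abc.xyz.net", "docker.xyz.net", "docker.abc.xyz.net"} {
		ok, err := HostnameMatches(sans, host)
		fmt.Printf("%-20s ok=%v err=%v\n", host, ok, err)
	}
	// A certificate that names the registry host directly is accepted.
	ok, err := HostnameMatches([]string{"docker.abc.xyz.net"}, "docker.abc.xyz.net")
	fmt.Printf("%-20s ok=%v err=%v\n", "docker.abc.xyz.net", ok, err)
}
```

Running it shows `abc.xyz.net` and `docker.xyz.net` accepted and `docker.abc.xyz.net` rejected with exactly the message from the question, because the wildcard label matches one DNS component and no more. It is also worth noticing that the certificate dump pasted in the question carries `DNS:docker.abc.xyz.net` in its SAN and would pass this check, while the error lists `*.xyz.net` as the valid name: the registry is therefore serving a different certificate from the one being installed under `certs.d`, which is the first thing to confirm (for example with `openssl s_client -connect docker.abc.xyz.net:443 -showcerts`) before changing trust settings on the client.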
