Certificates


OCI certificate management

There are two ways to manage certificates for a load balancer (LB) on OCI: the LB manages the certificate itself, or the certificate is managed through the OCI Certificates service.

If the LB manages the certificate itself, it can be updated with the following steps:

- Create the new certificate
- Update the certificate attached to the LB listener via UpdateListener: https://docs.oracle.com/en-us/iaas/api/#/en/loadbalancer/20170115/Listener/UpdateListener
- Optionally, delete the old certificate
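The three steps above as one OCI CLI script. This is an added example, not code from the original post: it assumes a configured `oci` CLI, a listener that keeps its existing port, protocol and default backend set (the CLI requires these to be passed again on update), and placeholder OCIDs and file paths. The old certificate is only deleted when its name is given, and only after the listener no longer references it.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the certificate on an
# LB-managed listener. Step 1 uploads the new certificate under a fresh name,
# step 2 points the listener at it ("oci lb listener update" is the CLI front
# end for UpdateListener), step 3 optionally removes the old certificate.
# All OCIDs, names and paths passed in are placeholders.
set -eu

# Build a certificate name that records the domain and the rotation date, so
# old and new certificates stay distinguishable in the LB certificate list.
# ROTATE_DAY overrides the date (useful for reproducible runs).
cert_name_for() {
    domain=$1
    day=${ROTATE_DAY:-$(date +%Y%m%d)}
    echo "${domain}-${day}"
}

# rotate_lb_cert LB_OCID LISTENER BACKEND_SET PORT DOMAIN CERT_FILE KEY_FILE [OLD_CERT_NAME]
# Prints the name of the newly created certificate.
rotate_lb_cert() {
    lb=$1; listener=$2; backend_set=$3; port=$4; domain=$5
    cert_file=$6; key_file=$7; old_cert=${8:-}
    new_cert=$(cert_name_for "$domain")

    # Step 1: upload the new certificate and key under a fresh name.
    # Add --ca-certificate-file if the issuing chain must be served too.
    oci lb certificate create \
        --load-balancer-id "$lb" \
        --certificate-name "$new_cert" \
        --public-certificate-file "$cert_file" \
        --private-key-file "$key_file"

    # Step 2: switch the listener to the new certificate (UpdateListener).
    # An HTTPS listener on the OCI LB uses protocol HTTP plus an SSL certificate.
    oci lb listener update \
        --load-balancer-id "$lb" \
        --listener-name "$listener" \
        --default-backend-set-name "$backend_set" \
        --port "$port" \
        --protocol HTTP \
        --ssl-certificate-name "$new_cert"

    # Step 3 (optional): delete the old certificate now that nothing uses it.
    if [ -n "$old_cert" ]; then
        oci lb certificate delete \
            --load-balancer-id "$lb" \
            --certificate-name "$old_cert" \
            --force
    fi
    echo "$new_cert"
}

# Example invocation (placeholders):
# rotate_lb_cert ocid1.loadbalancer.oc1..EXAMPLE https-listener app-backends 443 \
#     example.com /etc/nginx/pem/example.com.cer /etc/nginx/pem/example.com.key example.com-20240101
```

Both `oci lb certificate create` and `oci lb listener update` are asynchronous work requests; in a real run, wait for the update to finish (for example with `--wait-for-state SUCCEEDED`) before deleting the old certificate, since the delete is refused while a listener still references it.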

If the OCI Certificates service manages the certificate, the service can simplify the automation of certificate renewal, rotation and revocation. See https://blogs.oracle.com/cloudsecurity/post/automating-to-a-more-secure-connection for details. The latter approach is recommended.

Permission error when creating a CA

When creating a CA in the OCI console, I got the error: Authorization failed or requested resource not found: Key Id ocid1.key.oc1.ap-mumbai-1.fbsnv34waade4.abrg6ljrgfu6rjmsaj2e3x7qdw2xc6sku55e3bnqhk37aacviuofgl7l6enq.

But in fact this key exists. I also tried another key and got the same error.

The following policies need to be added (the compartment name test is the author's own; substitute yours):

Allow any-user to use keys in compartment test where request.principal.type='certificateauthority'
Allow any-user to manage objects in compartment test where request.principal.type='certificateauthority'

Creating a CERTIFICATE

Error: The validity period 7818981163 exceeds the maximum validity period allowed 7776000000.

Reduce the "not valid after" time above so the period fits within the limit, and it will work.

oci certs-mgmt certificate list --compartment-id xxxx

The --compartment-id parameter must be supplied.

Requesting a free certificate

Certificates issued on OCI are free, but browsers will show a security warning for them; free certificates can be requested from the following places.

Letsencrypt

https://developer.aliyun.com/article/1246358
https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

acme.sh implements the ACME protocol and can generate free certificates from Let's Encrypt.

Process for requesting an SSL certificate on the ZeroSSL website

https://www.jianshu.com/p/0b4d2ebb75a5

Certificate update

Set environment variables holding the contents of the certificate files

export cert_chain_pem=$(cat /home/opc/archive/detailswin.com/chain1.pem)

export certificate_pem=$(cat /home/opc/archive/detailswin.com/cert1.pem)

export private_key_pem=$(cat /home/opc/archive/detailswin.com/privkey1.pem)

export certificate_id=ocid1.certificate.oc1.ap-singapore-1.amaaaaaadoxkhmqa2br6konryn6yjljijb3h7gaddvlasoxbrrq44hpeb5zq

Then run the following command

oci certs-mgmt certificate update-certificate-by-importing-config-details --cert-chain-pem "$cert_chain_pem" --certificate-id $certificate_id --certificate-pem "$certificate_pem" --private-key-pem "$private_key_pem"
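The same update procedure with a check in front of it. This is an added example, not code from the original post: it reads the three PEM files from the certbot-style `archive` directory layout the post uses, refuses to continue when a file is missing or holds the wrong kind of PEM block (a swapped or empty file otherwise surfaces only as an opaque API error after the upload), and then issues the post's import command. The directory path and certificate OCID are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): load chain1.pem, cert1.pem and
# privkey1.pem into the variables the post uses, validating each file first,
# then import them as a new version of an existing OCI Certificates resource.
set -eu

# pem_has_block FILE LABEL: true if FILE contains a "-----BEGIN ...LABEL-----"
# line. LABEL is matched as a suffix so that "PRIVATE KEY" also accepts the
# "RSA PRIVATE KEY" and "EC PRIVATE KEY" variants.
pem_has_block() {
    grep -q -- "^-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# load_pem_env DIR: export cert_chain_pem, certificate_pem and private_key_pem
# from DIR/chain1.pem, DIR/cert1.pem and DIR/privkey1.pem. Returns 1 and
# prints the offending file name if any file is not what it should be.
load_pem_env() {
    dir=$1
    pem_has_block "$dir/chain1.pem" CERTIFICATE ||
        { echo "chain1.pem: not a certificate chain" >&2; return 1; }
    pem_has_block "$dir/cert1.pem" CERTIFICATE ||
        { echo "cert1.pem: not a certificate" >&2; return 1; }
    pem_has_block "$dir/privkey1.pem" "PRIVATE KEY" ||
        { echo "privkey1.pem: not a private key" >&2; return 1; }
    # A full chain accidentally placed in chain1.pem would duplicate the leaf.
    if cmp -s "$dir/chain1.pem" "$dir/cert1.pem"; then
        echo "chain1.pem and cert1.pem are identical" >&2; return 1
    fi
    cert_chain_pem=$(cat "$dir/chain1.pem")
    certificate_pem=$(cat "$dir/cert1.pem")
    private_key_pem=$(cat "$dir/privkey1.pem")
    export cert_chain_pem certificate_pem private_key_pem
}

# import_certificate CERT_OCID: the post's update command, using the
# variables set by load_pem_env.
import_certificate() {
    oci certs-mgmt certificate update-certificate-by-importing-config-details \
        --certificate-id "$1" \
        --cert-chain-pem "$cert_chain_pem" \
        --certificate-pem "$certificate_pem" \
        --private-key-pem "$private_key_pem"
}

# Example invocation (placeholders):
# load_pem_env /home/opc/archive/example.com && import_certificate ocid1.certificate.oc1..EXAMPLE
```

The private key is passed on the command line, as in the post; on a shared host it is visible in the process list for the duration of the call, so run this from an account that nobody else can inspect.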

If you get a 401 permission error, {'target_service': 'certificates_management', 'status': 401, 'code': 'NotAuthenticated', 'opc-request-id': '567469A2007648A3B1E6C96E8F52F10A/825791AA1BF65772FED4E39D05A5A137/33B2D567D28374B21FB9C535AF61E0E1', 'message': 'The required information to complete authentication was not provided or was incorrect.',

check that the user, tenancy and region values in the CLI config file match what is shown in the OCI console.

Uploading the certificate to the LB

oci lb certificate create --certificate-name waf.mangaestoon.com --load-balancer-id ocid1.loadbalancer.oc1.phx.aaaaaaaaeving2263znplmjz7uzelnhom5hai35ey5awbhbynz3vvhry52ka --public-certificate-file /etc/nginx/pem/waf.mangaestoon.com.cer --private-key-file /etc/nginx/pem/waf.mangaestoon.com.key --debug
