I am trying to set up Consul with my private PKI. It seems Consul does not like my server certificate, although the same certificate works fine with Tomcat, an LDAP server, and so on.
Here is the relevant consul configuration:
"tls": {
  "defaults": {
    "key_file": "/tmp/consul.hello.com.plain-key",
    "cert_file": "/tmp/consul.hello.com.crt",
    "ca_file": "/tmp/ca.crt",
    "verify_incoming": true,
    "verify_outgoing": true,
    "verify_server_hostname": false
  }
}
Here is the error I get:
agent.server.rpc: failed to read byte: conn=from=127.0.0.1:53133 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
Unfortunately the log says nothing about the real cause.
CA certificate:
$ openssl x509 -text -noout -in /tmp/ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
37:9b:62:b5:e2:83:b2:cf:31:27:16:60:83:76:1a:a6:12:56:20:9b
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = hello.com
Validity
Not Before: Feb 10 00:00:38 2024 GMT
Not After : Feb 7 00:00:38 2034 GMT
Subject: CN = hello.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:f0:1e:cf:a6:1b:48:55:de:34:a9:4a:80:c5:8b:
2c:b5:a0:be:04:50:e8:0d:71:fa:c8:c6:54:9b:3d:
06:9a:4d:11:96:10:db:6d:ac:e5:05:15:fd:4e:83:
11:ae:07:2b:69:43:ee:b4:a7:3a:87:47:76:cb:6a:
bc:9c:86:ae:2c:4a:fa:39:9d:3b:ba:1f:59:11:44:
49:84:30:6e:f6:d2:d9:94:6b:89:3c:c8:0c:2b:c4:
36:b4:4b:8f:4c:01:9a
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Key Identifier:
DB:6E:71:3B:A6:F1:69:3E:A5:31:EB:39:E9:BF:F6:8C:C7:D2:FD:81
X509v3 Authority Key Identifier:
keyid:DB:6E:71:3B:A6:F1:69:3E:A5:31:EB:39:E9:BF:F6:8C:C7:D2:FD:81
DirName:/CN=hello.com
serial:37:9B:62:B5:E2:83:B2:CF:31:27:16:60:83:76:1A:A6:12:56:20:9B
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:64:02:30:24:97:21:c9:2b:55:a9:6c:b6:23:55:72:3d:44:
80:21:a8:8a:96:1c:fd:a3:d2:ce:a6:7d:14:4a:49:b8:45:85:
29:e4:80:24:30:c1:67:ee:f3:13:26:36:e6:2f:db:28:02:30:
32:fb:05:b5:b5:75:71:4e:2b:82:0b:5e:6c:2d:58:b9:e2:f1:
13:0a:bc:ec:da:9e:cd:26:79:53:29:27:4b:0d:af:81:d8:9a:
67:c1:4e:0d:5b:13:2e:4a:a8:74:9b:ae
Server certificate:
$ openssl x509 -text -noout -in /tmp/consul.hello.com.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ea:92:1f:ba:8c:f8:d0:78:7d:fb:6c:72:93:34:74:ff
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = hello.com
Validity
Not Before: Feb 10 00:00:40 2024 GMT
Not After : May 15 00:00:40 2026 GMT
Subject: CN = consul.hello.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:71:a6:af:d3:70:7c:58:92:ba:e8:2f:04:25:51:
34:8a:18:ab:f5:85:11:15:7e:ef:20:78:17:95:64:
71:eb:ed:83:86:b6:8a:0b:23:cf:4d:33:c4:fb:2b:
56:df:38:1d:ec:8b:22:c0:bf:22:32:aa:fc:d0:88:
a4:f4:ff:40:4c:b8:2b:44:74:31:31:8a:0a:43:58:
8a:43:28:66:67:1d:5f:b1:e6:ed:87:18:76:d3:e4:
65:13:c5:d3:06:17:48
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
5F:34:D8:0C:09:1D:04:B9:94:73:FA:51:F6:2E:8E:C2:99:D9:0B:8E
X509v3 Authority Key Identifier:
keyid:DB:6E:71:3B:A6:F1:69:3E:A5:31:EB:39:E9:BF:F6:8C:C7:D2:FD:81
DirName:/CN=hello.com
serial:37:9B:62:B5:E2:83:B2:CF:31:27:16:60:83:76:1A:A6:12:56:20:9B
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:consul.hello.com
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:65:02:31:00:ea:65:13:52:b5:72:7d:bc:bd:27:b8:ce:92:
94:73:2e:62:31:c6:cf:93:34:b6:e5:74:17:58:2c:24:c4:95:
10:82:46:30:d9:7b:a8:50:b0:84:64:1c:59:63:7f:69:48:02:
30:3a:b2:2a:64:73:b0:15:52:d2:f8:58:95:c7:95:72:2f:96:
a9:6d:ed:a6:e3:12:bc:bf:86:5c:87:4c:5a:e3:95:e3:80:6f:
c0:38:e9:7d:e2:27:09:50:3b:d9:f9:40:2e
Key:
$ cat /tmp/consul.hello.com.plain-key
$ echo $(hostname -f)
consul.hello.com
Here is the full error log:
==> Starting Consul agent...
Version: '1.17.2'
Build Date: '2024-01-22 16:55:18 +0000 UTC'
Node ID: '60fd623e-401b-6163-a635-f06e9bc0e833'
Node name: 'agent-one'
Datacenter: 'dc1' (Segment: '<all>')
Server: true (Bootstrap: true)
Client Addr: [0.0.0.0] (HTTP: -1, HTTPS: 8501, gRPC: -1, gRPC-TLS: 8503, DNS: 8600)
Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302)
Gossip Encryption: true
Auto-Encrypt-TLS: false
ACL Enabled: false
Reporting Enabled: false
ACL Default Policy: allow
HTTPS TLS: Verify Incoming: true, Verify Outgoing: true, Min Version: TLSv1_2
gRPC TLS: Verify Incoming: true, Min Version: TLSv1_2
Internal RPC TLS: Verify Incoming: true, Verify Outgoing: true (Verify Hostname: false), Min Version: TLSv1_2
==> Log data will now stream in as it occurs:
2024-02-10T00:46:23.981Z [WARN] agent: bootstrap = true: do not enable unless necessary
2024-02-10T00:46:24.047Z [DEBUG] agent.grpc.balancer: switching server: target=consul://dc1.60fd623e-401b-6163-a635-f06e9bc0e833/server.dc1 from=<none> to=<none>
2024-02-10T00:46:24.063Z [WARN] agent.auto_config: bootstrap = true: do not enable unless necessary
2024-02-10T00:46:24.106Z [INFO] agent.server.raft: initial configuration: index=1 servers="[{Suffrage:Voter ID:60fd623e-401b-6163-a635-f06e9bc0e833 Address:127.0.0.1:8300}]"
2024-02-10T00:46:24.106Z [INFO] agent.server.raft: entering follower state: follower="Node at 127.0.0.1:8300 [Follower]" leader-address= leader-id=
2024-02-10T00:46:24.108Z [INFO] agent.server.serf.wan: serf: EventMemberJoin: agent-one.dc1 127.0.0.1
2024-02-10T00:46:24.109Z [INFO] agent.server.serf.lan: serf: EventMemberJoin: agent-one 127.0.0.1
2024-02-10T00:46:24.109Z [INFO] agent.router: Initializing LAN area manager
2024-02-10T00:46:24.110Z [DEBUG] agent.grpc.balancer: switching server: target=consul://dc1.60fd623e-401b-6163-a635-f06e9bc0e833/server.dc1 from=<none> to=dc1-127.0.0.1:8300
2024-02-10T00:46:24.110Z [WARN] agent.server.serf.wan: serf: Failed to re-join any previously known node
2024-02-10T00:46:24.110Z [WARN] agent.server.serf.lan: serf: Failed to re-join any previously known node
2024-02-10T00:46:24.111Z [INFO] agent.server: Adding LAN server: server="agent-one (Addr: tcp/127.0.0.1:8300) (DC: dc1)"
2024-02-10T00:46:24.112Z [INFO] agent.server: Handled event for server in area: event=member-join server=agent-one.dc1 area=wan
2024-02-10T00:46:24.113Z [INFO] agent.server.autopilot: reconciliation now disabled
2024-02-10T00:46:24.162Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:37471 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:24.162Z [WARN] agent: [core][Channel #1 SubChannel #5] grpc: addrConn.createTransport failed to connect to {Addr: "dc1-127.0.0.1:8300", ServerName: "agent-one", }. Err: connection error: desc = "error reading server preface: remote error: tls: bad certificate"
2024-02-10T00:46:24.163Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:44687 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:24.163Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:24.163Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:25.114Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:25.114Z [ERROR] agent.server.autopilot: Error when computing next state: error="context deadline exceeded"
2024-02-10T00:46:25.114Z [DEBUG] agent.server.autopilot: autopilot is now running
2024-02-10T00:46:25.114Z [DEBUG] agent.server.autopilot: state update routine is now running
2024-02-10T00:46:25.114Z [INFO] agent.server.cert-manager: initialized server certificate management
2024-02-10T00:46:25.114Z [DEBUG] agent.hcp_manager: HCP manager starting
2024-02-10T00:46:25.115Z [INFO] agent: Started DNS server: address=0.0.0.0:8600 network=udp
2024-02-10T00:46:25.115Z [INFO] agent: Started DNS server: address=0.0.0.0:8600 network=tcp
2024-02-10T00:46:25.117Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/tcproute/
2024-02-10T00:46:25.117Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/destinationpolicy/
2024-02-10T00:46:25.117Z [INFO] agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/healthstatus/
2024-02-10T00:46:25.117Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/proxystatetemplate/
2024-02-10T00:46:25.117Z [INFO] agent.http: Registered resource endpoint: endpoint=/demo/v1/album/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/demo/v2/album/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/failoverpolicy/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/workloadidentity/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/demo/v1/executive/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/proxyconfiguration/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedproxyconfiguration/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/service/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/trafficpermissions/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/demo/v1/artist/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/httproute/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/grpcroute/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/demo/v2/artist/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/tenancy/v1alpha1/namespace/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/demo/v1/concept/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/destinations/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/serviceendpoints/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/internal/v1/tombstone/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/workload/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/node/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/computedtrafficpermissions/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedexplicitdestinations/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedroutes/
2024-02-10T00:46:25.118Z [INFO] agent.http: Registered resource endpoint: endpoint=/demo/v1/recordlabel/
2024-02-10T00:46:25.128Z [INFO] agent: Starting server: address=[::]:8501 network=tcp protocol=https
2024-02-10T00:46:25.144Z [INFO] agent: Started gRPC listeners: port_name=grpc_tls address=[::]:8503 network=tcp
2024-02-10T00:46:25.146Z [INFO] agent: started state syncer
2024-02-10T00:46:25.146Z [INFO] agent: Consul agent running!
2024-02-10T00:46:26.115Z [DEBUG] agent.server.cert-manager: CA has not finished initializing
2024-02-10T00:46:27.115Z [DEBUG] agent.server.cert-manager: CA has not finished initializing
2024-02-10T00:46:27.182Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:57581 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:27.182Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:27.182Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:28.116Z [DEBUG] agent.server.cert-manager: CA has not finished initializing
2024-02-10T00:46:28.116Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:29.116Z [DEBUG] agent.server.cert-manager: CA has not finished initializing
2024-02-10T00:46:29.179Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:49559 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:29.179Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:29.180Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:30.116Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:30.117Z [DEBUG] agent.server.cert-manager: CA has not finished initializing
2024-02-10T00:46:30.915Z [WARN] agent.server.raft: heartbeat timeout reached, starting election: last-leader-addr= last-leader-id=
2024-02-10T00:46:30.915Z [INFO] agent.server.raft: entering candidate state: node="Node at 127.0.0.1:8300 [Candidate]" term=3
2024-02-10T00:46:30.917Z [DEBUG] agent.server.raft: voting for self: term=3 id=60fd623e-401b-6163-a635-f06e9bc0e833
2024-02-10T00:46:30.920Z [DEBUG] agent.server.raft: calculated votes needed: needed=1 term=3
2024-02-10T00:46:30.920Z [DEBUG] agent.server.raft: vote granted: from=60fd623e-401b-6163-a635-f06e9bc0e833 term=3 tally=1
2024-02-10T00:46:30.920Z [INFO] agent.server.raft: election won: term=3 tally=1
2024-02-10T00:46:30.920Z [INFO] agent.server.raft: entering leader state: leader="Node at 127.0.0.1:8300 [Leader]"
2024-02-10T00:46:30.920Z [DEBUG] agent.hcp_manager: HCP triggering status update
2024-02-10T00:46:30.920Z [DEBUG] agent.controller-runtime: controller running: managed_type=internal.v1.Tombstone
2024-02-10T00:46:30.920Z [INFO] agent.server: cluster leadership acquired
2024-02-10T00:46:30.920Z [INFO] agent.server: New leader elected: payload=agent-one
2024-02-10T00:46:30.927Z [DEBUG] agent.server.xds_capacity_controller: updating drain rate limit: rate_limit=1
2024-02-10T00:46:30.928Z [INFO] agent.server.autopilot: reconciliation now enabled
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="federation state anti-entropy"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="federation state pruning"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="streaming peering resources"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="metrics for streaming peering resources"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="peering deferred deletion"
2024-02-10T00:46:30.928Z [INFO] connect.ca: initialized primary datacenter CA from existing CARoot with provider: provider=consul
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="intermediate cert renew watch"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="CA root pruning"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="CA root expiration metric"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="CA signing expiration metric"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="virtual IP version check"
2024-02-10T00:46:30.928Z [INFO] agent.leader: started routine: routine="config entry controllers"
2024-02-10T00:46:30.928Z [DEBUG] agent.server: successfully established leadership: duration="562.613µs"
2024-02-10T00:46:30.928Z [INFO] agent.leader: stopping routine: routine="virtual IP version check"
2024-02-10T00:46:30.928Z [INFO] agent.leader: stopped routine: routine="virtual IP version check"
2024-02-10T00:46:31.118Z [DEBUG] agent.server.cert-manager: CA config watch fired - updating auto TLS server name: name=server.dc1.peering.80d89f87-45b5-e936-4908-735fd86f8fd0.consul
2024-02-10T00:46:31.148Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:44077 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:31.151Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:31.151Z [ERROR] agent: yamux: Failed to write header: write tcp 127.0.0.1:44077->127.0.0.1:8300: write: broken pipe
2024-02-10T00:46:31.189Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:53683 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:31.189Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:31.189Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:32.115Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:33.178Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:46873 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:33.178Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:33.178Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:33.893Z [DEBUG] agent: Skipping remote check since it is managed automatically: check=serfHealth
2024-02-10T00:46:33.897Z [INFO] agent: Synced node info
2024-02-10T00:46:34.115Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:34.265Z [DEBUG] agent.server.cert-manager: got cache update event: correlationID=leaf error=<nil>
2024-02-10T00:46:34.265Z [DEBUG] agent.server.cert-manager: leaf certificate watch fired - updating auto TLS certificate: uri=spiffe://80d89f87-45b5-e936-4908-735fd86f8fd0.consul/agent/server/dc/dc1
2024-02-10T00:46:35.144Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:51601 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:35.146Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:35.146Z [ERROR] agent: yamux: Failed to write header: write tcp 127.0.0.1:51601->127.0.0.1:8300: write: broken pipe
2024-02-10T00:46:35.179Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:51953 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:35.179Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:35.179Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:36.115Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:36.592Z [DEBUG] agent: Skipping remote check since it is managed automatically: check=serfHealth
2024-02-10T00:46:36.592Z [DEBUG] agent: Node info in sync
2024-02-10T00:46:36.592Z [DEBUG] agent: Node info in sync
2024-02-10T00:46:37.151Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:57325 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:37.155Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:37.155Z [ERROR] agent: yamux: Failed to write header: write tcp 127.0.0.1:57325->127.0.0.1:8300: write: broken pipe
2024-02-10T00:46:37.193Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:43383 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:37.193Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:37.194Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:38.115Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:39.212Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:34501 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:39.215Z [ERROR] agent: yamux: Failed to write header: write tcp 127.0.0.1:34501->127.0.0.1:8300: write: broken pipe
2024-02-10T00:46:39.215Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:39.281Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:53495 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:39.281Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:39.282Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:40.122Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:41.153Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:34757 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:41.158Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:41.158Z [ERROR] agent: yamux: Failed to write header: write tcp 127.0.0.1:34757->127.0.0.1:8300: use of closed network connection
2024-02-10T00:46:41.205Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:49175 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:41.205Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:41.205Z [WARN] agent: error getting server health from server: server=agent-one error="rpc error making call: EOF"
2024-02-10T00:46:42.116Z [WARN] agent: error getting server health from server: server=agent-one error="context deadline exceeded"
2024-02-10T00:46:43.147Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:48423 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
2024-02-10T00:46:43.149Z [ERROR] agent: yamux: Failed to read header: remote error: tls: bad certificate
2024-02-10T00:46:43.149Z [ERROR] agent: yamux: Failed to write header: write tcp 127.0.0.1:48423->127.0.0.1:8300: use of closed network connection
2024-02-10T00:46:43.190Z [ERROR] agent.server.rpc: failed to read byte: conn=from=127.0.0.1:51819 error="tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"
I guess Consul has a problem with my consul.hello.com.crt file.
But what is wrong with it?
Thanks to the HashiCorp forum I was able to solve this.
Consul in some cases requires both TLS Web Server Authentication and TLS Web Client Authentication under the X509v3 extensions section of the certificate:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
I added the following line to the easy-rsa X509 extensions file, which solved the problem:
extendedKeyUsage = serverAuth,clientAuth
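Why the serverAuth-only certificate is rejected: with verify_incoming enabled, Consul servers authenticate each other's RPC connections with the same certificate, and the connecting side is a TLS client, so the certificate must also be valid for clientAuth. The added Go example below (not Consul's or HashiCorp's code) mints a throwaway CA and leaf with the names from the question and runs the crypto/x509 check Go's TLS stack applies to a peer's client certificate; keys, serials and validity periods are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with signer's key (self-signed when parent == tmpl) and
// returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issue builds a constructed CA (CN=hello.com) and a leaf for consul.hello.com
// carrying the given extended key usages; nothing here is the question's real key material.
func issue(eku []x509.ExtKeyUsage) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "hello.com"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, err = mint(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "consul.hello.com"},
		DNSNames:     []string{"consul.hello.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku, // the field the answer is about
	}
	leaf, err = mint(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

// verifyAsClient validates leaf against ca the way Go's TLS server does for a
// peer's client certificate (what verify_incoming demands on the RPC port).
func verifyAsClient(ca, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}
```

A leaf issued with only x509.ExtKeyUsageServerAuth fails verifyAsClient with exactly the "x509: certificate specifies an incompatible key usage" text from the log, while one issued with both EKUs passes; on a real file, openssl x509 -noout -ext extendedKeyUsage -in /tmp/consul.hello.com.crt shows the same field before restarting the agent.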