k8s-18-api-server更换证书-白红宇

k8s-18-api-server更换证书

阅读量：6416 次

发布时间：2019-06-23

本文共 6737 字，大约阅读时间需要 22 分钟。

1 目前证书是信任三个master ip地址在加一个

[root@k8s-master seversslbak]# cfssl-certinfo -cert server.pem {  "subject": {    "common_name": "kubernetes",    "country": "CN",    "organization": "k8s",    "organizational_unit": "System",    "locality": "BeiJing",    "province": "BeiJing",    "names": [      "CN",      "BeiJing",      "BeiJing",      "k8s",      "System",      "kubernetes"    ]  },  "issuer": {    "common_name": "kubernetes",    "country": "CN",    "organization": "k8s",    "organizational_unit": "System",    "locality": "Beijing",    "province": "Beijing",    "names": [      "CN",      "Beijing",      "Beijing",      "k8s",      "System",      "kubernetes"    ]  },  "serial_number": "591829917047207358591893406474948745207699905189",  "sans": [    "kubernetes",    "kubernetes.default",    "kubernetes.default.svc",    "kubernetes.default.svc.cluster",    "kubernetes.default.svc.cluster.local",    "127.0.0.1",    "192.168.56.10",    "192.168.56.11",    "192.168.56.12",    "10.10.10.1"  ],  "not_before": "2018-10-02T02:52:00Z",  "not_after": "2028-09-29T02:52:00Z",  "sigalg": "SHA256WithRSA",  "authority_key_id": "93:D5:D3:91:42:2C:22:45:E:EE:12:82:F8:78:9C:BA:D0:5:DE:43",  "subject_key_id": "9E:76:4C:F7:24:11:E5:86:24:1:C2:DC:2D:F5:AA:3B:F0:B3:21:A5",  "pem": "-----BEGIN CERTIFICATE-----\nMIIEhTCCA22gAwIBAgIUZ6qSQldvDDFbFZ0mWhR30hU2mqUwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE4MTAwMjAyNTIwMFoXDTI4MDkyOTAyNTIwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyk0D+RlWUot1909wHhxs\n8gHESHGwjW85OyfN6qMwBeZbrLy9OJGWWADvxhLd5JXga+3ZMmyp979+RzDvTaoE\nFpOAaKzQBipWJguU2kP9PO/AGKePD7+sAHK8D09A6z9T7rFqr/ymALkDgtLG9xiG\nzLhJrdmZNjvGPB3RLFHtXt6RXR6vnXJ9JpQ90b1hmXsp8tRv0YNfaGA3KhOSNB6e\nXC0oTXNS/h4G1l0ee9x0BVYlwDCwL/7lSVF0E1lAcXzU8zqy4qY2815CHcHaTtxw\nMne6jSwh6DMfIdVuZSiLumgeLIRJZntRFwd8GqMmDGjCwomH+XutasJ8OGaApDh6\nxQIDAQABo4IBKzCCAScwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSedkz3JBHlhiQB\nwtwt9ao78LMhpTAfBgNVHSMEGDAWgBST1dORQiwiRQ7uEoL4eJy60AXeQzCBpwYD\nVR0RBIGfMIGcggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVy\nbmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rl\ncoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTA\nqDgKhwTAqDgLhwTAqDgMhwQKCgoBMA0GCSqGSIb3DQEBCwUAA4IBAQCTT5vj/DYR\niPwJ3eXd48fK6GDtwtRlfs1XlDxjVRx77OOiw3L7f3D3+fExC5Zq9TffJ7r32NRp\n+FICkkmguYCmvZ5sohiiunDdVfeKDWxYT4LlqF1YX1Ta0D6bVyRdvr9lImaty+hS\nkyH3BFVocVSn2vdtGUSy2X8LRrEXNvdcRrrLihVWlZONCrAUV2pnyU8LWHhDEZak\n5H3aIlz7Eqr4/lcXytXjk1DiTGAi67fwLy4yiRvrPnpsYlp/Ee9gudlkysO7ArIi\nNBKK42nYU1pGXqIeOarrCH1WWDGMy2JHp/okSEVlktoy2gwGi7GembAf68x5viUM\ngoV9PpKjMgvD\n-----END CERTIFICATE-----\n"}

{    "CN": "kubernetes",    "hosts": [      "127.0.0.1",      "192.168.56.10",      "192.168.56.11",      "192.168.56.12",      "192.168.56.13",      "10.10.10.1",      "kubernetes",      "kubernetes.default",      "kubernetes.default.svc",      "kubernetes.default.svc.cluster",      "kubernetes.default.svc.cluster.local"    ],    "key": {        "algo": "rsa",        "size": 2048    },    "names": [        {            "C": "CN",            "L": "BeiJing",            "ST": "BeiJing",            "O": "k8s",            "OU": "System"        }    ]}

3.基于原来的ca证书重新生成server.perm server-key.pem

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

cp server.pem server-key.pem /opt/kubernetes/ssl/

systemctl restart kube-apiserver

[root@k8s-master ssl]# cfssl-certinfo  -cert  server.pem {  "subject": {    "common_name": "kubernetes",    "country": "CN",    "organization": "k8s",    "organizational_unit": "System",    "locality": "BeiJing",    "province": "BeiJing",    "names": [      "CN",      "BeiJing",      "BeiJing",      "k8s",      "System",      "kubernetes"    ]  },  "issuer": {    "common_name": "kubernetes",    "country": "CN",    "organization": "k8s",    "organizational_unit": "System",    "locality": "Beijing",    "province": "Beijing",    "names": [      "CN",      "Beijing",      "Beijing",      "k8s",      "System",      "kubernetes"    ]  },  "serial_number": "508184769729075093485943956732747441633339345736",  "sans": [    "kubernetes",    "kubernetes.default",    "kubernetes.default.svc",    "kubernetes.default.svc.cluster",    "kubernetes.default.svc.cluster.local",    "127.0.0.1",    "192.168.56.10",    "192.168.56.11",    "192.168.56.12",    "192.168.56.13",    "10.10.10.1"  ],  "not_before": "2018-10-27T03:11:00Z",  "not_after": "2028-10-24T03:11:00Z",  "sigalg": "SHA256WithRSA",  "authority_key_id": "93:D5:D3:91:42:2C:22:45:E:EE:12:82:F8:78:9C:BA:D0:5:DE:43",  "subject_key_id": "7B:6E:13:B3:7A:31:84:E5:A4:9:87:64:8C:7D:EE:1:71:C2:EE:66",  "pem": "-----BEGIN CERTIFICATE-----\nMIIEizCCA3OgAwIBAgIUWQPLDvnjyQgDePhdAwjioWv3i0gwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE4MTAyNzAzMTEwMFoXDTI4MTAyNDAzMTEwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCpmf7s4P25vls5mPynl\nnxbdA3c8SrW54ZVPePk2LOJIFZl5CfqNoB5O4bNSgEVo8uTTLDDMab+H9XhqD2DO\ndpNrzfQ3oJbx5olodR8rph3BDP6RKSB8Mj9T6pbgcNXYWMvLrTbJahXfWzrxG/IN\nRaqgoUmuBomGN7xLbJpmEREmMzB4Q3/Cr0YZqkOgUiwgzuOwdfObzQ/JzWuZoQNw\n374QhaIqpVaH/ZIGHgL3XKblzuv3zhtLV9Vmi0/ST6+1m+yVS6fkvdiOHG2bXYFM\ng7seGd8ZU6dUV6sxMciAChsbWWPCHcYiqGO1C6Qa6ACJhlukDFhMzPvleI9ithuT\nLQIDAQABo4IBMTCCAS0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR7bhOzejGE5aQJ\nh2SMfe4BccLuZjAfBgNVHSMEGDAWgBST1dORQiwiRQ7uEoL4eJy60AXeQzCBrQYD\nVR0RBIGlMIGiggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVy\nbmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rl\ncoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTA\nqDgKhwTAqDgLhwTAqDgMhwTAqDgNhwQKCgoBMA0GCSqGSIb3DQEBCwUAA4IBAQA/\n3cMaOSScJL7g8O0iHhS0TFJ6qy1/RKYcq0Sr0cLAwP4z4OzMwdO7NF0U51VyjOLU\n81b3WCh1PHl7TV47ja2lP5fIe5+WCfnSRUMo66yRjItVFOqxQUzdD3v3YxaBuKou\npNbPlk8rUMs6a+6kUiN82QZjlAJZXWIdnxm+IkFHKLS/GCk9TemqhlMogejmYgUI\njBuZL3ZnkWX2QFMW13xEEs0pR+oxPsGaXu16UsRjhewVgZNNo5lHjn8Llgs2Nubk\nKzlVDm6NfZcac+UxOrfOaaHwXb6wSXYN/wIwrcCyjuy8Hq7aDV0glCf/WmMcJiGT\nStVwi1DLBdWkQNCcmkFN\n-----END CERTIFICATE-----\n"}[root@k8s-master ssl]#

转载于:https://blog.51cto.com/wsxxsl/2309663

你可能感兴趣的文章

[hexo]如何更换主题、删除文章

查看>>

cinder-volume报错vmdk2 is reporting problems, not sending heartbeat. Service will appear "down".