Security: TLS mutual authentication
qiang.ou edited this page Jul 6, 2018
Configuring TLS mutual authentication (supported from v1.2.2 onward)
To protect data in transit and the gocron-node task nodes, enabling it is strongly recommended.
Go must be installed (certstrap is built from source):
$ git clone https://github.com/square/certstrap
$ cd certstrap
$ ./build
Leave the passphrase empty when prompted:
$ bin/certstrap init --common-name "Root CA"
Created out/Root_CA.key
Created out/Root_CA.crt
Created out/Root_CA.crl
$ # 172.16.10.128 is the IP of the gocron-node server; it must match the IP configured for this task node in the gocron admin panel
$ bin/certstrap request-cert --ip 172.16.10.128
Created out/172.16.10.128.key
Created out/172.16.10.128.csr
$ bin/certstrap sign --CA "Root CA" --years 10 172.16.10.128
Created out/172.16.10.128.crt from out/172.16.10.128.csr signed by out/Root_CA.key
$ bin/certstrap request-cert --ip 127.0.0.1
Created out/127.0.0.1.key
Created out/127.0.0.1.csr
$ bin/certstrap sign --CA "Root CA" --years 10 127.0.0.1
Created out/127.0.0.1.crt from out/127.0.0.1.csr signed by out/Root_CA.key
$ ll
391190 -r--r--r-- 1 root root 1521 9月 7 22:09 127.0.0.1.crt * client (gocron) certificate
391188 -r--r--r-- 1 root root 936 9月 7 22:09 127.0.0.1.csr
391189 -r--r----- 1 root root 1679 9月 7 22:09 127.0.0.1.key * client (gocron) private key
391182 -r--r--r-- 1 root root 1525 9月 7 22:04 172.16.10.128.crt * server (gocron-node) certificate
391148 -r--r--r-- 1 root root 944 9月 7 21:57 172.16.10.128.csr
391181 -r--r----- 1 root root 1679 9月 7 21:57 172.16.10.128.key * server (gocron-node) private key
391147 -r--r--r-- 1 root root 922 9月 7 21:55 Root_CA.crl
391143 -r--r--r-- 1 root root 1757 9月 7 21:55 Root_CA.crt * CA certificate
391144 -r--r----- 1 root root 3243 9月 7 21:55 Root_CA.key
Root_CA.crt
172.16.10.128.key
172.16.10.128.crt
Copy the three files above to the gocron-node server.
Restrict the permissions of the private key 172.16.10.128.key so that only the user running gocron-node can read it:
chmod 600 172.16.10.128.key
Start gocron-node:
./gocron-node -enable-tls -ca-file Root_CA.crt -cert-file 172.16.10.128.crt -key-file 172.16.10.128.key
Root_CA.crt
127.0.0.1.crt
127.0.0.1.key
Copy the three files above to the gocron server.
Restrict the permissions of the private key 127.0.0.1.key so that only the user running gocron can read it:
chmod 600 127.0.0.1.key
Add the certificate paths to the configuration file conf/app.ini:
enable_tls = true
ca_file = /path/to/Root_CA.crt
cert_file = /path/to/127.0.0.1.crt
key_file = /path/to/127.0.0.1.key
Restart gocron.
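To show what the two sides actually check once this is wired up, and why the node certificate's IP must equal the IP configured in gocron, here is an added Go example that is not gocron's or certstrap's code: it rebuilds the same three-certificate PKI in memory (constructed stand-ins for certstrap's files) and runs the verification that crypto/tls performs on each peer certificate. The names issue, accepted and Scenarios are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue stands in for certstrap: parent == nil gives a self-signed CA ("init"), otherwise a leaf signed by it ("request-cert --ip" + "sign").
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, ips ...net.IP) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, IPAddresses: ips, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: may sign other certificates and signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepted applies the check crypto/tls runs on a peer certificate: chain to the trusted CA with the right extended key usage and, when ip is set (client side), carry that IP as a SAN.
func accepted(peer, ca *x509.Certificate, usage x509.ExtKeyUsage, ip string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}, DNSName: ip})
	return err == nil
}

// Scenarios rebuilds the page's PKI in memory (constructed): Root CA, node cert for 172.16.10.128, gocron client cert for 127.0.0.1, plus a client cert from an unrelated CA.
func Scenarios() (nodeOK, nodeWrongIP, clientOK, foreignClient bool) {
	ca, caKey := issue("Root CA", nil, nil)
	node, _ := issue("172.16.10.128", ca, caKey, net.ParseIP("172.16.10.128"))
	cli, _ := issue("127.0.0.1", ca, caKey, net.ParseIP("127.0.0.1"))
	otherCA, otherKey := issue("Other CA", nil, nil)
	foreign, _ := issue("127.0.0.1", otherCA, otherKey, net.ParseIP("127.0.0.1"))
	return accepted(node, ca, x509.ExtKeyUsageServerAuth, "172.16.10.128"),
		accepted(node, ca, x509.ExtKeyUsageServerAuth, "172.16.10.129"), // gocron configured with a different node IP
		accepted(cli, ca, x509.ExtKeyUsageClientAuth, ""),
		accepted(foreign, ca, x509.ExtKeyUsageClientAuth, "")
}
```

Only the first and third checks pass: the node cert is rejected as soon as the dialled IP differs from its SAN, and a client cert not signed by Root_CA.crt is rejected by the node, which is the guarantee the ca_file setting provides.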