I generated the SSL certificates with the following commands:
C=PL
ST=Mazovia
L=Warsaw
O="PHP-HTTP"
CN="192.168.56.10"
openssl req -out ca.pem -new -x509 -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-server" -passout pass:password
openssl genrsa -out server.key
openssl req -key server.key -new -out server.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN" -passout pass:password
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -passin pass:password
openssl genrsa -out client.key
openssl req -key client.key -new -out client.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-adapter-client" -passout pass:password
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem -passin pass:password
Applied them to the dockerd daemon:
sudo cp ca.pem /root/.docker/
sudo cp server.key /root/.docker/key.pem
sudo cp server.pem /root/.docker/cert.pem
and enabled it by adding --tlsverify (Alpine Linux).
From a PHP script I connected to the /version endpoint successfully:
$client = (new CurlHttpClient([
// 'bindto' => '/var/run/docker.sock'
'cafile' => __DIR__ . '/../../../ssl-test/ca.pem',
'local_cert' => __DIR__ . '/../../../ssl-test/client.pem',
'local_pk' => __DIR__ . '/../../../ssl-test/client.key',
// 'verify_host' => false,
]));
$response = $client->request(
'GET',
'https://192.168.56.10:2376/version'
);
I would like to establish that same connection with the regular curl command, but whatever combination of options I use (--cacert, --cert), I get an error. How do I need to put the output files together to get a working connection?
Edit > System: WSL2 Ubuntu 22.04.3 LTS
Answer 1
curl -vv helped a lot. I figured that curl expects a specific format for the certificate, and found that it needs both the private key client.key (pkey) and client.pem (cert) in a single file:
[~] cat client.pem >> cert-and-key.pem
[~] cat client.key >> cert-and-key.pem
[~] curl -vv --cacert ca.pem --cert cert-and-key.pem https://192.168.56.10:2376/version
Note: alternatively, instead of --cacert ca.pem you can also use -k / --insecure (not recommended).
Output:
* Trying 192.168.56.10:2376...
* Connected to 192.168.56.10 (192.168.56.10) port 2376 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: ca.pem
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=192.168.56.10
* start date: Dec 2 23:15:27 2023 GMT
* expire date: Jan 1 23:15:27 2024 GMT
* common name: 192.168.56.10 (matched)
* issuer: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=socket-server
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /version HTTP/1.1
> Host: 192.168.56.10:2376
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Api-Version: 1.42
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/23.0.6 (linux)
< Date: Sun, 03 Dec 2023 15:23:48 GMT
< Content-Length: 873
<
{"Platform":{"Name":""},"Components":[{"Name":"Engine","Version":"23.0.6","Details":{"ApiVersion":"1.42","Arch":"amd64","BuildTime":"2023-10-12T14:14:03.000000000+00:00","Experimental":"false","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","KernelVersion":"6.1.60-0-virt","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.7.2","Details":{"GitCommit":"0cae528dd6cb557f7201036e9f43420650207b58"}},{"Name":"runc","Version":"1.1.7","Details":{"GitCommit":"860f061b76bb4fc671f0f9e900f7d80ff93d4eb7"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":""}}],"Version":"23.0.6","ApiVersion":"1.42","MinAPIVersion":"1.12","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","Os":"linux","Arch":"amd64","KernelVersion":"6.1.60-0-virt","BuildTime":"2023-10-12T14:14:03.000000000+00:00"}
* Connection #0 to host 192.168.56.10 left intact
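Added example, not code from the question or the answer above: a script that builds the combined cert-and-key file the answer feeds to curl's --cert option and checks it before curl ever talks to the daemon (one certificate and one key in the file, the key matching the certificate, and the certificate chaining to ca.pem). It assumes the openssl CLI is installed; the CA and client certificate it generates are constructed throwaway test inputs, not the files from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: build the combined
# cert+key file that curl's --cert option expects and sanity-check it before
# pointing curl at the daemon. Assumes the openssl CLI is installed. The CA and
# client certificate generated below are constructed throwaway test inputs so
# the script runs stand-alone; they are not the files from the question.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI: a self-signed CA plus one client certificate it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.req" 2>/dev/null
    openssl x509 -req -in "$WORK/client.req" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/client.pem" 2>/dev/null
}

# Certificate first, then key: the order the answer used and the one curl reads.
bundle_identity() {   # $1=cert  $2=key  $3=output bundle
    cat "$1" "$2" > "$3"
    chmod 600 "$3"    # the bundle now contains a private key
}

# Checks a bundle: exactly one cert and one key, the key matches the cert, and
# the cert chains to the CA. Prints "ok" and returns 0 only if all hold.
check_bundle() {      # $1=bundle  $2=ca.pem
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1")
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ] || { echo "bad block count"; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1" \
              | openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert"; return 1; }
    openssl x509 -in "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1 \
        || { echo "cert not issued by CA"; return 1; }
    echo ok
}

make_test_pki
bundle_identity "$WORK/client.pem" "$WORK/client.key" "$WORK/cert-and-key.pem"
check_bundle "$WORK/cert-and-key.pem" "$WORK/ca.pem"
# Real use: curl --cacert ca.pem --cert cert-and-key.pem https://HOST:2376/version
```

Run it with the question's files by calling bundle_identity and check_bundle on client.pem, client.key and ca.pem instead of the generated ones; a failing check tells you which of the three conditions curl would have tripped over.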