红帽全球峰会此内容没有您所选择的语言版本。
10.3. SSL Certificates
There is a single SSL certificate on each node host that is used for every application host name served by the host
httpd proxy. OpenShift Enterprise supports associating a certificate with a specific application alias, distinguishing them by way of the SNI extension to the SSL protocol. However, the host-wide wildcard certificate should still be configured for use with default host names.
The certificate created by default can be used to provide an encrypted connection to applications. However, it is not properly secure and results in the following warning messages from your browser:
- The certificate common name (CN) does not match the application URL.
- The certificate is self-signed.
- Assuming the end-user accepts the certificate anyway, if the application gear is migrated between node hosts, the new host will present a different certificate from the one the browser has accepted previously.
Create a proper certificate so that application users do not receive some or all of the warning messages described above when attempting to access an application.
10.3.1. Creating a Matching Certificate
复制链接链接已复制到粘贴板!
Create, or recreate, the certificate as a wildcard for the application domain so that it matches the published OpenShift Enterprise applications. Also create a new key because the default key is only 1024 bits in size, and a minimum size of 2048 bits is required by most certificate authorities. Use the following instructions to create a matching certificate.
Note
If you use the kickstart script, the
configure_wildcard_ssl_cert_on_node function performs this step.
Procedure 10.4. To Create a Matching Certificate:
- Configure the
$domainenvironment variable to simplify the process with the following command, replacingexample.comwith the domain name to suit your environment:domain=example.com
# domain=example.comdomain=example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Create the matching certificate using the following commands:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow The self-signed wildcard certificate created expires after 3650 days, or approximately 10 years. - Restart the
httpdservice:service httpd restart
# service httpd restartCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}