When I access the Kubernetes API server (v1.15) using this command on the server (CentOS 7.4):
curl -v --cacert /etc/kubernetes/cert/kubernetes.pem https://172.19.104.231:6443
The output is:
[root@ops001 cert]# curl -v --cacert /etc/kubernetes/cert/kubernetes.pem https://172.19.104.231:6443
* About to connect() to 172.19.104.231 port 6443 (#0)
* Trying 172.19.104.231...
* Connected to 172.19.104.231 (172.19.104.231) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/kubernetes/cert/kubernetes.pem
CApath: none
* Server certificate:
* subject: CN=kubernetes,OU=4Paradigm,O=k8s,L=BeiJing,ST=BeiJing,C=CN
* start date: Sep 17 16:37:00 2019 GMT
* expire date: Sep 14 16:37:00 2029 GMT
* common name: kubernetes
* issuer: CN=kubernetes,OU=4Paradigm,O=k8s,L=BeiJing,ST=BeiJing,C=CN
* NSS error -8182 (SEC_ERROR_BAD_SIGNATURE)
* Peer's certificate has an invalid signature.
* Closing connection 0
curl: (60) Peer's certificate has an invalid signature.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
How can I make the self-signed certificate work on the local machine with curl?