From d14414365e8fa9590e46b63a29754fb29f81778c Mon Sep 17 00:00:00 2001 From: gaoruoshu Date: Wed, 16 Feb 2022 14:41:47 +0800 Subject: [PATCH] add FAQ and self signature certificate manufacturing --- Documentation/UserGuide/A-Tune-User-Guide.md | 70 ++++++++++++++++++ ...50\346\210\267\346\214\207\345\215\227.md" | 72 +++++++++++++++++++ 2 files changed, 142 insertions(+) diff --git a/Documentation/UserGuide/A-Tune-User-Guide.md b/Documentation/UserGuide/A-Tune-User-Guide.md index cd99cd4..cbb9d66 100644 --- a/Documentation/UserGuide/A-Tune-User-Guide.md +++ b/Documentation/UserGuide/A-Tune-User-Guide.md @@ -1235,6 +1235,12 @@ Perform tuning. 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ``` +**Q4: The atuned or atune-engine service cannot be started, and the message "Startup failed. Please provide the authentication certificate." is displayed.** + +**Cause:** Missing the certificate file during communication. The default communication protocol of REST APIs in the atuned or atune-engine service is HTTPS. + +**Solution:** Providing the certificate file issued by the authority and saving it to the corresponding configuration directory. The default certificate directory of the atuned service is /etc/atuned/rest_certs/, and the default certificate directory of the atune-engine service is /etc/atuned/engine_certs/. You can also change the default certificate directory and certificate file name in the atuned.cnf and engine.cnf files under the /etc/atuned/ directory. For the development and commissioning environment, you can also make self-service signature certificate by following section 5.2. + # 5 Appendixes @@ -1248,3 +1254,67 @@ Perform tuning. | profile | Set of optimization items and optimal parameter configuration. | +## 5.2 Self-signature Certificate Manufacturing Method + +### 5.2.1 Creating a Certificate Directory + +```shell +CERT_PATH=demo +mkdir $CERT_PATH +``` + +### 5.2.2 Generating the RSA Key Pair for the CA + +```shell +openssl genrsa -out $CERT_PATH/ca.key 2048 +``` + +### 5.2.3 Generating the CA Root Certificate + +```shell +openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt +``` + +### 5.2.4 Generating the Server Certificate + +```shell +# The IP address can be changed according to the actual situation. +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/server.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/server.key -out $CERT_PATH/server.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + +### 5.2.5 Generating the Client Certificate + +```shell +# The IP address can be changed according to the actual situation. +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/client.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/client.key -out $CERT_PATH/client.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + + diff --git "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" index 59b25e0..064708c 100644 --- "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" +++ "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" @@ -1247,6 +1247,15 @@ evaluations : 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ``` +**问题4:atuned或atune-engine服务无法启动,提示“Startup failed. Please provide the authentication certificate.”。** + +**原因:** atuned或atune-engine服务中的REST API默认通信协议为https,通信中缺少证书文件 + +**解决方法:** 用户提供权威机构签发的证书文件并放入对应的配置目录下,其中atuned服务的默认证书>目录为/etc/atuned/rest_certs/,atune-engine服务的默认证书目录为/etc/atuned/engine_certs/,也可 +以通过/etc/atuned/目录下的atuned.cnf和engine.cnf配置文件修改默认证书目录和证书文件名。对于开发 +调试环境也可以通过5.2节方法制作的自签名证书进行服务通信。 + + # 5 附录 ## 5.1 术语和缩略语 @@ -1258,3 +1267,66 @@ evaluations : | profile | 优化项集合,最佳的参数配置 | +## 5.2 自签名证书制作方法 + +### 5.2.1 证书目录创建 + +```shell +CERT_PATH=demo +mkdir $CERT_PATH +``` + +### 5.2.2 生成CA的RSA密钥对 + +```shell +openssl genrsa -out $CERT_PATH/ca.key 2048 +``` + +### 5.2.3 生成CA根证书 + +```shell +openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt +``` + +### 5.2.4 生成服务器证书 + +```shell +# ip地址可以根据实际情况修改 +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/server.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/server.key -out $CERT_PATH/server.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + +### 5.2.5 生成客户端证书 + +```shell +# ip地址可以根据实际情况修改 +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/client.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/client.key -out $CERT_PATH/client.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + -- 2.30.0