GroupBlog

问题描述：

在安装etcd 3.3.22 版本的时候，需要启用证书认证，于是我按此教程：Generate self-signed certificates 来生成自签名证书，用于etcd 各节点间、etcd server 与 client间的认证

当我按教程生成证书，配置etcd，启动服务后，etcd服务端则报出如下警告：

WARNING: 2020/06/28 15:58:05 grpc: addrConn.createTransport failed to connect to {0.0.0.0:5001 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...
2020-06-28 16:00:15.047099 I | embed: rejected connection from "127.0.0.1:42457" (error "tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage", ServerName "")
WARNING: 2020/06/28 16:00:15 grpc: addrConn.createTransport failed to connect to {0.0.0.0:5001 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...

服务一切都正常，客户端也可以正常访问，但就是会持续报出此warning。

问题原因

经过在谷歌上的不懈探索，终于在 github上找到了同样问题的issue：etcd server with TLS would start with error “tls: bad certificate”,顿时欣喜若狂。下面分享问题产生原因：

如下是etcd 客户端认证相关的配置：

client-transport-security:
  client-cert-auth: true
  trusted-ca-file: /home/work/etcd/conf/ssl/ca.pem
  cert-file: /home/work/etcd/conf/ssl/server.pem
  key-file: /home/work/etcd/conf/ssl/server-key.pem

对应于命令行参数：

--client-cert-auth \
--trusted-ca-file /etc/ssl/certs/etcd/ca.pem \
--cert-file /etc/ssl/certs/etcd/server.pem \
--key-file /etc/ssl/certs/etcd/server-key.pem \

此处配置的证书不仅用于服务端认证(server auth)，还会被用于客户端认证(client auth)，因此server 证书的配置需要同时支持 server auth 和 client auth，但是此教程：Generate self-signed certificates server 的usages只有：signing、key encipherment、server auth 这三种，缺少client auth，从而导致出现 certificate specifies an incompatible key usage警告

解决方案

修改 ca-config.json配置，将server的配置更换为如下配置：

"server": {
	"expiry": "43800h",
    "usages": [
    	"signing",
    	"key encipherment",
    	"server auth",
    	"client auth"
    ]
}

然后再重新生成服务端证书即可，用新生成的证书重新启动etcd就正常了。