Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.
Original topic: tidb集群证书问题求助
After enabling enable_tls: true, TiKV and PD each have their own certificate, and there is another certificate displayed by tiup.
The output of tiup cluster display xxxxX is as follows:
Cluster type: tidb
Cluster name: xxxxX
Cluster version: v6.5.0
Deploy user: tikvxxxx
SSH type: builtin
TLS encryption: enabled
CA certificate: /root/.tiup/storage/cluster/clusters/xxxxX/tls/ca.crt
Client private key: /root/.tiup/storage/cluster/clusters/X/tls/client.pem
Client certificate: /root/.tiup/storage/cluster/clusters/X/tls/client.crt
- What are the purposes of these three certificates?
- What values should be configured for cert-allowed-cn in TiKV and PD?
Could you please help explain how to configure the cert-allowed-cn setting? I configured the CN of the PD certificate in the TiKV configuration and the CN of the TiKV certificate in the PD configuration, but I found that PD still rejects TiKV’s requests. Thank you very much.
How about trying to configure it like this?
If you use cfssl, you must use the same CA (Certification Authority) as the original cluster. You need to follow steps 5 to 7 in the Issuing Certificates Using the cfssl System documentation to complete the certificate issuance between components of the new cluster.
tikv-ctl provides the following two operating modes:
- Remote mode. Accepts the TiKV service address as a parameter through the --host option. In this mode, if TiKV has SSL enabled, tikv-ctl also needs to specify the relevant certificate files, for example:
tikv-ctl --ca-path ca.pem --cert-path client.pem --key-path client-key.pem --host 127.0.0.1:20160 <subcommands>
In some cases, tikv-ctl communicates with PD instead of TiKV. In this case, you need to use the --pd option instead of the --host option, for example:
tikv-ctl --pd 127.0.0.1:2379 compact-cluster
store:"127.0.0.1:20160" compact db:KV cf:default range:([], []) success!
- Local mode:
  - Use the --data-dir option to specify the directory path of the local TiKV data.
  - Use the --config option to specify the path to the local TiKV configuration file. In this mode, you need to stop the running TiKV instance.
Unless otherwise specified, all commands support both modes.
Additionally, tikv-ctl has two simple commands, --to-hex and --to-escaped, for simple transformations of key forms. Generally, the escaped form is used, as shown below:
tikv-ctl --to-escaped 0xaaff
\252\377
tikv-ctl --to-hex "\252\377"
AAFF
Note: When specifying the escaped form of the key on the command line, you need to enclose it in double quotes, otherwise bash will eat the backslashes, resulting in an error.
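The hex and escaped key forms shown above, as an added Python example that is not from the forum post or from tikv-ctl itself. It follows the octal-escape convention the sample output shows (each non-printable byte as a backslash and three octal digits, so 0xaaff becomes \252\377); how it treats printable bytes, quotes, backslashes and the \n \r \t escapes is an assumption modelled on tikv-ctl's behaviour rather than something the post states.

```python
# Added example: convert keys between tikv-ctl's hex and escaped forms.
# Assumption (not from the post): printable ASCII 0x20..0x7e is kept literally,
# '"' and '\' are backslash-escaped, \n \r \t use their C-style escapes, and
# every other byte becomes a three-digit octal escape, as in \252\377.

SPECIAL = {0x0A: r"\n", 0x0D: r"\r", 0x09: r"\t", 0x22: r"\"", 0x5C: r"\\"}
UNSPECIAL = {"n": 0x0A, "r": 0x0D, "t": 0x09, '"': 0x22, "\\": 0x5C}


def to_escaped(raw: bytes) -> str:
    """Like `tikv-ctl --to-escaped`: raw key bytes -> escaped text form."""
    out = []
    for b in raw:
        if b in SPECIAL:
            out.append(SPECIAL[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            # three octal digits: top 2 bits, middle 3 bits, low 3 bits
            out.append("\\%d%d%d" % (b >> 6, (b >> 3) & 7, b & 7))
    return "".join(out)


def from_escaped(text: str) -> bytes:
    """Inverse of to_escaped; raises ValueError on a malformed escape."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))  # ValueError if not a single byte
            i += 1
            continue
        nxt = text[i + 1 : i + 2]
        digits = text[i + 1 : i + 4]
        if nxt in UNSPECIAL:
            out.append(UNSPECIAL[nxt])
            i += 2
        elif len(digits) == 3 and all(c in "01234567" for c in digits):
            value = int(digits, 8)
            if value > 0xFF:
                raise ValueError("octal escape out of range at %d: \\%s" % (i, digits))
            out.append(value)
            i += 4
        else:
            raise ValueError("malformed escape at offset %d: %r" % (i, text[i : i + 4]))
    return bytes(out)


def to_hex(escaped: str) -> str:
    """Like `tikv-ctl --to-hex`: escaped text -> upper-case hex."""
    return from_escaped(escaped).hex().upper()


def hex_to_escaped(hex_key: str) -> str:
    """Like `tikv-ctl --to-escaped 0xaaff`: accepts an optional 0x prefix."""
    return to_escaped(bytes.fromhex(hex_key[2:] if hex_key.lower().startswith("0x") else hex_key))
```

Because the shell strips unquoted backslashes, as the note above says, pass escaped keys to this script (or to tikv-ctl) inside double quotes.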
There is actually such a document: Generate Self-Signed Certificates | PingCAP Docs
Does PD not have the cert-allowed-cn command? Will it prompt an authentication error when enabled?
I’ll write part of it, TiKV’s cert-allowed-cn:
It can be configured as the hostname, host IP, or DNS name of the PD server.
This setting is used to control the TiKV connection to the PD server. The connection will only be trusted if the server’s hostname or IP matches this configuration.
Let me ask again: if PD also needs to verify the client’s identity, how should it be configured? Thanks!!!