Question
The AWS console (EC2 dashboard) shows the public DNS name as ec2-99-xx-xx-xx.ca-central-1.compute.amazonaws.com for an EC2 instance.
But the same EC2 instance has a different DNS name (shown below) compared to the DNS name shown in the AWS console:
$ hostname -f
ip-172-xx-xx-xx.ca-central-1.compute.internal
The EC2 instance is created in the default VPC.
AWS documentation says: When you launch an instance, we allocate a primary private IPv4 address for the instance. Each instance is also given an internal DNS hostname that resolves to the primary private IPv4 address; for example, ip-10-251-50-12.ec2.internal. You can use the internal DNS hostname for communication between instances in the same VPC, but we can't resolve the internal DNS hostname outside of the VPC.
Each instance that receives a public IP address is also given an external DNS hostname; for example, ec2-203-0-113-25.compute-1.amazonaws.com. We resolve an external DNS hostname to the public IP address of the instance from outside its VPC, and to the private IPv4 address of the instance from inside its VPC. The public IP address is mapped to the primary private IP address through network address translation (NAT).
Before generating a certificate for the docker daemon with the command below:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=daemon daemon-csr.json | cfssljson -bare daemon
we need to add a CN attribute in daemon-csr.json. hostname -f has a different domain compared to the DNS name shown in the AWS console.
1) As the EC2 instance has multiple DNS names (.internal & public DNS), which DNS name should be assigned to the CN attribute? ip-172-xx-xx-xx.ca-central-1.compute.internal or ec2-99-xx-xx-xx.ca-central-1.compute.amazonaws.com
2) If CN is ip-172-xx-xx-xx.ca-central-1.compute.internal, does a remote docker client then connect to the docker daemon after setting export DOCKER_HOST=tcp://ec2-99-xx-xx-xx.ca-central-1.compute.amazonaws.com DOCKER_TLS_VERIFY=1 ?
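Added example (not part of the original question or of cfssl/Docker): cfssl copies every entry of the CSR's "hosts" array into the certificate's subjectAltName extension, and the Docker client (Go's crypto/tls) matches the host part of DOCKER_HOST against SANs, not against CN, so the practical approach is to list every name the daemon is reached by. The hostnames, the "names" subject fields and the 2376 port are constructed sample values; the matcher below simulates the client's hostname check and does not talk to a real daemon.

```python
import json
from urllib.parse import urlsplit

# Constructed sample values standing in for the masked names in the question
# (RFC 5737 documentation address in the public name).
INTERNAL_NAME = "ip-172-31-0-10.ca-central-1.compute.internal"
PUBLIC_NAME = "ec2-203-0-113-25.ca-central-1.compute.amazonaws.com"


def daemon_csr(hosts, cn=None):
    """Build the cfssl CSR request (contents of daemon-csr.json) as a dict.

    Entries in "hosts" become subjectAltName entries (DNS or IP); CN only
    lands in the Subject. Subject "names" values are placeholders.
    """
    return {
        "CN": cn or hosts[0],
        "hosts": list(hosts),
        "key": {"algo": "rsa", "size": 2048},
        "names": [{"C": "CA", "ST": "Quebec", "L": "Montreal", "O": "example"}],
    }


def san_matches(san_entry, hostname):
    """RFC 6125-style DNS-ID match: exact, or one leftmost wildcard label."""
    san, host = san_entry.lower().rstrip("."), hostname.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # ".ca-central-1.compute.amazonaws.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def client_would_accept(csr, docker_host):
    """Simulate DOCKER_TLS_VERIFY=1: the client takes the host part of
    DOCKER_HOST (tcp://host:port) and requires a covering SAN; CN is ignored."""
    host = urlsplit(docker_host).hostname
    return any(san_matches(san, host) for san in csr["hosts"])


if __name__ == "__main__":
    # Write a request that covers both names the daemon is reached by,
    # plus loopback for local use of the same certificate.
    csr = daemon_csr([INTERNAL_NAME, PUBLIC_NAME, "127.0.0.1"])
    print(json.dumps(csr, indent=2))
    print(client_would_accept(csr, f"tcp://{PUBLIC_NAME}:2376"))  # True
```

With only the internal name in "hosts", the same check against the public DNS name fails, which is the situation question 2) describes.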
Source: https://stackoverflow.com/questions/57981385/tls-certificate-how-to-assign-a-dns-name-for-cn-attribute