Replacing NeuVector's Internal Certificates

NeuVector ships TLS certificates that encrypt communication for the Manager (console/UI access), the Controller (REST API and internal communication), the Enforcer (internal communication) and the Scanner (internal communication).

NeuVector v5.4.2 and later require you to generate or replace the internal certificates before using NeuVector. After March 2025, versions earlier than v5.4.2 also require the internal certificates to be generated or replaced before use.

Reference: https://open-docs.neuvector.com/5.4/deploying/production/internal


Symptoms

If you run a NeuVector version earlier than v5.4.2 and still use the internal certificates that were auto-generated at first start, TLS verification between the NeuVector components fails once those certificates expire.

A typical error looks like this:

2026-05-21T06:37:44.875Z [ERROR] agent.server.rpc: failed to read byte: conn=from=10.42.74.158:51907 error="tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2026-05-21T06:37:44Z is after 2026-05-17T02:21:44Z"

The cause is that the internal CA certificate /etc/neuvector/certs/internal/ca.cert has expired:

openssl x509 -in ca.cert -noout -text
Issuer: C = US, ST = California, O = NeuVector Inc., CN = NeuVector
Validity
Not Before: May 19 02:21:44 2016 GMT
Not After : May 17 02:21:44 2026 GMT

If you do not plan to upgrade NeuVector for now, you need to generate new internal certificates manually and replace the old ones.


Solution


Replacing the internal certificates with a self-signed certificate

Generate the certificates:

# Request config; the [v3_req] section is applied to the leaf certificate when it is signed
cat <<EOF > ca.cfg
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = San Jose
O = NeuVector Inc.
OU = Neuvector
CN = Neuvector

[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = Neuvector
EOF

# CA private key and self-signed CA certificate (valid for 10 years)
openssl genrsa -out ca.key 2048

openssl req -x509 -sha256 -new -nodes -key ca.key -days 3650 -out ca.crt \
  -subj "/C=US/ST=California/L=San Jose/O=NeuVector Inc./OU=Neuvector/CN=Neuvector"

# Private key and CSR for the internal (leaf) certificate
openssl genrsa -out tls.key 2048

openssl req -new -key tls.key -sha256 -out cert.csr -config ca.cfg

# Inspect the CSR
openssl req -in cert.csr -noout -text

# Sign the CSR with the CA, applying keyUsage, extendedKeyUsage and the SAN from [v3_req]
openssl x509 -req -sha256 -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 3650 -extensions 'v3_req' -extfile ca.cfg

# Inspect the signed certificate
openssl x509 -in tls.crt -text

Create the Secret:

NAMESPACE=xxx
kubectl -n $NAMESPACE create secret generic internal-cert \
--from-file=tls.key=tls.key \
--from-file=tls.crt=tls.crt \
--from-file=ca.crt=ca.crt

Edit the Helm chart's values.yaml and add the following on top of your existing configuration:

controller:
  # add the following
  internal:
    certificate:
      caFile: ca.crt
      keyFile: tls.key
      pemFile: tls.crt
      secret: "internal-cert"
cve:
  scanner:
    # add the following
    internal:
      certificate:
        caFile: ca.crt
        keyFile: tls.key
        pemFile: tls.crt
        secret: "internal-cert"
enforcer:
  # add the following
  internal:
    certificate:
      caFile: ca.crt
      keyFile: tls.key
      pemFile: tls.crt
      secret: "internal-cert"

Then run helm upgrade.


Issuing the certificates from a private CA

If a private CA already exists in your environment, you can issue the NeuVector internal communication certificates from it directly.

Generate the certificates:

cat <<EOF > ca.cfg
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = San Jose
O = NeuVector Inc.
OU = Neuvector
CN = Neuvector

[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = Neuvector
EOF

openssl genrsa -out tls.key 2048

openssl req -new -key tls.key -sha256 -out cert.csr -config ca.cfg

# Assumes the CA certificate file is cacerts.pem and the CA private key file is cakey.pem
openssl x509 -req -sha256 -in cert.csr -CA cacerts.pem -CAkey cakey.pem -CAcreateserial -out tls.crt -days 3650 -extensions 'v3_req' -extfile ca.cfg

# Verify the certificate chains to the CA
openssl verify -CAfile cacerts.pem tls.crt

Create the Secret:

NAMESPACE=xxx
kubectl -n $NAMESPACE create secret generic internal-cert \
--from-file=tls.key=tls.key \
--from-file=tls.crt=tls.crt \
--from-file=ca.crt=cacerts.pem

The Helm chart configuration is the same as in the self-signed certificate approach.
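Whichever of the two approaches above you use, it is worth confirming, before the files go into the internal-cert Secret, that they actually fix the failure shown in the log: the leaf chains to the CA being shipped, neither certificate is close to expiry, the leaf carries both serverAuth and clientAuth (the components authenticate each other mutually), and tls.key really belongs to tls.crt. The check below is an added example, not from the NeuVector documentation or this post's original procedure; the file names follow the commands above and the 30-day grace window is an assumption.

```shell
# Pre-flight check for a regenerated NeuVector internal certificate set.
# Added example, not part of NeuVector; the 30-day default is an assumption.
#
# usage: check_internal_cert ca.crt tls.crt tls.key [MIN_DAYS]
# Prints the first failing check and returns 1; returns 0 when all checks pass.
check_internal_cert() {
  ca="$1"; crt="$2"; key="$3"; min_days="${4:-30}"

  # 1. Chain: the leaf must verify against the CA that will be shipped as ca.crt.
  #    A leaf signed by some other CA, or a CA without CA:TRUE, fails here.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not chain to $ca"; return 1
  fi

  # 2. Expiry: the failure mode from the log above. -checkend takes seconds and
  #    exits non-zero if the certificate will have expired by then.
  secs=$((min_days * 86400))
  for f in "$ca" "$crt"; do
    if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
      echo "FAIL: $f expires within $min_days days"; return 1
    fi
  done

  # 3. EKU: controller, enforcer and scanner use mutual TLS, so the same leaf is
  #    presented as server and as client; both roles must be present.
  text=$(openssl x509 -in "$crt" -noout -text)
  for role in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
    if ! echo "$text" | grep -q "$role"; then
      echo "FAIL: $crt lacks extendedKeyUsage '$role'"; return 1
    fi
  done

  # 4. Key match: tls.key must be the private half of tls.crt, otherwise the
  #    pods start but every handshake fails.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $key does not match the public key in $crt"; return 1
  fi

  echo "OK: $crt chains to $ca, valid for more than $min_days days, server+client auth, key matches"
  return 0
}
```

Run it as `check_internal_cert ca.crt tls.crt tls.key` (or with cacerts.pem as the first argument in the private CA case) and only create the Secret when it reports OK.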


Replacing internal certificates on a Docker-deployed NeuVector

See: https://warnerchen.github.io/2024/11/07/Docker-%E9%83%A8%E7%BD%B2-NeuVector/#%E4%BD%BF%E7%94%A8-v5-4-2-%E7%89%88%E6%9C%AC%E8%B5%B7%E7%9A%84%E6%B3%A8%E6%84%8F%E4%BA%8B%E9%A1%B9

Author

Warner Chen

Posted on

2026-05-21

Updated on

2026-05-21
