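#!/bin/sh
# Generate a self-signed CA plus a server and a client key/certificate pair for
# the Docker daemon's TLS listener, then install them and print the files that
# were produced and the ExecStart line the unit file needs.
#
# Usage:  docker-tls.sh [EXTRA_SAN]
#   EXTRA_SAN  optional additional subjectAltName entry appended to the server
#              certificate's SAN list, e.g. "DNS:docker.example.com".
#
# Environment:
#   CERTS_PASS  passphrase protecting the CA private key (default: password).
#               It is handed to openssl through the environment, not argv.
#   HOME        the client material is installed under $HOME/.docker.
#
# Writes:  /etc/docker/certs/{private-key,ca,server-key,server-cert}.pem
#          $HOME/.docker/{ca,cert,key}.pem
set -eu

SERVER_DIR=/etc/docker/certs
CLIENT_DIR=${HOME:?HOME must be set}/.docker
CERTS_PASS=${CERTS_PASS:-password}
CERTS_NAMES=IP:127.0.0.1,DNS:localhost
CERTS_DAYS=36500
# Answers for the interactive "openssl req" DN prompts: country JP, every
# following field left at its default.
CERTS_INFO="JP\n\n\n\n\n\n\n\n\n"

# Quoted test: the original "[ -n $1 ]" is true even with no argument and
# left a trailing comma in the SAN list.
if [ -n "${1:-}" ]; then
  CERTS_NAMES="${CERTS_NAMES},$1"
fi

# openssl reads the passphrase from this variable (env:CERTS_PASS) so it does
# not appear in process listings or shell traces.
export CERTS_PASS

# Unpredictable, mode-0700 work directory instead of a fixed /tmp path;
# removed on every exit path, including failures under set -e.
TEMP_DIR=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${TEMP_DIR:?}"; }
trap cleanup EXIT

mkdir -p -- "$SERVER_DIR" "$CLIENT_DIR"
cd "$TEMP_DIR" || exit 1

#######################################
# Emit the canned prompt answers on stdout.
# printf is used instead of "echo -e", whose handling of -e and of backslash
# escapes differs between /bin/sh implementations.
#######################################
req_answers() { printf '%b' "$CERTS_INFO"; }

# Reuse an already installed CA private key; otherwise generate a new
# passphrase-protected one.
if [ -f "$SERVER_DIR/private-key.pem" ]; then
  cp -- "$SERVER_DIR/private-key.pem" .
else
  openssl genrsa -aes256 -passout env:CERTS_PASS -out private-key.pem 4096
fi

# Self-signed CA certificate (DN taken from the piped prompt answers).
req_answers | openssl req -new -x509 -passin env:CERTS_PASS -days "$CERTS_DAYS" \
  -key private-key.pem -sha256 -out ca.pem

# Server key and certificate; the SAN list goes in via an extension file.
openssl genrsa -out server-key.pem 4096
req_answers | openssl req -subj "/CN=server" -sha256 -new -key server-key.pem -out server.csr
printf 'subjectAltName = %s\n' "$CERTS_NAMES" > extfile.cnf
openssl x509 -req -days "$CERTS_DAYS" -sha256 -in server.csr -CA ca.pem -CAkey private-key.pem \
  -CAcreateserial -passin env:CERTS_PASS -out server-cert.pem -extfile extfile.cnf

# Client key and certificate, limited to client authentication.
openssl genrsa -out key.pem 4096
req_answers | openssl req -subj '/CN=client' -new -key key.pem -out client.csr
printf 'extendedKeyUsage = clientAuth\n' > extfile.cnf
openssl x509 -req -days "$CERTS_DAYS" -sha256 -in client.csr -CA ca.pem -CAkey private-key.pem \
  -CAcreateserial -passin env:CERTS_PASS -out cert.pem -extfile extfile.cnf

# Private keys owner-read-only, certificates world-readable.
chmod 0400 private-key.pem server-key.pem key.pem
chmod 0444 ca.pem server-cert.pem cert.pem

# Server side: ca.pem is copied because the client receives the original.
cp -f -- ./ca.pem "$SERVER_DIR"
mv -f -- ./private-key.pem ./server-key.pem ./server-cert.pem "$SERVER_DIR"

# Client side.
mv -f -- ca.pem cert.pem key.pem "$CLIENT_DIR"

# When run through sudo, hand the client material back to the invoking user.
# NOTE(review): CLIENT_DIR is derived from $HOME, which sudo may or may not
# reset to root's home — confirm it resolves to the intended user's directory.
if [ -n "${SUDO_UID:-}" ] && [ -n "${SUDO_GID:-}" ]; then
  chown -R "${SUDO_UID}:${SUDO_GID}" "$CLIENT_DIR"
fi

printf '\n\n-- Create files --\n'
printf '%s\n' \
  "$SERVER_DIR/private-key.pem" \
  "$SERVER_DIR/ca.pem" \
  "$SERVER_DIR/server-key.pem" \
  "$SERVER_DIR/server-cert.pem" \
  "$CLIENT_DIR/ca.pem" \
  "$CLIENT_DIR/cert.pem" \
  "$CLIENT_DIR/key.pem"
printf '\n\n-- Edit file--\n'
printf '/lib/systemd/system/docker.service\n\n'
# Printed as a hint only; the unit file is not modified by this script.
printf '%s\n' 'ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H tcp://0.0.0.0 -H fd:// --containerd=/run/containerd/containerd.sock'
printf '\n'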