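#!/usr/bin/env sh
#
# Generates, with OpenSSL, a private CA plus a server and a client
# certificate/key pair so that the Docker daemon's API can be exposed over
# TCP with TLS client-certificate authentication (dockerd --tlsverify).
#
# Usage: run with -h, or see usage() below.
# Outputs, all in the current directory: ca.pem / ca-key.pem (CA),
# server-cert.pem / server-key.pem (daemon), cert.pem / key.pem (client),
# the CSR and extension files used to build them, and optionally a
# startup_options.conf systemd drop-in when CERTDIR is given.
# The CA key is AES-256 encrypted, so openssl prompts for its passphrase.

# Defaults
# Validity period in days for every certificate issued; overridden with -d.
days=365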
# Displays how to use the program
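# Prints the help text to stdout and terminates the script.
# The 'function' keyword is not POSIX and fails under the sh shebang
# (e.g. dash), so the portable name() form is used.
# Globals:   days is not read; $0 is used for the program name
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   never; exits with status 1
usage() {
    cat << EOF
This script generates OpenSSL certificate pairs which can be used to expose a
Docker API.

Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]

    HOST     domain name where your machine is accessible
    IP       public IP of the machine to expose
    CERTDIR  directory where the certificates will reside on the machine. If
             specified, a startup_options.conf file is created for you, which
             can then be copied over to the host.

    -h       show this message
    -d       how many days the certificate will be valid; defaults to 365
EOF
    exit 1
}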
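# Abort on the first failed command and on unset variables, so that a failed
# openssl step cannot leave a half-built set of files that later steps sign.
set -eu

# Private keys are written below; make sure nothing is ever created
# world-readable, not even for the instant before a chmod.
umask 077

# Prints a message to stderr and exits with status 1.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

while getopts ':hd:' c; do
    case $c in
        h ) usage ;;
        d ) days="$OPTARG" ;;
        # With a leading ':' in the optstring, getopts reports a missing
        # argument as ':' and an unknown option as '?', both with OPTARG set.
        : ) die "option -$OPTARG requires an argument" ;;
        \?) die "unknown option -$OPTARG" ;;
    esac
done
shift $((OPTIND - 1))

# Check for correct amount of arguments. The original '&&' form could never
# be true (both < 2 and > 3), so the check was a no-op; it also has to run
# before $1..$3 are read, which would fail under 'set -u'.
if [ $# -lt 2 ] || [ $# -gt 3 ]; then
    usage
fi

host="$1"
ip="$2"
certdir="${3:-}"

# $days is passed to 'openssl ... -days'; accept only a non-empty integer.
case $days in
    ''|*[!0-9]*) die "invalid -d value '$days': must be a number of days" ;;
esac

# $host and $ip are interpolated into the certificate subject and into the
# subjectAltName line of extfile.cnf; restrict them to characters that cannot
# add extra subject fields, SAN entries or config directives.
case $host in
    ''|*[!A-Za-z0-9.-]*) die "invalid HOST '$host': expected a DNS name" ;;
esac
case $ip in
    ''|*[!0-9A-Fa-f.:]*) die "invalid IP '$ip': expected an IPv4/IPv6 address" ;;
esac
# $certdir is placed inside single quotes in startup_options.conf below.
case $certdir in
    *"'"*) die "CERTDIR must not contain a single quote" ;;
esac


# =====SERVER-SIDE=====
# Generate CA key (AES-256 encrypted; openssl prompts for a passphrase here
# and again whenever the key is used to sign below)
openssl genrsa \
    -aes256 \
    -out ca-key.pem \
    4096
openssl req \
    -new \
    -x509 \
    -days "$days" \
    -key ca-key.pem \
    -sha256 \
    -out ca.pem

# Generate server key
openssl genrsa \
    -out server-key.pem \
    4096
openssl req \
    -subj "/CN=$host" \
    -sha256 \
    -new \
    -key server-key.pem \
    -out server.csr

# Create extfile.cnf: the SAN must list every name/address clients will
# connect with, and serverAuth restricts the cert to server use.
printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\n' "$host" "$ip" > extfile.cnf
printf 'extendedKeyUsage = serverAuth\n' >> extfile.cnf

# Generate server-side certificate
openssl x509 \
    -req \
    -days "$days" \
    -sha256 \
    -in server.csr \
    -CA ca.pem \
    -CAkey ca-key.pem \
    -CAcreateserial \
    -out server-cert.pem \
    -extfile extfile.cnf


# =====CLIENT-SIDE=====
# Generate key & csr
openssl genrsa \
    -out key.pem \
    4096
openssl req \
    -subj '/CN=client' \
    -new \
    -key key.pem \
    -out client.csr

# Create extfile-client.cnf: clientAuth prevents the client cert from being
# usable as a server cert.
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf

# Generate certificate
openssl x509 \
    -req \
    -days "$days" \
    -sha256 \
    -in client.csr \
    -CA ca.pem \
    -CAkey ca-key.pem \
    -CAcreateserial \
    -out cert.pem \
    -extfile extfile-client.cnf

# Lock down file modes: private keys read-only for the owner, certificates
# readable by everyone (they are public and get copied around).
chmod 0400 ca-key.pem server-key.pem key.pem
chmod 0444 ca.pem server-cert.pem cert.pem

# Create startup_options.conf: a systemd drop-in that replaces docker.service's
# ExecStart. The daemon binds on all interfaces, but --tlsverify means only
# clients presenting a certificate signed by ca.pem are accepted.
if [ -n "$certdir" ]; then
    cat > startup_options.conf << EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
EOF

    printf '%s\n' "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."
    printf '%s\n' "'startup_options.conf' should be placed in '/etc/systemd/system/docker.service.d/startup_options.conf'."
else
    printf '%s\n' "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."
    printf '%s\n' "Create a 'startup_options.conf' file as specified."
fi

printf '%s\n' "Now, you can restart the Docker daemon using:"
printf '%s\n' "  systemctl daemon-reload"
printf '%s\n' "  systemctl restart docker.service"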