fixed findings from review

2026-01-18 19:10:14 +01:00
parent f76328b621
commit fa2d278c79
8 changed files with 203 additions and 34 deletions

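--- a/generate-certs.sh
+++ b/generate-certs.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Generate TLS certificates for secure Docker communication
+set -e
+CERT_DIR="./docker-certs"
+CA_DIR="$CERT_DIR/ca"
+SERVER_DIR="$CERT_DIR/server"
+CLIENT_DIR="$CERT_DIR/client"
+# Create directories
+mkdir -p "$CA_DIR" "$SERVER_DIR" "$CLIENT_DIR"
+# Generate CA private key
+openssl genrsa -out "$CA_DIR/ca-key.pem" 4096
+# Generate CA certificate
+openssl req -new -x509 -days 365 -key "$CA_DIR/ca-key.pem" -sha256 -out "$CA_DIR/ca.pem" -subj "/C=US/ST=CA/L=San Francisco/O=Docker/CN=docker-ca"
+# Generate server private key
+openssl genrsa -out "$SERVER_DIR/server-key.pem" 4096
+# Generate server certificate signing request
+openssl req -subj "/CN=docker-daemon" -new -key "$SERVER_DIR/server-key.pem" -out "$SERVER_DIR/server.csr"
+# Create server extensions file
+cat > "$SERVER_DIR/server-extfile.cnf" << EOF
+subjectAltName = DNS:docker-daemon,IP:127.0.0.1,IP:172.18.0.1
+extendedKeyUsage = serverAuth
+EOF
+# Sign server certificate
+openssl x509 -req -days 365 -in "$SERVER_DIR/server.csr" -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial -out "$SERVER_DIR/cert.pem" -extfile "$SERVER_DIR/server-extfile.cnf"
+# Generate client private key
+openssl genrsa -out "$CLIENT_DIR/key.pem" 4096
+# Generate client certificate signing request
+openssl req -subj "/CN=docker-client" -new -key "$CLIENT_DIR/key.pem" -out "$CLIENT_DIR/client.csr"
+# Create client extensions file
+cat > "$CLIENT_DIR/client-extfile.cnf" << EOF
+extendedKeyUsage = clientAuth
+EOF
+# Sign client certificate
+openssl x509 -req -days 365 -in "$CLIENT_DIR/client.csr" -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial -out "$CLIENT_DIR/cert.pem" -extfile "$CLIENT_DIR/client-extfile.cnf"
+# Copy CA certificate to client and server directories
+cp "$CA_DIR/ca.pem" "$CLIENT_DIR/ca.pem"
+cp "$CA_DIR/ca.pem" "$SERVER_DIR/ca.pem"
+# Set appropriate permissions
+chmod 600 "$CA_DIR/ca-key.pem" "$SERVER_DIR/server-key.pem" "$CLIENT_DIR/key.pem"
+chmod 644 "$CA_DIR/ca.pem" "$SERVER_DIR/cert.pem" "$CLIENT_DIR/cert.pem"
+echo "TLS certificates generated successfully in $CERT_DIR"
+echo "CA certificate: $CA_DIR/ca.pem"
+echo "Server cert: $SERVER_DIR/cert.pem"
+echo "Client cert: $CLIENT_DIR/cert.pem"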
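Review bot: The three private keys (ca-key.pem, server-key.pem, key.pem) are written by `openssl genrsa` with the caller's default umask and only tightened by the `chmod 600` near the end, so on a typical 022 umask they sit world-readable until the whole script has run, and not at all if an earlier step fails under `set -e`. Adding `umask 077` directly after `set -e` makes every file private from creation; the existing `chmod 644` on the certificates then still does the right thing for the public material. Two smaller points on the same hunk: re-running the script silently regenerates and overwrites the CA key, so a guard such as `[ -e "$CA_DIR/ca-key.pem" ] && { echo "CA already exists in $CA_DIR, refusing to overwrite" >&2; exit 1; }` before the first genrsa would prevent accidental CA rotation that invalidates every issued cert, and the `IP:172.18.0.1` SAN is a hard-coded bridge address that is not guaranteed to match the host's Docker network, which is worth a comment or a parameter. The diffstat reports 60 added lines while 44 are visible here, presumably blank lines dropped in rendering.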