96 lines
3.5 KiB
Bash
Executable File
96 lines
3.5 KiB
Bash
Executable File
#!/bin/bash
|
|
# Docker TLS Certificate Generation Script
|
|
# Generates CA, server, and client certificates for secure Docker API access
|
|
|
|
set -e
|
|
|
|
CERTS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/certs"
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
# Configuration
|
|
DAYS=3650 # 10 years
|
|
COUNTRY="NO"
|
|
STATE="Norway"
|
|
CITY="Oslo"
|
|
ORG="Lovdata Chat"
|
|
OU="DevOps"
|
|
EMAIL="admin@lovdata-chat.local"
|
|
|
|
# Environment-specific settings
|
|
ENVIRONMENT="${DOCKER_ENV:-development}"
|
|
DOCKER_HOST_IP="${DOCKER_HOST_IP:-127.0.0.1}"
|
|
DOCKER_HOST_NAME="${DOCKER_HOST_NAME:-localhost}"
|
|
|
|
echo "Generating Docker TLS certificates for environment: $ENVIRONMENT"
|
|
echo "Certificate directory: $CERTS_DIR"
|
|
|
|
# Create certificates directory
|
|
mkdir -p "$CERTS_DIR"
|
|
|
|
# Generate CA private key and certificate
|
|
echo "Generating CA certificate..."
|
|
openssl genrsa -aes256 -passout pass:password -out "$CERTS_DIR/ca-key.pem" 4096
|
|
openssl req -new -x509 -days $DAYS -key "$CERTS_DIR/ca-key.pem" -passin pass:password -sha256 \
|
|
-subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$OU/CN=Docker-CA-$ENVIRONMENT/emailAddress=$EMAIL" \
|
|
-out "$CERTS_DIR/ca.pem"
|
|
|
|
# Generate server private key and certificate
|
|
echo "Generating server certificate..."
|
|
openssl genrsa -out "$CERTS_DIR/server-key.pem" 4096
|
|
|
|
# Create server certificate signing request
|
|
openssl req -subj "/CN=$DOCKER_HOST_NAME" -new -key "$CERTS_DIR/server-key.pem" \
|
|
-out "$CERTS_DIR/server.csr"
|
|
|
|
# Create server extensions file
|
|
cat > "$CERTS_DIR/server-extfile.cnf" << EOF
|
|
subjectAltName = IP:$DOCKER_HOST_IP,DNS:$DOCKER_HOST_NAME,DNS:localhost,IP:127.0.0.1
|
|
extendedKeyUsage = serverAuth
|
|
EOF
|
|
|
|
# Sign server certificate
|
|
openssl x509 -req -days $DAYS -in "$CERTS_DIR/server.csr" -CA "$CERTS_DIR/ca.pem" \
|
|
-CAkey "$CERTS_DIR/ca-key.pem" -passin pass:password -CAcreateserial \
|
|
-out "$CERTS_DIR/server-cert.pem" -sha256 -extfile "$CERTS_DIR/server-extfile.cnf"
|
|
|
|
# Generate client private key and certificate
|
|
echo "Generating client certificate..."
|
|
openssl genrsa -out "$CERTS_DIR/client-key.pem" 4096
|
|
|
|
# Create client certificate signing request
|
|
openssl req -subj "/CN=docker-client-$ENVIRONMENT" -new -key "$CERTS_DIR/client-key.pem" \
|
|
-out "$CERTS_DIR/client.csr"
|
|
|
|
# Create client extensions file
|
|
cat > "$CERTS_DIR/client-extfile.cnf" << EOF
|
|
extendedKeyUsage = clientAuth
|
|
EOF
|
|
|
|
# Sign client certificate
|
|
openssl x509 -req -days $DAYS -in "$CERTS_DIR/client.csr" -CA "$CERTS_DIR/ca.pem" \
|
|
-CAkey "$CERTS_DIR/ca-key.pem" -passin pass:password -CAcreateserial \
|
|
-out "$CERTS_DIR/client-cert.pem" -sha256 -extfile "$CERTS_DIR/client-extfile.cnf"
|
|
|
|
# Clean up temporary files
|
|
rm -f "$CERTS_DIR/ca.srl" "$CERTS_DIR/server.csr" "$CERTS_DIR/client.csr"
|
|
rm -f "$CERTS_DIR/server-extfile.cnf" "$CERTS_DIR/client-extfile.cnf"
|
|
|
|
# Set proper permissions
|
|
chmod 0400 "$CERTS_DIR/ca-key.pem" "$CERTS_DIR/server-key.pem" "$CERTS_DIR/client-key.pem"
|
|
chmod 0444 "$CERTS_DIR/ca.pem" "$CERTS_DIR/server-cert.pem" "$CERTS_DIR/client-cert.pem"
|
|
|
|
echo "Certificate generation complete!"
|
|
echo ""
|
|
echo "Generated files:"
|
|
echo " CA Certificate: $CERTS_DIR/ca.pem"
|
|
echo " Server Certificate: $CERTS_DIR/server-cert.pem"
|
|
echo " Server Key: $CERTS_DIR/server-key.pem"
|
|
echo " Client Certificate: $CERTS_DIR/client-cert.pem"
|
|
echo " Client Key: $CERTS_DIR/client-key.pem"
|
|
echo ""
|
|
echo "Environment variables for docker-compose.yml:"
|
|
echo " DOCKER_TLS_VERIFY=1"
|
|
echo " DOCKER_CERT_PATH=$CERTS_DIR"
|
|
echo " DOCKER_HOST=tcp://$DOCKER_HOST_IP:2376"
|
|
echo ""
|
|
echo "For production, ensure certificates are securely stored and rotated regularly." |