Created
January 14, 2020 20:48
-
-
Save JeffLabonte/795940fc01a012fb27e08ac1d79e9bd6 to your computer and use it in GitHub Desktop.
Scripts used to create registry using a self-signed certificate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [req] | |
| distinguished_name = req_distinguished_name | |
| req_extensions = v3_req | |
| x509_extensions = v3_ca | |
| prompt = no | |
| [req_distinguished_name] | |
| C = CA | |
| ST = Chemin Ste-Foy | |
| L = Quebec city | |
| O = registry.local | |
| OU = CA | |
| CN = registry.local | |
| [v3_req] | |
| keyUsage = keyEncipherment, dataEncipherment, keyCertSign | |
| extendedKeyUsage = serverAuth | |
| subjectAltName = @alt_names | |
| [ v3_ca ] | |
| subjectKeyIdentifier=hash | |
| authorityKeyIdentifier=keyid:always,issuer | |
| basicConstraints = CA:true | |
| [alt_names] | |
| DNS.1 = registry.local |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| docker run -d -p 5000:5000 \ | |
| -v /data/docker/:/var/lib/registry \ | |
| -v /certs:/certs \ | |
| --restart=always --name registry \ | |
| -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \ | |
| -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server-cert.pem \ | |
| -e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
| registry:2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| openssl genrsa -out ca-privkey.pem 2048 | |
| openssl req -config ./ca.conf -new -x509 -key ca-privkey.pem \ | |
| -out cacert.pem -days 365 | |
| openssl req -config ./server.conf -newkey rsa:2048 -days 365 \ | |
| -nodes -keyout server-key.pem -out server-req.pem | |
| openssl rsa -in server-key.pem -out server-key.pem | |
| openssl x509 -req -in server-req.pem \ | |
| -CA cacert.pem -CAkey ca-privkey.pem \ | |
| -set_serial 01 -out server-cert.pem \ | |
| -extfile server.conf | |
| echo "INFO: print cacert.pem..." | |
| openssl x509 -text -in cacert.pem -noout | |
| echo "INFO: print server-req.pem..." | |
| openssl req -text -in server-req.pem -noout | |
| echo "INFO: print server-cert.pem..." | |
| openssl x509 -text -in server-cert.pem -noout | |
| openssl verify -verbose -CAfile ./cacert.pem server-cert.pem | |
| echo "INFO: updating local CA..." | |
| # Have to use .crt file name for update command to work | |
| sudo mkdir -p /certs && sudo chown $USER:docker /certs | |
| for pem in $(ls *.pem); do | |
| cp $pem /certs | |
| done | |
| sudo cp cacert.pem /usr/local/share/ca-certificates/cacert.crt | |
| sudo update-ca-certificates | |
| echo "INFO: restarting docker" | |
| sudo service docker restart |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [req] | |
| distinguished_name = req_distinguished_name | |
| x509_extensions = v3_req | |
| prompt = no | |
| [req_distinguished_name] | |
| C = CA | |
| ST = Chemin Ste-Foy | |
| L = Quebec city | |
| O = Example.com | |
| OU = Docker | |
| CN = registry.local | |
| [v3_req] | |
| keyUsage = keyEncipherment, dataEncipherment | |
| extendedKeyUsage = serverAuth | |
| subjectAltName = @alt_names | |
| basicConstraints = CA:FALSE | |
| [alt_names] | |
| #DNS.1 = registry.example.com | |
| IP.1 = 10.137.184.142 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment