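#!/usr/bin/env bash
#
# Docker certificates
#
# Creates a private CA, a server certificate for the Docker daemon and a client
# certificate, locks down the key files, then installs a systemd drop-in that
# clears the packaged ExecStart for the daemon.
#
# IMPORTANT: before executing this script set a HOST environment variable to
# your machine (e.g. the external IP address that docker clients will use).
# For more info visit: https://docs.docker.com/engine/security/https/
#
# Optional: DAYS overrides the certificate lifetime (default 365).
#
# The CA key is passphrase-protected, so the `openssl req -x509` step and both
# signing steps prompt interactively; run this from a terminal.
#
set -euo pipefail

# Refuse to continue rather than issue a server cert with an empty CN/SAN.
: "${HOST:?set HOST to the address docker clients will connect to (e.g. external IP)}"
days=${DAYS:-365}

sudo apt-get update
sudo apt-get install -y openssl

# CA: AES-256 encrypted key (prompts for a passphrase), self-signed certificate.
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days "$days" -key ca-key.pem -sha256 -out ca.pem

# Server key + CSR. CN and SAN both carry $HOST so a client that verifies the
# daemon by IP address matches the certificate.
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# Overwrite (not append): a stale extfile.cnf from a previous run would otherwise
# carry duplicate or outdated SAN entries into the new certificate.
printf 'subjectAltName = IP:%s\nextendedKeyUsage = serverAuth\n' "$HOST" > extfile.cnf
openssl x509 -req -days "$days" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf

# Client key + certificate, restricted to clientAuth so it cannot be presented
# as a server certificate.
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl x509 -req -days "$days" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf

# Drop the CSRs and extension files; private keys owner-read-only, certs
# world-readable.
rm -v -- client.csr server.csr extfile.cnf extfile-client.cnf
chmod -v 0400 -- ca-key.pem key.pem server-key.pem
chmod -v 0444 -- ca.pem server-cert.pem cert.pem

#
# Visit: https://docs.docker.com/config/daemon/#use-the-hosts-key-in-daemon-json-with-systemd
#
# dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
#
# The drop-in only clears the packaged ExecStart; the listen address and the
# TLS options above are expected to come from daemon.json (see link) and are
# NOT written by this script.
drop_in_dir=/etc/systemd/system/docker.service.d
sudo mkdir -p -- "$drop_in_dir"
# The directory is root-owned, so the file must be created as root too (an
# unprivileged touch here fails with EACCES).
printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd\n' \
  | sudo tee "$drop_in_dir/docker.conf" > /dev/null
sudo systemctl daemon-reload
echo "Copy ca.pem, cert.pem, key.pem to your local machine"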