Simple script to create certificates for the Docker daemon HTTP socket. Certificates will be created in the /etc/docker/certs directory, and /lib/systemd/system/docker.service will be edited to enable the secure socket.
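#!/bin/sh
set -e
## Script to create certificates required for secure communication over https
## https://docs.docker.com/engine/security/https/
##
## Usage: <script> [--all] [--ca] [--server] [--client[=NAME]] [--service]
##   No arguments behaves like --all. Certificates are written under
##   /etc/docker/certs and the docker unit file is edited in place, so the
##   script expects to run with root privileges.

# Host name and first DNS search domain; both feed the SAN list and the FQDN.
# A missing resolv.conf simply means "no domain suffix" instead of aborting.
HOST=$(hostname)
SUFFIX=''
if [ -r /etc/resolv.conf ]; then
  SUFFIX=$(sed -n 's/^search \([^ ]*\).*/\1/p' /etc/resolv.conf)
fi

# subjectAltName for the server certificate: loopback, plus the short and
# fully qualified host names when they are known.
SAN="IP:127.0.0.1"
FQDN=''
if [ -n "$HOST" ]; then
  SAN="$SAN,DNS:$HOST"
  FQDN=$HOST
fi
if [ -n "$HOST" ] && [ -n "$SUFFIX" ]; then
  SAN="$SAN,DNS:$HOST.$SUFFIX"
  FQDN="$FQDN.$SUFFIX"
fi

# Action flags: empty means "not requested"; no arguments selects --all.
DO_ALL=''
DO_CA=''
DO_SERVER=''
DO_CLIENT=''
DO_SERVICE=''
CLIENT_NAME="Client"
if [ $# -eq 0 ]; then
  DO_ALL=1
fi
while [ $# -gt 0 ]; do
  case "$1" in
    --all)
      DO_ALL=1
      ;;
    --ca)
      DO_CA=1
      ;;
    --client=*)
      # The optional name is appended to the client CN and to the file name.
      DO_CLIENT=1
      CLIENT_NAME="$CLIENT_NAME ${1#*=}"
      ;;
    --client)
      DO_CLIENT=1
      ;;
    --server)
      DO_SERVER=1
      ;;
    --service)
      DO_SERVICE=1
      ;;
    *)
      # Unknown options are a usage error: report on stderr and fail
      # (the previous bare 'exit' returned success).
      printf 'Illegal option %s\n' "$1" >&2
      exit 2
      ;;
  esac
  shift
done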
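#######################################
# Create a self-signed CA (ca.key / ca.pem) in the current directory.
# Globals:   FQDN (read) - embedded in the CA subject
# Returns:   exits 1 if a CA already exists
#######################################
_gen_ca() {
  if [ -f ca.pem ] || [ -f ca.key ]; then
    echo "Error! CA already exists. " >&2
    exit 1
  fi
  # -nodes: the CA key is stored unencrypted so the script runs unattended;
  # it is protected only by file permissions in the certificate directory.
  openssl req -x509 -nodes -days 3650 -sha256 -newkey rsa:4096 \
    -keyout ca.key -out ca.pem -subj "/CN=Docker ($FQDN) CA"
  # Enforce owner-only access on the CA key regardless of umask or tool defaults.
  chmod 0600 ca.key
}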
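#######################################
# Create the daemon key/cert (server.key / server.pem) signed by the local CA.
# Globals:   SAN (read) - subjectAltName list; FQDN (read) - subject CN
# Returns:   exits 1 if the CA is missing or server.key already exists
#######################################
_gen_server() {
  if [ ! -f ca.pem ] || [ ! -f ca.key ]; then
    echo "Error! CA is missing, please create CA first." >&2
    exit 1
  fi
  if [ -f server.key ]; then
    echo "Error! Server certificate already exists." >&2
    exit 1
  fi
  openssl req -nodes -new -keyout server.key -out server.csr \
    -subj "/CN=Docker ($FQDN) Server"
  # Reuse the SAN list built at startup so that an empty host name or a
  # missing domain suffix never produces empty or duplicate DNS entries.
  printf 'subjectAltName = %s\n' "$SAN" > extfile-server.conf
  printf 'extendedKeyUsage = serverAuth\n' >> extfile-server.conf
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out server.pem -days 365 -sha256 -extfile extfile-server.conf
  # The daemon runs as root; nobody else needs the private key.
  chmod 0600 server.key
  rm -f -- server.csr extfile-server.conf
}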
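#######################################
# Create a client key/cert signed by the local CA. File names derive from
# CLIENT_NAME (lower-cased, spaces replaced by underscores), e.g.
# "Client Foo" -> client_foo.key / client_foo.pem.
# Globals:   CLIENT_NAME, FQDN (read); FILENAME (written)
# Returns:   exits 1 if the CA is missing or the client key already exists
#######################################
_gen_client() {
  if [ ! -f ca.pem ] || [ ! -f ca.key ]; then
    echo "Error! CA is missing, please create CA first." >&2
    exit 1
  fi
  FILENAME=$(printf '%s' "$CLIENT_NAME" | tr '[:upper:]' '[:lower:]' | tr ' ' '_')
  if [ -f "$FILENAME.key" ]; then
    echo "Error! Certificate for $CLIENT_NAME already exists." >&2
    exit 1
  fi
  openssl req -nodes -new -keyout "$FILENAME.key" -out "$FILENAME.csr" \
    -subj "/CN=Docker ($FQDN) $CLIENT_NAME"
  printf 'extendedKeyUsage = clientAuth\n' > extfile-client.conf
  openssl x509 -req -in "$FILENAME.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$FILENAME.pem" -days 365 -sha256 -extfile extfile-client.conf
  # This key grants full access to the daemon (root-equivalent on the host).
  # Keep it owner-only; the previous 0644 left it readable by every local
  # user. Copy it to the client machine with root privileges instead.
  chmod 0600 "$FILENAME.key"
  rm -f -- "$FILENAME.csr" extfile-client.conf
}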
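#######################################
# Append the TLS listener arguments to the dockerd ExecStart line and restart
# the daemon. The unit file path can be overridden with DOCKER_SERVICE_FILE
# (default /lib/systemd/system/docker.service).
# Globals:   PWD (read) - the certificate directory embedded in the unit file;
#            ADDARGS (written)
# Returns:   exits 1 if the unit file is missing or already has a tcp host
#######################################
_update_service() {
  unit=${DOCKER_SERVICE_FILE:-/lib/systemd/system/docker.service}
  if [ ! -f "$unit" ]; then
    echo "Error! Docker service file $unit not found" >&2
    exit 1
  fi
  if grep -q "^ExecStart=.*-H tcp:" "$unit"; then
    echo "Error! Docker service already has tcp host set" >&2
    exit 1
  fi
  # --tlsverify: the tcp listener only accepts clients presenting a
  # certificate signed by ca.pem.
  ADDARGS="-H tcp://0.0.0.0:2376 --tlsverify --tlscacert=$PWD/ca.pem --tlscert=$PWD/server.pem --tlskey=$PWD/server.key"
  echo "Updating docker service"
  # '&' (the whole match) is the portable spelling of GNU sed's '\0'.
  # NOTE(review): editing the packaged unit in place is undone by the next
  # package upgrade; a drop-in under /etc/systemd/system/docker.service.d
  # would survive it.
  sed -i "s|^ExecStart=.*|& $ADDARGS|" "$unit"
  echo "Reloading systemctl daemon"
  systemctl daemon-reload
  echo "Restarting docker"
  systemctl restart docker
}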
#######################################
# Run every step in order (CA, server cert, client cert, service update) and
# terminate the script afterwards.
#######################################
_all() {
  for step in _gen_ca _gen_server _gen_client _update_service; do
    "$step"
  done
  exit
}
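# All material is created in this directory and the unit file points at it.
# Override with DOCKER_CERT_DIR for non-default locations.
CERTDIR=${DOCKER_CERT_DIR:-/etc/docker/certs}
mkdir -p -- "$CERTDIR"
cd "$CERTDIR" || exit 1
# Run the requested steps with plain 'if' blocks: the former '[ $X ] && fn'
# lists made the script exit 1 whenever the last step was not requested.
# _all never returns (it exits after the last step).
if [ -n "$DO_ALL" ]; then
  _all
fi
if [ -n "$DO_CA" ]; then
  _gen_ca
fi
if [ -n "$DO_SERVER" ]; then
  _gen_server
fi
if [ -n "$DO_CLIENT" ]; then
  _gen_client
fi
if [ -n "$DO_SERVICE" ]; then
  _update_service
fi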