Bash script that generates a self-signed CA plus server and client TLS certificates (mutual TLS) for a Docker daemon, and prints the dockerd/docker flags needed to use them.
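#!/bin/bash
# Generate a self-signed CA plus a server certificate and a client certificate
# for securing a Docker daemon with --tlsverify (mutual TLS), following the
# file layout used in Docker's "Protect the Docker daemon socket" guide.
#
# Usage: ./generate_tls_certs_for_docker.sh <hostname> <storage_location>
#   <hostname>          DNS name the daemon is reached at; used for the server
#                       CN and SAN, so it must be the name clients will dial.
#   <storage_location>  ABSOLUTE output directory. It is deleted and recreated,
#                       so never point it at a directory holding other data.
#
# Optional environment overrides (certificate validity in days):
#   CA_DAYS      default 3650
#   SERVER_DAYS  default 3650 (the old value of 36500 exceeded the CA validity,
#                which buys nothing: a leaf cannot be verified past its CA)
#   CLIENT_DAYS  default 3650
#
# Interactive: `openssl genrsa -aes256` prompts for a CA key passphrase and
# `openssl req -x509` prompts for the CA subject; the passphrase is needed
# again for each signing step.
#
# Security notes:
#   - Everything is created under umask 077; private keys end up 0400 and the
#     public certificates 0444. Copy ca.pem, client-cert.pem and client-key.pem
#     to the client user's ~/.docker (as cert.pem/key.pem) yourself.
#   - Anyone holding client-key.pem has root-equivalent control of the daemon
#     host. Treat it and ca-key.pem as secrets.
#   - Exposing tcp://0.0.0.0:2376 is only acceptable together with --tlsverify.
set -eu

if [ "$#" -ne 2 ]; then
  echo "Usage:"
  echo "You must enter exactly 2 command line arguments"
  echo "First the host for which you are generating the certificates"
  echo "Second where you want to store the generated files - everything in that directory will be deleted"
  echo "You should also give the FULLY QUALIFIED PATH for where you want to store the files - e.g. /etc/docker/ssl/certs/location"
  echo "Relative paths will not work at this time"
  echo ""
  echo "THIS IS PROVIDED AS-IS AND MAY OR MAY NOT WORK CORRECT - USE AT YOUR OWN RISK - I TAKE NO RESPONSIBILITY FOR ANY DAMAGE OR PROBLEMS YOU EXPERIENCE IN OR BY USING THIS SCRIPT"
  echo "VERIFY EVERYTHING YOURSELF AND USE ONLY IF CONFIDENT AND COMFORTABLE"
  echo ""
  echo "./generate_tls_certs_for_docker.sh <hostname> <storage_location>"
  # A usage error is a failure; the original exited 0 here.
  exit 1
fi

HOST=$1
SECURE_STORAGE_PATH=$2
CA_DAYS=${CA_DAYS:-3650}
SERVER_DAYS=${SERVER_DAYS:-3650}
CLIENT_DAYS=${CLIENT_DAYS:-3650}

# The hostname is interpolated into an X.509 subject and into file names;
# reject anything that could smuggle extra subject components or paths.
case "$HOST" in
  ''|*/*|*[[:space:]]*)
    echo "hostname must be non-empty and contain no '/' or whitespace" >&2
    exit 1
    ;;
esac

# The output directory is wiped with rm -rf: insist on an absolute path and
# refuse the filesystem root outright.
case "$SECURE_STORAGE_PATH" in
  /) echo "refusing to use / as the storage location" >&2; exit 1 ;;
  /*) ;;
  *) echo "storage location must be an absolute path: $SECURE_STORAGE_PATH" >&2; exit 1 ;;
esac

echo =========================================================
echo "Generating Server Certs for $HOST will store in $SECURE_STORAGE_PATH"
echo =========================================================

# Keys are secrets: create every file private and relax the public certs later.
umask 077
rm -rfv -- "${SECURE_STORAGE_PATH:?}"
mkdir -p -- "$SECURE_STORAGE_PATH"
# If cd fails the key material must not land in the caller's cwd.
cd -- "$SECURE_STORAGE_PATH" || exit 1

# --- CA ---------------------------------------------------------------------
# Passphrase-protected CA key; the subject is prompted for interactively.
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days "$CA_DAYS" -key ca-key.pem -sha256 -out ca.pem

# --- server certificate -----------------------------------------------------
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

# Best-effort detection of the primary IPv4 address so clients may also dial
# the daemon by IP. If detection fails the IP entry is simply omitted rather
# than producing an empty "IP:" SAN entry that makes openssl x509 fail.
ipadd=$(ip route get 8.8.8.8 2>/dev/null | sed -n '/src/{s/.*src *\([^ ]*\).*/\1/p;q}') || ipadd=""
san="DNS:$HOST,IP:127.0.0.1"
if [ -n "$ipadd" ]; then
  san="DNS:$HOST,IP:$ipadd,IP:127.0.0.1"
fi
{
  echo "subjectAltName = $san"
  # Restrict the server certificate to server use, mirroring the clientAuth
  # restriction placed on the client certificate below.
  echo "extendedKeyUsage = serverAuth"
} > "$HOST.extfile.cnf"
openssl x509 -req -days "$SERVER_DAYS" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile "$HOST.extfile.cnf"

# --- client certificate -----------------------------------------------------
echo =========================================================
echo "Generating Client Certs for access to $HOST"
echo =========================================================
openssl genrsa -out client-key.pem 4096
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
openssl x509 -req -days "$CLIENT_DAYS" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf

# --- cleanup & permissions --------------------------------------------------
echo =========================================================
echo "Cleaning Up"
echo =========================================================
rm -v -- client.csr server.csr "$HOST.extfile.cnf" extfile-client.cnf
# Private keys read-only for the owner; certificates world-readable.
chmod 0400 ca-key.pem server-key.pem client-key.pem
chmod 0444 ca.pem server-cert.pem client-cert.pem

# --- instructions -----------------------------------------------------------
echo =========================================================
echo "Instructions"
echo =========================================================
ls -lhaR -- "$SECURE_STORAGE_PATH"
echo "Make sure the Docker Daemon - systemctl edit docker.service - is run"
echo "with the following:"
echo "dockerd --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/server-cert.pem --tlskey=$SECURE_STORAGE_PATH/server-key.pem -H=0.0.0.0:2376"
echo "You can connect to the docker daemon with the following:"
echo "docker --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/client-cert.pem --tlskey=$SECURE_STORAGE_PATH/client-key.pem -H=$HOST:2376 version"
echo ""
echo "To persist the changes - run:"
echo "$ sudo systemctl edit docker.service"
echo "Edit the file as follows (ensuring any other customisations you have made are not lost):"
echo ""
# Falls back to all interfaces when no primary IP was detected, matching the
# -H=0.0.0.0:2376 form shown above.
echo "[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/server-cert.pem --tlskey=$SECURE_STORAGE_PATH/server-key.pem -H fd:// -H tcp://${ipadd:-0.0.0.0}:2376"
echo ""
echo "Once completed - save the changes and restart the daemon:"
echo ""
echo "$ sudo systemctl daemon-reload && sudo systemctl restart docker"
echo ""
echo ""
echo "Ensure all is working by running: "
echo ""
echo "docker --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/client-cert.pem --tlskey=$SECURE_STORAGE_PATH/client-key.pem -H=$HOST:2376 version"
echo ""
echo "Enjoy"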