快速创建 TLS 证书并部署到 Docker 服务
将下方代码保存为certbot.sh
,修改头部变量后,上传到装有openssl
组件的linux服务器上运行即可。
#!/bin/sh
#
export PASSWORD="密码"
export COUNTRY="CN"
export STATE="省"
export CITY="市"
export ORGANIZATION="公司名称"
export ORGANIZATIONAL_UNIT="Dev"
export COMMON_NAME="域名"
export EMAIL="电子邮件地址"
export HOST_NAME="$COMMON_NAME"
export IP=`ping $HOST_NAME -c 1 | sed '1{s/[^(]*(//;s/).*//;q}'`
export DIR="cert-$HOST_NAME"
# Workspace
[ -d $DIR ] || mkdir -p $DIR
echo "PASSWORD: $PASSWORD" > $DIR/!nfo.txt
echo "HOST_NAME: $HOST_NAME" >> $DIR/!nfo.txt
echo "HOST_IP: $IP" >> $DIR/!nfo.txt
# Generate CA
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "$DIR/ca-key.pem" 4096
openssl req -new -x509 -days 3650 -key "$DIR/ca-key.pem" -sha256 -out "$DIR/ca.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server Certs
openssl genrsa -out "$DIR/server-key.pem" 4096
openssl req -subj "/CN=$HOST_NAME" -sha256 -new -key "$DIR/server-key.pem" -out $DIR/server.csr
echo "subjectAltName = DNS:$HOST_NAME,IP:$IP,IP:127.0.0.1" > $DIR/server.cnf
echo "extendedKeyUsage = serverAuth" >> $DIR/server.cnf
openssl x509 -req -days 3650 -sha256 -in $DIR/server.csr -passin "pass:$PASSWORD" -CA "$DIR/ca.pem" -CAkey "$DIR/ca-key.pem" -CAcreateserial -out "$DIR/server-cert.pem" -extfile $DIR/server.cnf
# Generate Client Certs
openssl genrsa -out "$DIR/client-key.pem" 4096
openssl req -subj '/CN=client' -new -key "$DIR/client-key.pem" -out $DIR/client.csr
echo "extendedKeyUsage = clientAuth" > $DIR/client.cnf
openssl x509 -req -days 3650 -sha256 -in $DIR/client.csr -passin "pass:$PASSWORD" -CA "$DIR/ca.pem" -CAkey "$DIR/ca-key.pem" -CAcreateserial -out "$DIR/client-cert.pem" -extfile $DIR/client.cnf
# Modify Certs Permission
chmod 0400 $DIR/*-key.pem
chmod 0444 $DIR/ca.pem $DIR/*-cert.pem
# Remove Temporary Files
rm -f $DIR/*.csr $DIR/*.cnf
如果需要部署到Docker服务,请继续
# Install To Docker Daemon
mkdir -p /etc/docker/certs.d
cp $DIR/ca.pem /etc/docker/certs.d/
cp $DIR/server-*.pem /etc/docker/certs.d/
cat <<EOF >/etc/docker/daemon.json
{
"tlsverify": true,
"tlscacert": "/etc/docker/certs.d/ca.pem",
"tlscert": "/etc/docker/certs.d/server-cert.pem",
"tlskey": "/etc/docker/certs.d/server-key.pem",
"hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
EOF
# Modify Systemd Service
if [ -f /lib/systemd/system/docker.service ]; then
sed -i 's#\["tcp:#\["fd://", "tcp:#' /etc/docker/daemon.json
sed -i 's# -H fd://##' /lib/systemd/system/docker.service
systemctl daemon-reload && systemctl restart docker
fi
特别注意
在systemd系统上-H
已设置,因此无法使用hosts
键来添加侦听地址,请参阅 https://docs.docker.com/install/linux/linux-postinstall/#configuring-remote-access-with-systemd-unit-file