armarti · July 18, 2019 03:47
diff --git a/generate_client_cert.sh b/generate_client_cert.sh
 #!/usr/bin/env bash
 # https://docs.docker.com/engine/security/https/#daemon-modes
 set -eo pipefail

 if [ $UID -ne 0 ]; then
    echo "You must run this script as root."
    exit 1
 fi

 CLNT_HOST="$1"
 CLNT_IP="$2"
 SRV_HOST="$3"
 SRV_PORT="$4"
 THIS_FILE="$( realpath "${BASH_SOURCE[0]}" )"
 THIS_BNAME="$( basename "$THIS_FILE" )"

 if [[ "$CLNT_HOST" == "" ]] || \
   [[ "$CLNT_IP" == "" ]] || \
   [[ "$SRV_HOST" == "" ]] || \
   [[ "$SRV_PORT" == "" ]] || \
   [[ $SRV_PORT -lt 1 ]] || \
   [[ "$CLNT_HOST" == '\-h' ]] || \
   [[ "$CLNT_HOST" == '\-\-help' ]]
 then
    echo -e "\n\tUSAGE: $THIS_BNAME [ -h | --help ] <CLNT_HOST> <CLNT_IP> <SERVER_HOST> <SERVER_PORT>\n"
    exit 1
 fi

 CERTS_D_DIR=/etc/docker/certs.d
 CRT_SUBDIR="${SRV_HOST}:$SRV_PORT"
 CRT_DIR="$CERTS_D_DIR/$CRT_SUBDIR"
 PVT_DIR="$CRT_DIR/private"
 CA="$CRT_DIR/ca.crt"
 CA_KEY="$CRT_DIR/ca.key"
 SRV_CRT="$PVT_DIR/server.crt"

 MISSING=''
 if [ ! -f "$CA" ]; then MISSING='CA';
 elif [ ! -f "$CA_KEY" ]; then MISSING='CA key';
 elif [ ! -f "$SRV_CRT" ]; then MISSING='server certificate';
 fi
 if [ -n "$MISSING" ]; then
    echo "Missing the ${MISSING}. Exiting."
    exit 2
 fi

 CLNT_EXT="$CRT_DIR/${CLNT_HOST}-extfile.conf"
 CLNT_CSR="$CRT_DIR/${CLNT_HOST}.csr"
 CLNT_KEY="$CRT_DIR/${CLNT_HOST}.key"
 CLNT_CRT="$CRT_DIR/${CLNT_HOST}.crt"

 openssl rand -writerand /root/.rnd
 echo 'extendedKeyUsage = clientAuth' > "$CLNT_EXT"
 openssl genrsa -out "$CLNT_KEY" 4096
 openssl req -subj "/CN=$CLNT_HOST" -new -key "$CLNT_KEY" -out "$CLNT_CSR"
 openssl x509 -req -days 365 -sha256 -in "$CLNT_CSR" -CA "$CA" -CAkey "$CA_KEY" -CAcreateserial -out "$CLNT_CRT" -extfile "$CLNT_EXT"
 rm "$CLNT_CSR" "$CLNT_EXT"
 chmod 0400 "$CLNT_KEY"
 chmod 0444 "$CLNT_CRT"

 SRV_HOST_NODASH="$( echo "${SRV_HOST}" | sed 's/\-/_/g' )"
 echo -e "\nNew TLS certs are in '$CRT_DIR'."
 echo -e "Run these commands from the client:\n"
 echo "mkdir -p ~/.docker/$CRT_SUBDIR/ && \\"
 echo "  scp \"${USER:-root}@$(hostname):$CA\" ~/.docker/$CRT_SUBDIR/ca.pem && \\"
 echo "  scp \"${USER:-root}@$(hostname):$SRV_CRT\" ~/.docker/$CRT_SUBDIR/server.crt && \\"
 echo "  scp \"${USER:-root}@$(hostname):$CLNT_CRT\" ~/.docker/$CRT_SUBDIR/cert.pem && \\"
 echo "  scp \"${USER:-root}@$(hostname):$CLNT_KEY\" ~/.docker/$CRT_SUBDIR/key.pem"
 echo "echo 'function docker_host_init_${SRV_HOST_NODASH}_${SRV_PORT}() {
    export DOCKER_HOST=tcp://${SRV_HOST}:${SRV_PORT}
    export DOCKER_TLS_VERIFY=1
    export DOCKER_CERT_PATH=\"\$HOME/.docker/$CRT_SUBDIR\"
 }' >> ~/.bashrc && \\"
 echo "echo 'function docker_host_init_${SRV_HOST_NODASH}_${SRV_PORT} -d \"Set Docker host to ${SRV_HOST}:${SRV_PORT}\"
    set -gx DOCKER_HOST tcp://${SRV_HOST}:${SRV_PORT}
    set -gx DOCKER_TLS_VERIFY 1
    set -gx DOCKER_CERT_PATH \"\$HOME/.docker/$CRT_SUBDIR\"
 end' >> ~/.config/fish/config.fish"
 echo

 exit 0
diff --git a/generate_server_cert.sh b/generate_server_cert.sh
 #!/usr/bin/env bash
 # https://docs.docker.com/engine/security/certificates/
 set -eo pipefail

 if [ $UID -ne 0 ]; then
    echo "You must run this script as root."
    exit 1
 fi

 SRV_HOST="$1"
 SRV_PORT="$2"
 SRV_IP="$3"
 THIS_FILE="$( realpath "${BASH_SOURCE[0]}" )"
 THIS_BNAME="$( basename "$THIS_FILE" )"

 if [[ "$SRV_HOST" == "" ]] || \
   [[ "$SRV_PORT" == "" ]] || \
   [[ $SRV_PORT -lt 1 ]] || \
   [[ "$SRV_IP" == "" ]] || \
   [[ "$SRV_HOST" == '\-h' ]] || \
   [[ "$SRV_HOST" == '\-\-help' ]]
 then
    echo -e "\n\tUSAGE: $THIS_BNAME [ -h | --help ] <SERVER_HOSTNAME> <SERVER_PORT> <SERVER_IP>\n"
    exit 1
 fi

 CERTS_D_DIR=/etc/docker/certs.d
 CRT_DIR="$CERTS_D_DIR/${SRV_HOST}:${SRV_PORT}"
 PVT_DIR="$CRT_DIR/private"
 mkdir -p "$PVT_DIR"

 CA="$CRT_DIR/ca.crt"
 CA_KEY="$CRT_DIR/ca.key"
 SRV_CRT="$PVT_DIR/server.crt"
 SRV_KEY="$PVT_DIR/server.key"
 SRV_EXT="$PVT_DIR/server-extfile.conf"
 SRV_CSR="$PVT_DIR/server.csr"

 openssl rand -writerand /root/.rnd
 openssl genrsa -aes256 -out "$CA_KEY" 4096
 openssl req -new -x509 -days 365 \
    -subj "/C=AQ/ST=Adelie Land/L=Dumont DUrville/O=Armarti Industries/CN=$SRV_HOST/OU=homeserver" \
    -key "$CA_KEY" -sha256 -out "$CA"
 echo HERE
 echo "subjectAltName = DNS:$SRV_HOST,IP:$SRV_IP,IP:127.0.0.1" > "$SRV_EXT"
 echo 'extendedKeyUsage = serverAuth' >> "$SRV_EXT"
 openssl genrsa -out "$SRV_KEY" 4096
 openssl req -subj "/CN=$SRV_HOST" -new -key "$SRV_KEY" -out "$SRV_CSR"
 openssl x509 -req -days 365 -sha256 -in "$SRV_CSR" -CA "$CA" -CAkey "$CA_KEY" -CAcreateserial -out "$SRV_CRT" -extfile "$SRV_EXT"
 rm "$SRV_CSR" "$SRV_EXT"
 chmod 0400 "$SRV_KEY" "$CA_KEY"
 chmod 0444 "$SRV_CRT" "$CA"

 echo -e "\nNew server TLS certs:"
 echo "> '$CRT_DIR'"
 ls -Flash "$CRT_DIR"
 echo "> '$PVT_DIR'"
 ls -Flash "$PVT_DIR"
 echo

 exit 0
	#!/usr/bin/env bash
	# https://docs.docker.com/engine/security/https/#daemon-modes
	set -eo pipefail

	if [ $UID -ne 0 ]; then
	echo "You must run this script as root."
	exit 1
	fi

	CLNT_HOST="$1"
	CLNT_IP="$2"
	SRV_HOST="$3"
	SRV_PORT="$4"
	THIS_FILE="$( realpath "${BASH_SOURCE[0]}" )"
	THIS_BNAME="$( basename "$THIS_FILE" )"

	if [[ "$CLNT_HOST" == "" ]] \|\| \
	[[ "$CLNT_IP" == "" ]] \|\| \
	[[ "$SRV_HOST" == "" ]] \|\| \
	[[ "$SRV_PORT" == "" ]] \|\| \
	[[ $SRV_PORT -lt 1 ]] \|\| \
	[[ "$CLNT_HOST" == '\-h' ]] \|\| \
	[[ "$CLNT_HOST" == '\-\-help' ]]
	then
	echo -e "\n\tUSAGE: $THIS_BNAME [ -h \| --help ] <CLNT_HOST> <CLNT_IP> <SERVER_HOST> <SERVER_PORT>\n"
	exit 1
	fi

	CERTS_D_DIR=/etc/docker/certs.d
	CRT_SUBDIR="${SRV_HOST}:$SRV_PORT"
	CRT_DIR="$CERTS_D_DIR/$CRT_SUBDIR"
	PVT_DIR="$CRT_DIR/private"
	CA="$CRT_DIR/ca.crt"
	CA_KEY="$CRT_DIR/ca.key"
	SRV_CRT="$PVT_DIR/server.crt"

	MISSING=''
	if [ ! -f "$CA" ]; then MISSING='CA';
	elif [ ! -f "$CA_KEY" ]; then MISSING='CA key';
	elif [ ! -f "$SRV_CRT" ]; then MISSING='server certificate';
	fi
	if [ -n "$MISSING" ]; then
	echo "Missing the ${MISSING}. Exiting."
	exit 2
	fi

	CLNT_EXT="$CRT_DIR/${CLNT_HOST}-extfile.conf"
	CLNT_CSR="$CRT_DIR/${CLNT_HOST}.csr"
	CLNT_KEY="$CRT_DIR/${CLNT_HOST}.key"
	CLNT_CRT="$CRT_DIR/${CLNT_HOST}.crt"

	openssl rand -writerand /root/.rnd
	echo 'extendedKeyUsage = clientAuth' > "$CLNT_EXT"
	openssl genrsa -out "$CLNT_KEY" 4096
	openssl req -subj "/CN=$CLNT_HOST" -new -key "$CLNT_KEY" -out "$CLNT_CSR"
	openssl x509 -req -days 365 -sha256 -in "$CLNT_CSR" -CA "$CA" -CAkey "$CA_KEY" -CAcreateserial -out "$CLNT_CRT" -extfile "$CLNT_EXT"
	rm "$CLNT_CSR" "$CLNT_EXT"
	chmod 0400 "$CLNT_KEY"
	chmod 0444 "$CLNT_CRT"

	SRV_HOST_NODASH="$( echo "${SRV_HOST}" \| sed 's/\-/_/g' )"
	echo -e "\nNew TLS certs are in '$CRT_DIR'."
	echo -e "Run these commands from the client:\n"
	echo "mkdir -p ~/.docker/$CRT_SUBDIR/ && \\"
	echo " scp \"${USER:-root}@$(hostname):$CA\" ~/.docker/$CRT_SUBDIR/ca.pem && \\"
	echo " scp \"${USER:-root}@$(hostname):$SRV_CRT\" ~/.docker/$CRT_SUBDIR/server.crt && \\"
	echo " scp \"${USER:-root}@$(hostname):$CLNT_CRT\" ~/.docker/$CRT_SUBDIR/cert.pem && \\"
	echo " scp \"${USER:-root}@$(hostname):$CLNT_KEY\" ~/.docker/$CRT_SUBDIR/key.pem"
	echo "echo 'function docker_host_init_${SRV_HOST_NODASH}_${SRV_PORT}() {
	export DOCKER_HOST=tcp://${SRV_HOST}:${SRV_PORT}
	export DOCKER_TLS_VERIFY=1
	export DOCKER_CERT_PATH=\"\$HOME/.docker/$CRT_SUBDIR\"
	}' >> ~/.bashrc && \\"
	echo "echo 'function docker_host_init_${SRV_HOST_NODASH}_${SRV_PORT} -d \"Set Docker host to ${SRV_HOST}:${SRV_PORT}\"
	set -gx DOCKER_HOST tcp://${SRV_HOST}:${SRV_PORT}
	set -gx DOCKER_TLS_VERIFY 1
	set -gx DOCKER_CERT_PATH \"\$HOME/.docker/$CRT_SUBDIR\"
	end' >> ~/.config/fish/config.fish"
	echo

	exit 0