shabbirh · October 27, 2019 15:11
diff --git a/docker-daemon-make-tls-certs.sh b/docker-daemon-make-tls-certs.sh
 #!/bin/bash

 if [ "$#" -ne 2 ]; then
    echo "Usage:"
    echo "You must enter exactly 2 command line arguments"
    echo "First the host for which you are generating the certificates"
    echo "Second where you want to store the generated files - everything in that directory will be deleted"
    echo "You should also give the FULLY QUALIFIED PATH for where you want to store the files - e.g. /etc/docker/ssl/certs/location"
    echo "Relative paths will not work at this time"
    echo ""
    echo "THIS IS PROVIDED AS-IS AND MAY OR MAY NOT WORK CORRECT - USE AT YOUR OWN RISK - I TAKE NO RESPONSIBILITY FOR ANY DAMAGE OR PROBLEMS YOU EXPERIENCE IN OR BY USING THIS SCRIPT"
    echo "VERIFY EVERYTHING YOURSELF AND USE ONLY IF CONFIDENT AND COMFORTABLE"
    echo ""
    echo "./generate_tls_certs_for_docker.sh <hostname> <storage_location>"
    exit
 fi

 HOST=$1
 SECURE_STORAGE_PATH=$2
 echo =========================================================
 echo Generating Server Certs for $HOST will store in $SECURE_STORAGE_PATH
 echo =========================================================
 rm -rfv $SECURE_STORAGE_PATH
 rmdir --ignore-fail-on-non-empty -v $SECURE_STORAGE_PATH
 ls -lahR $SECURE_STORAGE_PATH
 mkdir $SECURE_STORAGE_PATH
 cd $SECURE_STORAGE_PATH
 openssl genrsa -aes256 -out ca-key.pem 4096
 openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
 openssl genrsa -out server-key.pem 4096
 openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

 IPADD=`ip route get 8.8.8.8 | sed -n '/src/{s/.*src *\([^ ]*\).*/\1/p;q}'`

 echo subjectAltName = DNS:$HOST,IP:$IPADD,IP:127.0.0.1 >> $HOST.extfile.cnf

 openssl x509 -req -days 36500 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile $HOST.extfile.cnf

 echo =========================================================
 echo Generating Client Certs for access to $HOST
 echo =========================================================
 openssl genrsa -out client-key.pem 4096
 openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
 echo extendedKeyUsage = clientAuth > extfile-client.cnf
 openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf

 echo =========================================================
 echo Cleaning Up
 echo =========================================================

 rm -v client.csr server.csr $HOST.extfile.cnf extfile-client.cnf

 echo =========================================================
 echo Instructions 
 echo =========================================================
 ls -lhaR $SECURE_STORAGE_PATH
 echo Make sure the Docker Daemon - systemctl edit docker.service - is run
 echo with the following:
 echo dockerd --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/server-cert.pem --tlskey=$SECURE_STORAGE_PATH/server-key.pem -H=0.0.0.0:2376
 echo You can connect to the docker daemon with the following:
 echo docker --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/client-cert.pem --tlskey=$SECURE_STORAGE_PATH/client-key.pem -H=$HOST:2376 version
 echo ""
 echo "To persist the changes - run:"
 echo "$ sudo systemctl edit docker.service"
 echo "Edit the file as follows (ensuring any other customisations you have made are not lost):"
 echo ""
 echo "[Service]
 ExecStart=
 ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/server-cert.pem --tlskey=$SECURE_STORAGE_PATH/server-key.pem -H fd:// -H tcp://$IPADD:2376"
 echo ""
 echo "Once completed - save the changes and restart the daemon:"
 echo ""
 echo "$ sudo systemctl daemon-reload && sudo systemctl restart docker"
 echo ""
 echo ""
 echo "Ensure all is working by running: "
 echo ""
 echo "docker --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/client-cert.pem --tlskey=$SECURE_STORAGE_PATH/client-key.pem -H=$HOST:2376 version"
 echo ""
 echo "Enjoy"
	#!/bin/bash

	if [ "$#" -ne 2 ]; then
	echo "Usage:"
	echo "You must enter exactly 2 command line arguments"
	echo "First the host for which you are generating the certificates"
	echo "Second where you want to store the generated files - everything in that directory will be deleted"
	echo "You should also give the FULLY QUALIFIED PATH for where you want to store the files - e.g. /etc/docker/ssl/certs/location"
	echo "Relative paths will not work at this time"
	echo ""
	echo "THIS IS PROVIDED AS-IS AND MAY OR MAY NOT WORK CORRECT - USE AT YOUR OWN RISK - I TAKE NO RESPONSIBILITY FOR ANY DAMAGE OR PROBLEMS YOU EXPERIENCE IN OR BY USING THIS SCRIPT"
	echo "VERIFY EVERYTHING YOURSELF AND USE ONLY IF CONFIDENT AND COMFORTABLE"
	echo ""
	echo "./generate_tls_certs_for_docker.sh <hostname> <storage_location>"
	exit
	fi

	HOST=$1
	SECURE_STORAGE_PATH=$2
	echo =========================================================
	echo Generating Server Certs for $HOST will store in $SECURE_STORAGE_PATH
	echo =========================================================
	rm -rfv $SECURE_STORAGE_PATH
	rmdir --ignore-fail-on-non-empty -v $SECURE_STORAGE_PATH
	ls -lahR $SECURE_STORAGE_PATH
	mkdir $SECURE_STORAGE_PATH
	cd $SECURE_STORAGE_PATH
	openssl genrsa -aes256 -out ca-key.pem 4096
	openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
	openssl genrsa -out server-key.pem 4096
	openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

	IPADD=`ip route get 8.8.8.8 \| sed -n '/src/{s/.src \([^ ]\)./\1/p;q}'`

	echo subjectAltName = DNS:$HOST,IP:$IPADD,IP:127.0.0.1 >> $HOST.extfile.cnf

	openssl x509 -req -days 36500 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
	-CAcreateserial -out server-cert.pem -extfile $HOST.extfile.cnf

	echo =========================================================
	echo Generating Client Certs for access to $HOST
	echo =========================================================
	openssl genrsa -out client-key.pem 4096
	openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
	echo extendedKeyUsage = clientAuth > extfile-client.cnf
	openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
	-CAcreateserial -out client-cert.pem -extfile extfile-client.cnf

	echo =========================================================
	echo Cleaning Up
	echo =========================================================

	rm -v client.csr server.csr $HOST.extfile.cnf extfile-client.cnf

	echo =========================================================
	echo Instructions
	echo =========================================================
	ls -lhaR $SECURE_STORAGE_PATH
	echo Make sure the Docker Daemon - systemctl edit docker.service - is run
	echo with the following:
	echo dockerd --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/server-cert.pem --tlskey=$SECURE_STORAGE_PATH/server-key.pem -H=0.0.0.0:2376
	echo You can connect to the docker daemon with the following:
	echo docker --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/client-cert.pem --tlskey=$SECURE_STORAGE_PATH/client-key.pem -H=$HOST:2376 version
	echo ""
	echo "To persist the changes - run:"
	echo "$ sudo systemctl edit docker.service"
	echo "Edit the file as follows (ensuring any other customisations you have made are not lost):"
	echo ""
	echo "[Service]
	ExecStart=
	ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/server-cert.pem --tlskey=$SECURE_STORAGE_PATH/server-key.pem -H fd:// -H tcp://$IPADD:2376"
	echo ""
	echo "Once completed - save the changes and restart the daemon:"
	echo ""
	echo "$ sudo systemctl daemon-reload && sudo systemctl restart docker"
	echo ""
	echo ""
	echo "Ensure all is working by running: "
	echo ""
	echo "docker --tlsverify --tlscacert=$SECURE_STORAGE_PATH/ca.pem --tlscert=$SECURE_STORAGE_PATH/client-cert.pem --tlskey=$SECURE_STORAGE_PATH/client-key.pem -H=$HOST:2376 version"
	echo ""
	echo "Enjoy"