Skip to content

Instantly share code, notes, and snippets.

@zero5100
Forked from mac2000/create-docker-tls.sh
Created March 1, 2018 00:57
Show Gist options
  • Save zero5100/2d3724326f81655b652a4e5c2964b228 to your computer and use it in GitHub Desktop.
Save zero5100/2d3724326f81655b652a4e5c2964b228 to your computer and use it in GitHub Desktop.
Creating and setting up Docker for TLS
#!/bin/bash
# At the end you will have 6 files:
# ca/ca.pem - used by both client and server to verify each other certificates
# ca/ca-key.pem - keep it in secret it may be used to generate new certificates
# client/cert.pem, client/key.pem - in conjunction with /ca/ca.pem will be used by client to speak with server
# server/cert.pem, server/key.pem - in conjunction with /ca/ca.pem will be used by server
#
# NOTICE: DO NOT FORGET to set your **Server** ip and dns in server/openssl.cnf each time you generating new server certificates
#
# Original: http://tech.paulcz.net/2016/01/secure-docker-with-tls/
echo "Certificate Authority"
echo "---------------------"
echo
mkdir -p ca
openssl genrsa -out ca/ca-key.pem 2048
openssl req -x509 -new -nodes -key ca/ca-key.pem -days 3650 -out ca/ca.pem -subj '/CN=ca'
echo "Client Certificates"
echo "-------------------"
echo
mkdir -p client
cat << EOF | tee -a client/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
openssl genrsa -out client/key.pem 2048
openssl req -new -key client/key.pem -out client/cert.csr -subj '/CN=client' -config client/openssl.cnf
openssl x509 -req -in client/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out client/cert.pem -days 3650 -extensions v3_req -extfile client/openssl.cnf
rm -f server/cert.csr server/openssl.cnf
echo "Server Certificates"
echo "-------------------"
echo
mkdir -p server
cat << EOF | tee -a server/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = docker.rabota.local
IP.1 = 192.168.4.21
IP.2 = 127.0.0.1
EOF
openssl genrsa -out server/key.pem 2048
openssl req -new -key server/key.pem -out server/cert.csr -subj "/CN=server" -config server/openssl.cnf
openssl x509 -req -in server/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out server/cert.pem -days 3650 -extensions v3_req -extfile server/openssl.cnf
rm -f server/cert.csr server/openssl.cnf
@zero5100
Copy link
Author

zero5100 commented Mar 1, 2018

Usage Notes (Thank you to original authors!)


  1. On a dev machine, create a new folder to hold the certs and cd into it
  2. wget the script into the new folder and make it executable
  3. Change the [alt_names] section of the script to match the remote docker server (where the docker daemon is running)
  4. Run the script
  5. Run the following commands to set up the local dev env (replace $USER and docker-server with the remote user and remote server name)

On the local machine

mkdir ~/.docker/
cp {ca/ca.pem,client/cert.pem,client/key.pem} ~/.docker/
chmod 444 {~/.docker/ca.pem,~/.docker/cert.pem} && chmod 400 ~/.docker/key.pem
scp {ca/ca.pem,server/cert.pem,server/key.pem} $USER@docker-server:/home/$USER/server-certs

On the remote host (docker-server)

sudo cp {~/server-certs/ca.pem,~/server-certs/cert.pem,~/server-certs/key.pem} /etc/docker
sudo chmod 444 {/etc/docker/ca.pem,/etc/docker/cert.pem} && sudo chmod 400 /etc/docker/key.pem
rm -rf ~/server-certs/

Test the connection

DOCKER_HOST=tcp://docker-server:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=~/.docker/ docker info

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment