参考地址1
参考地址2
1.脚本内容
#!/bin/bash
# @author zxk175
#============================================#
# 下面为证书密钥及相关信息配置,注意修改 #
#============================================#
IP="服务器外网IP"
IN_IP="127.0.0.1"
ZERO_IP="0.0.0.0"
PORT="2376"
CODE="证书后缀"
PASSWORD="证书密码"
COUNTRY="CN"
STATE="GD"
CITY="SZ"
ORGANIZATION="组织名称"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="邮箱"
SUBJ="/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# 创建目录
if [ ! -d "/etc/docker/certs.d/" ];then
mkdir /etc/docker/certs.d
else
echo "/etc/docker/certs.d/ 文件夹已经存在"
fi
HD=~/.docker/
if [ ! -d "$HD" ];then
mkdir ~/.docker
else
echo "$HD 文件夹已经存在"
fi
CE=~/certs
if [ ! -d "$CE" ];then
mkdir ~/certs
else
echo "$CE 文件夹已经存在"
fi
echo -e "\n"
# 如果目录已经存在则清空目录中已存在的信息
rm -rf /etc/docker/certs.d/*
rm -rf ~/.docker/*
rm -rf ~/certs/*
cd ~/certs
# 1.生成根证书RSA私钥,PASSWORD作为私钥文件的密码
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# 2.用根证书RSA私钥生成自签名的根证书
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca.pem" -passin "pass:$PASSWORD" -subj "$SUBJ"
echo -e "\n\e[1;31m============================================\e[0m"
echo -e "\e[1;31m 用根证书签发server端证书 \e[0m"
echo -e "\e[1;31m============================================\e[0m"
# 3.生成服务端私钥"
openssl genrsa -out "server-key-$CODE.pem" 4096
# 4.生成服务端证书请求文件"
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr
# 5.使tls连接能通过ip地址方式,绑定IP"
echo subjectAltName = IP:127.0.0.1,IP:$IP > extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
echo -e "\n\e[1;32mserver extfile.cnf内容\e[0m"
cat extfile.cnf
echo -e "\n"
# 6.使用根证书签发服务端证书
openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf
echo -e "\n\e[1;31m============================================\e[0m"
echo -e "\e[1;31m 用根证书签发client端证书 \e[0m"
echo -e "\e[1;31m============================================\e[0m"
# 7.生成客户端私钥
openssl genrsa -out "client-key-$CODE.pem" 4096
# 8.生成客户端证书请求文件
openssl req -subj '/CN=client' -new -key "client-key-$CODE.pem" -out client.csr
# 9.客户端证书配置文件
echo extendedKeyUsage = clientAuth > extfile.cnf
echo -e "\n\e[1;32mclient extfile.cnf内容\e[0m"
cat extfile.cnf
echo -e "\n"
# 10.使用根证书签发客户端证书
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "client-cert-$CODE.pem" -extfile extfile.cnf
# 11.设置私钥权限为只读
chmod -v 0400 "ca-key-$CODE.pem" "client-key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca.pem" "server-cert-$CODE.pem" "client-cert-$CODE.pem"
#============================================#
# 清理 #
#============================================#
# 删除临时文件
rm -f ca.srl client.csr server.csr extfile.cnf
# 打包客户端证书
mkdir -p "tls-client-certs-$CODE"
cp -f "ca.pem" "client-cert-$CODE.pem" "client-key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
# 修改pem名字 否则Idea无法识别pem
mv "client-key-$CODE.pem" key.pem && mv "client-cert-$CODE.pem" cert.pem
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"
# 拷贝服务端证书
cp "ca.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/
echo -e "\n\e[1;32m修改 /usr/lib/systemd/system/docker.service 文件\e[0m"
cat >/usr/lib/systemd/system/docker.service <<EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
#ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://$ZERO_IP:$PORT
ExecStart=/usr/bin/dockerd --tlsverify \
--tlscacert=/etc/docker/certs.d/ca.pem \
--tlscert=/etc/docker/certs.d/server-cert-$CODE.pem \
--tlskey=/etc/docker/certs.d/server-key-$CODE.pem \
-H unix:///var/run/docker.sock -H tcp://$ZERO_IP:$PORT
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
# 拷贝客户端证书文件"
cp "ca.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" "client-cert-$CODE.pem" "client-key-$CODE.pem" ~/.docker
echo -e "\n\e[1;32m重启Docker\e[0m"
systemctl daemon-reload && service docker restart
echo -e "\n\e[1;31m客户端远程连接\e[0m"
echo -e "\ndocker -H $IP:$PORT --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/client-cert-$CODE.pem --tlskey ~/.docker/client-key-$CODE.pem ps -a"
docker -H $IP:$PORT --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/client-cert-$CODE.pem --tlskey ~/.docker/client-key-$CODE.pem ps -a
echo -e "\ndocker -H $IN_IP:$PORT --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/client-cert-$CODE.pem --tlskey ~/.docker/client-key-$CODE.pem ps -a"
docker -H $IN_IP:$PORT --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/client-cert-$CODE.pem --tlskey ~/.docker/client-key-$CODE.pem ps -a
echo -e "\n\e[1;31m客户端使用 cURL 连接\e[0m"
echo -e "\ncurl --cacert ~/.docker/ca.pem --cert ~/.docker/client-cert-$CODE.pem --key ~/.docker/client-key-$CODE.pem https://$IP:$PORT/containers/json"
curl --cacert ~/.docker/ca.pem --cert ~/.docker/client-cert-$CODE.pem --key ~/.docker/client-key-$CODE.pem https://$IP:$PORT/containers/json
echo -e "\ncurl --cacert ~/.docker/ca.pem --cert ~/.docker/client-cert-$CODE.pem --key ~/.docker/client-key-$CODE.pem https://$IN_IP:$PORT/containers/json"
curl --cacert ~/.docker/ca.pem --cert ~/.docker/client-cert-$CODE.pem --key ~/.docker/client-key-$CODE.pem https://$IN_IP:$PORT/containers/json
echo -e "\n\e[1;32mAll be done.\e[0m"
2.在服务器根目录执行脚本内容
3.复制根目录下certs中的 tls-client-certs-xxxx.tar.gz 文件到客户端中备用
image.png
网友评论