docker配置ca证书

参考

脚本

ca证书生成脚本

#!/bin/bash
# -------------------------------------------------------------
# 自动创建 Docker TLS 证书
# -------------------------------------------------------------

# config
# --[BEGIN]------------------------------

# 代码，可以随便写
CODE="WRETCHANT"
# 服务器的外网IP
IP=""
# CA证书的密码
PASSWORD="CA-PASSWORD.12345678"
# 国家
COUNTRY="CN"
# 地区
STATE="zhejiang"
# 城市
CITY="hangzhou"
# 组织
ORGANIZATION="WRETCHANT.EDU"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
# 邮件地址
EMAIL="[email protected]"

# --[END]--


# 创建存放脚本的文件夹
mkdir -p /etc/docker/cert.init/
cd /etc/docker/cert.init/


# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key.pem" 4096
# Generate CA
openssl req -new -x509 -days 365 -key "ca-key.pem" -sha256 -out "ca.pem"   -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server key
openssl genrsa -out "server-key.pem" 4096

# Generate Server Certs.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key.pem" -out server.csr

echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf

openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "server-cert.pem" -extfile extfile.cnf

# Generate Client Certs.
rm -f extfile.cnf

openssl genrsa -out "key.pem" 4096
openssl req -subj '/CN=client' -new -key "key.pem" -out client.csr
echo extendedKeyUsage = clientAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "cert.pem" -extfile extfile.cnf

rm -vf client.csr server.csr

chmod -v 0400 "ca-key.pem" "key.pem" "server-key.pem"
chmod -v 0444 "ca.pem" "server-cert.pem" "cert.pem"

# 打包客户端证书成tar.gz包
mkdir -p "tls-client-certs"
cp -f "ca.pem" "cert.pem" "key.pem" "tls-client-certs/"
cd "tls-client-certs"
tar zcf "tls-client-certs.tar.gz" *
mv "tls-client-certs.tar.gz" ../
cd ..
rm -rf "tls-client-certs"

# 拷贝服务端证书，保存在docker目录下
mkdir -p /etc/docker
cp "ca.pem" "server-cert.pem" "server-key.pem" /etc/docker

客户端证书下载

证书生成完成后，客户端需要拿到证书进行远程连接

进入证书存放目录,tls-client-certs.tar.gz就是客户端的证书

cd /etc/docker/cert.init

不要改变!不要改变!不要改变!客户端证书的名字,否则idea会报错

配置docker

vim /lib/systemd/system/docker.service

ExecStart=/usr/bin/dockerd-current \
          --tlsverify \
--tlscacert=/etc/docker/ca.pem \
--tlscert=/etc/docker/server-cert.pem \
--tlskey=/etc/docker/server-key.pem \
-H tcp://0.0.0.0:2375 \
-H unix:///var/run/docker.sock \
# 下面的不要动
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \

重启docker

systemctl daemon-reload && systemctl restart docker