脚本内容
#!/bin/bash
HOST=$DOMAIN_HOST
# 自定义信息
# 生成的证书的目录
FILE_ROOT="/root/tls/pem"
DOMAIN_HOST="服务器IP"
PASSWORD="证书密码"
COUNTRY=CN
PROVINCE=ZJ
CITY=NB
ORGANIZATION=GCQ
GROUP=GCQ
NAME=GCQ
# 自定义信息
#============================================================================================
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"
mkdir -p ${FILE_ROOT}
#============================================================================================
#此形式是自己给自己签发证书,自己就是CA机构,也可以交给第三方机构去签发
# 生成根证书RSA私钥,password作为私钥密码(身份证)
echo "生成根证书RSA私钥..."
openssl genrsa -passout pass:$PASSWORD -aes256 -out /root/tls/pem/ca-key.pem 4096
# 2.用根证书RSA私钥生成自签名的根证书(营业执照)
echo "用根证书RSA私钥生成自签名的根证书..."
openssl req -new -x509 -days 365 -passin pass:$PASSWORD -key /root/tls/pem/ca-key.pem -sha256 -subj $SUBJ -out /root/tls/pem/ca.pem
#============================================================================================
#给服务器签发证书
# 1.服务端生成自己的私钥
echo "服务端生成自己的私钥..."
openssl genrsa -out /root/tls/pem/server-key.pem 4096
# 2.服务端生成证书(里面包含公钥与服务端信息)
echo "服务端生成证书..."
openssl req -new -sha256 -key /root/tls/pem/server-key.pem -out /root/tls/pem/server.csr -subj "/CN=$DOMAIN_HOST"
# 3.通过什么形式与我进行连接,可设置多个IP地扯用逗号分隔
echo "授权ip: ${DOMAIN_HOST},0.0.0.0..."
echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf
# 4.权威机构对证书进行进行盖章生效
echo "权威机构对证书进行进行盖章生效..."
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/server.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/server-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
#给客户端签发证书
echo "给客户端签发证书..."
openssl genrsa -out /root/tls/pem/client-key.pem 4096
openssl req -subj '/CN=client' -new -key /root/tls/pem/client-key.pem -out /root/tls/pem/client.csr
echo extendedKeyUsage = clientAuth > /tmp/extfile.cnf
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/client.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/client-cert.pem -extfile /tmp/extfile.cnf
mv client-cert.pem cert.pem
mv client-key.pem key.pem
#============================================================================================
# 清理文件
echo "清理多余文件..."
rm -rf "${FILE_ROOT}/ca-key.pem"
rm -rf "${FILE_ROOT}/{server,client}.csr"
rm -rf "${FILE_ROOT}/ca.srl"
# 最终文件
# ca.pem == CA机构证书
# cert.pem == 客户端证书
# key.pem == 客户私钥
# server-cert.pem == 服务端证书
# server-key.pem == 服务端私钥
echo -e "最终文件:"
echo -e "${FILE_ROOT}/ca.pemtCA机构证书"
echo -e "${FILE_ROOT}/cert.pemt客户端证书"
echo -e "${FILE_ROOT}/key.pemt客户私钥"
echo -e "${FILE_ROOT}/server-cert.pemt服务端证书"
echo -e "${FILE_ROOT}/server-key.pemt服务端私钥"
执行刚刚创建的脚本,生成证书。
随后编辑Docker配置
vim /lib/systemd/system/docker.service
将 ExecStart 更改为:
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
保存配置并重启
systemctl daemon-reload
systemctl restart docker.service
随后开放2376端口即可。
