Skip to content

Instantly share code, notes, and snippets.

@Stono
Last active September 19, 2024 08:16
Show Gist options
  • Save Stono/7e6fed13cfd79598eb15 to your computer and use it in GitHub Desktop.
Save Stono/7e6fed13cfd79598eb15 to your computer and use it in GitHub Desktop.
Creating and setting up Docker for TLS
#!/bin/bash
# This script will help you setup Docker for TLS authentication.
# Run it passing in the arguement for the FQDN of your docker server
#
# For example:
# ./create-docker-tls.sh myhost.docker.com
#
# The script will also create a profile.d (if it exists) entry
# which configures your docker client to use TLS
#
# We will also overwrite /etc/sysconfig/docker (again, if it exists) to configure the daemon.
# A backup will be created at /etc/sysconfig/docker.unixTimestamp
#
# MIT License applies to this script. I don't accept any responsibility for
# damage you may cause using it.
#
set -e
STR=2048
if [ "$#" -gt 0 ]; then
DOCKER_HOST="$1"
else
echo " => ERROR: You must specify the docker FQDN as the first arguement to this scripts! <="
exit 1
fi
if [ "$USER" == "root" ]; then
echo " => WARNING: You're running this script as root, therefore root will be configured to talk to docker"
echo " => If you want to have other users query docker too, you'll need to symlink /root/.docker to /theuser/.docker"
fi
echo " => Using Hostname: $DOCKER_HOST You MUST connect to docker using this host!"
echo " => Ensuring config directory exists..."
mkdir -p "$HOME/.docker"
cd $HOME/.docker
echo " => Verifying ca.srl"
if [ ! -f "ca.src" ]; then
echo " => Creating ca.srl"
echo 01 > ca.srl
fi
echo " => Generating CA key"
openssl genrsa \
-out ca-key.pem $STR
echo " => Generating CA certificate"
openssl req \
-new \
-key ca-key.pem \
-x509 \
-days 3650 \
-nodes \
-subj "/CN=$HOSTNAME" \
-out ca.pem
echo " => Generating server key"
openssl genrsa \
-out server-key.pem $STR
echo " => Generating server CSR"
openssl req \
-subj "/CN=$DOCKER_HOST" \
-new \
-key server-key.pem \
-out server.csr
echo " => Signing server CSR with CA"
openssl x509 \
-req \
-days 3650 \
-in server.csr \
-CA ca.pem \
-CAkey ca-key.pem \
-out server-cert.pem
echo " => Generating client key"
openssl genrsa \
-out key.pem $STR
echo " => Generating client CSR"
openssl req \
-subj "/CN=docker.client" \
-new \
-key key.pem \
-out client.csr
echo " => Creating extended key usage"
echo extendedKeyUsage = clientAuth > extfile.cnf
echo " => Signing client CSR with CA"
openssl x509 \
-req \
-days 3650 \
-in client.csr \
-CA ca.pem \
-CAkey ca-key.pem \
-out cert.pem \
-extfile extfile.cnf
if [ -d "/etc/profile.d" ]; then
echo " => Creating profile.d/docker"
sudo sh -c "echo '#!/bin/bash
export DOCKER_CERT_PATH=/home/$USER/.docker
export DOCKER_HOST=tcp://$DOCKER_HOST:2376
export DOCKER_TLS_VERIFY=1' > /etc/profile.d/docker.sh"
sudo chmod +x /etc/profile.d/docker.sh
source /etc/profile.d/docker.sh
else
echo " => WARNING: No /etc/profile.d directoy on your system."
echo " => You will need to set the following environment variables before running the docker client:"
echo " => DOCKER_HOST=tcp://$DOCKER_HOST:2376"
echo " => DOCKER_TLS_VERIFY=1"
fi
OPTIONS="--tlsverify --tlscacert=$HOME/.docker/ca.pem --tlscert=$HOME/.docker/server-cert.pem --tlskey=$HOME/.docker/server-key.pem -H=0.0.0.0:2376"
if [ -f "/etc/sysconfig/docker" ]; then
echo " => Configuring /etc/sysconfig/docker"
BACKUP="/etc/sysconfig/docker.$(date +"%s")"
sudo mv /etc/sysconfig/docker $BACKUP
sudo sh -c "echo '# The following line was added by ./create-certs docker TLS configuration script
OPTIONS=\"$OPTIONS\"
# A backup of the old file is at $BACKUP.' >> /etc/sysconfig/docker"
echo " => Backup file location: $BACKUP"
else
echo " => WARNING: No /etc/sysconfig/docker file found on your system."
echo " => You will need to configure your docker daemon with the following options:"
echo " => $OPTIONS"
fi
export DOCKER_HOST=tcp://DOCKER_HOST:2376
export DOCKER_TLS_VERIFY=1
echo " => Done! You just need to restart docker for the changes to take effect"
@tianon
Copy link

tianon commented Nov 4, 2015

Line 39 has ca.src where it should be ca.srl. 😉 👍

(Thanks for the great, simple gist!)

@aienabled
Copy link

aienabled commented Jan 11, 2018

Works great. Thank you! @tianon, thank you too!
BTW, in C# (Docker.DotNet) the certifate callback should be used to allow connections to the server:

new CertificateCredentials(clientCertificate)
{
    // allow always
    ServerCertificateValidationCallback = (o, c, ch, er) => true
}

(for some reason similar workaround with ServicePointManager.ServerCertificateValidationCallback doesn't work)
I suppose this is needed only in the case when you don't have the generated ca certificate installed in the client system.

@l-margiela
Copy link

l-margiela commented Jun 29, 2019

Hi! I tried your script, but when I try to use them on the client machine (docker -D -H 'tcp://domain.tld:port' --tls ps) the only thing I get is failed to append certificates from PEM file: "/root/.docker/ca.pem". After googling, it looks like ca.pem isn't a valid PEM file (but openssl verify parses it). Do you know what may be the cause? Thanks in advance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment