自签tls证书
下载自签证书工具
$ mkdir -pv /usr/local/cfssl
$ cd /usr/local/src
$ curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.2/cfssl_1.6.2_linux_amd64 -o /usr/local/cfssl/cfssl 2>/dev/null
$ curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.2/cfssl-certinfo_1.6.2_linux_amd64 -o /usr/local/cfssl/cfssl-certinfo 2>/dev/null
$ curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.2/cfssljson_1.6.2_linux_amd64 -o /usr/local/cfssl/cfssljson 2>/dev/null
$ chmod +x /usr/local/cfssl/*
$ echo 'PATH=$PATH:/usr/local/cfssl' > /etc/profile.d/cfssl.sh
$ source /etc/profile.d/cfssl.sh
# 验证(建议先将下载的二进制文件与发布页公布的校验和核对后再执行)
# cfssl
$ cfssl version
Version: 1.6.2
Runtime: go1.18
签发根证书
根(ca)证书配置
$ mkdir /etc/docker/tls
$ cd /etc/docker/tls
$ cat ca-config.json
{
"signing": {
"default": {
"expiry": "1752000h"
},
"profiles": {
"www": {
"expiry": "1752000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
根(ca)证书签名请求文件
$ cat ca-csr.json
{
"CA":{"expiry":"876000h"},
"CN": "CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GD",
"L": "Shenzhen",
"O": "Demingcompany",
"OU": "Devops"
}
]
}
签发根(ca)证书
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# 签发成功会生成: ca.csr、ca-key.pem、ca.pem (ca-key.pem 可签发被 Docker 信任的任意客户端证书,需严格限制文件权限,不要分发到其他机器)
签发Docker服务器使用证书
创建证书签名请求文件
# hosts中多填写一些预留ip/域名,方便后续新加docker服务器直接使用
$ cat server-csr.json
{
"CN": "docker",
"hosts": [
"127.0.0.1",
"localhost",
"docker-1.deming.com",
"local.docker-1.deming.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GD",
"L": "Shenzhen"
}
]
}
签发证书
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
# 签发成功会生成: server.csr、server-key.pem、server.pem
签发客户端 连接Docker使用的证书
创建证书签名请求文件
$ cat client-csr.json
{
"CN": "portainer",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GD",
"L": "Shenzhen"
}
]
}
签发证书
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www client-csr.json | cfssljson -bare client
# 签发成功会生成: client.csr、client-key.pem、client.pem
修改Docker配置
确认已安装好了Docker
配置更新
# 创建或者编辑如下配置文件,追加如下配置 (hosts 中的 0.0.0.0 会在所有网卡上监听;tlsverify 为 true 时只接受由 ca.pem 签发的客户端证书,若无需远程访问,建议改为具体 IP 或用防火墙限制访问)
$ vim /etc/docker/daemon.json
{
...
"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
"tlscacert": "/etc/docker/tls/ca.pem",
"tlscert": "/etc/docker/tls/server.pem",
"tlskey": "/etc/docker/tls/server-key.pem",
"tlsverify": true
}
修改 systemd 启动文件,去掉启动命令中的 -H fd://,否则它会与 daemon.json 中的 hosts 冲突导致 docker 无法启动(不使用 systemd 管理进程则跳过)
$ sed -i 's# -H fd://##g' /usr/lib/systemd/system/docker.service
重启 docker 使配置生效
$ systemctl daemon-reload
$ systemctl restart docker
验证
$ cd /etc/docker/tls
$ docker --tlsverify \
--tlscacert=ca.pem \
--tlscert=client.pem \
--tlskey=client-key.pem \
-H tcp://127.0.0.1:2375 version
# 执行成功则配置正常