docker使用OpenSSL的自颁发证书创建HTTPS仓库

docker使用OpenSSL的自颁发证书创建HTTPS仓库

作者: 周鹏宇1994 | 来源:发表于2018-10-15 11:34 被阅读141次

    关于docker使用OpenSSL的自签发证书创建TLS仓库

    docker-compose

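    # Install docker-compose 1.22.0 for this OS/arch into /usr/local/bin.
    # -f makes curl fail on an HTTP error instead of saving the error page
    # as the "binary"; -L follows the GitHub release redirect. chmod only
    # runs when the download succeeded.
    # NOTE(review): nothing here verifies the download — compare it with the
    # checksum published alongside the release (<RELEASE_CHECKSUM>) before
    # making it executable.
    sudo curl -fL "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" \
      -o /usr/local/bin/docker-compose \
      && sudo chmod +x /usr/local/bin/docker-compose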
    
    [docker@docker_server ca]$ tree docker.testdomain.com/
    docker.testdomain.com/
    ├── docker-compose.yml
    └── registry
        ├── auth
        │   └── nginx.htpasswd
        ├── config.yml
        └── ssl
            ├── docker.testdomain.com.crt
            └── docker.testdomain.com.key
    
    3 directories, 5 files
    
    

    docker.testdomain.com/ssl 为证书存放目录
    docker.testdomain.com/auth/nginx.htpasswd 为registry的用户名/密码文件
    docker.testdomain.com/config.yml 为registry配置文件

    第一步创建 CA 私钥

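    # Step 1: CA private key (RSA 4096). Generated under a restrictive umask
    # in a subshell so the key file is never readable by other local users,
    # whatever this OpenSSL version's default file mode happens to be; the
    # caller's umask is untouched.
    (umask 077 && openssl genrsa -out "root-ca.key" 4096)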
    

    定义变量

    # Subject fields shared by the CA and site CSRs, plus the registry address.
    COUNTRY='CN'                   # C  - country
    PROVINCE='HLJ'                 # ST - state/province
    CITY='HRB'                     # L  - locality
    ORGANIZE='SELF'                # O  - organisation
    _CN='docker.testdomain.com'    # CN - registry hostname; also the site key/cert file prefix
    IP='192.168.122.105'           # registry host address, added to the site subjectAltName
    

    第二步利用私钥创建 CA 根证书请求文件

    # Step 2: certificate request for the root CA, signed with the key from step 1.
    openssl req -new -sha256 \
      -key "root-ca.key" \
      -subj "/C=${COUNTRY}/ST=${PROVINCE}/L=${CITY}/O=${ORGANIZE}/CN=${_CN}" \
      -out "root-ca.csr"
    

    第三步配置 CA 根证书

    # Step 3: x509v3 extensions for the root certificate ([root_ca] section).
    # CA:TRUE with pathlen:1 allows at most one level of intermediate CA
    # below this root; keyUsage limits the key to signing certs and CRLs.
    printf '%s\n' \
      '[root_ca]' \
      'basicConstraints = critical,CA:TRUE,pathlen:1' \
      'keyUsage = critical, nonRepudiation, cRLSign, keyCertSign' \
      'subjectKeyIdentifier=hash' \
      > root-ca.cnf
    

    第四步签发根证书

    # Step 4: self-sign the root CA certificate (valid 3650 days) with the
    # [root_ca] extensions from root-ca.cnf.
    openssl x509 -req -sha256 -days 3650 \
      -in "root-ca.csr" -signkey "root-ca.key" \
      -extfile "root-ca.cnf" -extensions root_ca \
      -out "root-ca.crt"
    

    第五步生成站点 SSL 私钥.

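    # Step 5: site (server) private key, RSA 4096. Same treatment as the CA
    # key: generate under umask 077 in a subshell so the file is created
    # owner-readable only, independent of OpenSSL's default file mode.
    (umask 077 && openssl genrsa -out "${_CN}.key" 4096)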
    

    第六步使用私钥生成证书请求文件。

    # Step 6: certificate request for the site, signed with the site key.
    openssl req -new -sha256 \
      -key "${_CN}.key" \
      -subj "/C=${COUNTRY}/ST=${PROVINCE}/L=${CITY}/O=${ORGANIZE}/CN=${_CN}" \
      -out "site.csr"
    

    第七步配置证书,新建 site.cnf 文件

    # Step 7: x509v3 extensions for the site certificate ([server] section).
    # CA:FALSE and serverAuth restrict it to TLS server use; subjectAltName
    # carries both the hostname and the IP from the variables above, so only
    # that line is double-quoted for expansion.
    printf '%s\n' \
      '[server]' \
      'authorityKeyIdentifier=keyid,issuer' \
      'basicConstraints = critical,CA:FALSE' \
      'extendedKeyUsage=serverAuth' \
      'keyUsage = critical, digitalSignature, keyEncipherment' \
      "subjectAltName = DNS:${_CN}, IP:${IP}" \
      'subjectKeyIdentifier=hash' \
      > site.cnf
    

    第八步签署站点 SSL 证书。

    # Step 8: issue the site certificate (valid 750 days) from the root CA,
    # applying the [server] extensions (SAN, serverAuth) from site.cnf.
    # -CAcreateserial creates the CA serial file on first use.
    openssl x509 -req -sha256 -days 750 \
      -in "site.csr" \
      -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \
      -extfile "site.cnf" -extensions server \
      -out "${_CN}.crt"
    

    把第八步生成的站点证书和私钥（docker.testdomain.com.crt / docker.testdomain.com.key）复制到 registry/ssl 目录中

    生成registry认证文件,替换username/password

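    # Build the registry's basic-auth file (bcrypt hashes via the htpasswd
    # shipped in the registry image). Replace username/password with real
    # values and run this from the directory that holds auth/ (registry/ in
    # the tree shown above).
    # If htpasswd fails, the redirect has already created an empty
    # auth/nginx.htpasswd; remove it so the registry never loads a
    # truncated credential file.
    # NOTE(review): the password is passed on argv and is therefore visible
    # in `ps` output and shell history; prefer stdin input (htpasswd -i) if
    # the bundled htpasswd supports it.
    if ! docker run --rm \
        --entrypoint htpasswd \
        registry \
        -Bbn username password > auth/nginx.htpasswd; then
      rm -f -- auth/nginx.htpasswd
      printf 'htpasswd generation failed\n' >&2
    fi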
    

    docker.testdomain.com/config.yml

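    # Registry configuration. It lives under ${_CN}/registry/ (see the tree
    # above and the ./registry:/etc/docker/registry bind mount in
    # docker-compose.yml), because the registry image reads
    # /etc/docker/registry/config.yml — the original ${_CN}/config.yml path
    # would never have been mounted. The redirect target is quoted and the
    # delimiter is quoted ('EOF') so the YAML is written literally.
    # health.storagedriver.threshold belongs under storagedriver; the
    # original placed it at top level where it was not read.
    cat > "${_CN}/registry/config.yml" << 'EOF'
    version: 0.1
    log:
      accesslog:
        disabled: true
      level: debug
      formatter: text
      fields:
        service: registry
        environment: staging
    storage:
      delete:
        enabled: true
      cache:
        blobdescriptor: inmemory
      filesystem:
        rootdirectory: /var/lib/registry
    auth:
      htpasswd:
        realm: basic-realm
        path: /etc/docker/registry/auth/nginx.htpasswd
    http:
      addr: :443
      host: https://docker.testdomain.com
      headers:
        X-Content-Type-Options: [nosniff]
      http2:
        disabled: false
      tls:
        certificate: /etc/docker/registry/ssl/docker.testdomain.com.crt
        key: /etc/docker/registry/ssl/docker.testdomain.com.key
    health:
      storagedriver:
        enabled: true
        interval: 10s
        threshold: 3
    EOF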
    

    docker-compose.yml配置

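    # Compose file for the registry. ./registry (config.yml, auth/, ssl/) is
    # bound to /etc/docker/registry where the image expects its config, and
    # image data is a bind mount of /var/lib/registry. The unused top-level
    # "registry-data" named volume from the original is dropped: no service
    # referenced it, so it only created a stray volume on `up`.
    # Redirect target and delimiter are quoted so the YAML is written literally.
    cat > "${_CN}/docker-compose.yml" << 'EOF'
    version: '3'

    services:
      registry:
        container_name: registry
        # NOTE(review): an unpinned tag means every `pull` may change the
        # registry version; pin a specific tag or digest before relying on it.
        image: registry
        ports:
          - "443:443"
        volumes:
          - ./registry:/etc/docker/registry
          - /var/lib/registry:/var/lib/registry
    EOF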
    

    修改 hosts

    127.0.0.1 docker.testdomain.com

    启动registry

    docker-compose up -d

    Creating registry ... done
    

    登陆

    [docker@docker_server docker.testdomain.com]$ docker login docker.testdomain.com
    Username: username
    Password: 
    WARNING! Your password will be stored unencrypted in /home/docker/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    

    build一个镜像

    [docker@docker_server myubuntu]$ cat Dockerfile 
    FROM ubuntu:16.04
    RUN apt-get update \
      &&apt-get -y install net-tools \
      &&apt-get -y install iputils-ping
    [docker@docker_server myubuntu]$
    
    
    [docker@docker_server myubuntu]$docker build -t docker.testdomain.com -f Dockerfile .
    Sending build context to Docker daemon  2.048kB
    Step 1/2 : FROM ubuntu:16.04
     ---> b9e15a5d1e1a
    Step 2/2 : RUN apt-get update   &&apt-get -y install net-tools   &&apt-get -y install iputils-ping
    ...
    Successfully built 38876fa3f3fe
    Successfully tagged docker.testdomain.com/username/ubuntu:net-tools
    [docker@docker_server myubuntu]$
    
    

    push测试成功

    [docker@docker_server myubuntu]$ docker push docker.testdomain.com/username/ubuntu:net-tools
    The push refers to repository [docker.testdomain.com/username/ubuntu]
    fa0810c2ddcd: Pushed 
    75b79e19929c: Layer already exists 
    4775b2f378bb: Layer already exists 
    883eafdbe580: Layer already exists 
    19d043c86cbc: Layer already exists 
    8823818c4748: Layer already exists 
    net-tools: digest: sha256:0fa8d7d38435ae43a1dacd72c4881a97bed76fa9ed7c62466a4e7e9a60c79c24 size: 1569
    [docker@docker_server myubuntu]$
    
    

    TIPS

    测试在非本机login的时候会报错

    [docker@docker_server-2 ~]$ docker login docker.testdomain.com
    Username: username
    Password: 
    Error response from daemon: Get https://docker.testdomain.com/v2/: x509: certificate signed by unknown authority
    [docker@docker_server-2 ~]$
    

    服务端报错

    2018/10/15 04:21:04 http: TLS handshake error from 192.168.122.106:44626: remote error: tls: bad certificate
    

    最后查阅了别人的文章后发现openssl自签发的证书需要拷贝到客户端安装

    把证书复制到客户端
    放到下面的路径中

    [root@docker_server-2 docker.testdomain.com]# pwd 
    /etc/docker/certs.d/docker.testdomain.com
    [root@docker_server-2 docker.testdomain.com]# ls 
    docker.testdomain.com.crt
    [root@docker_server-2 docker.testdomain.com]# 
    

    再次登录成功

    [docker@docker_server-2 ~]$ docker login docker.testdomain.com
    Username: username
    Password: 
    WARNING! Your password will be stored unencrypted in /home/docker/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    [docker@docker_server-2 ~]$
    [docker@docker_server-2 ~]$ docker pull docker.testdomain.com/username/ubuntu:net-tools
    net-tools: Pulling from username/ubuntu
    3b37166ec614: Already exists 
    504facff238f: Already exists 
    ebbcacd28e10: Already exists 
    c7fb3351ecad: Already exists 
    2e3debadcbf7: Already exists 
    f576a46c0046: Pull complete 
    Digest: sha256:0fa8d7d38435ae43a1dacd72c4881a97bed76fa9ed7c62466a4e7e9a60c79c24
    Status: Downloaded newer image for docker.testdomain.com/username/ubuntu:net-tools
    [docker@docker_server-2 ~]$ 
    
    
    
    [root@docker_server-2 ~]# curl -k https://username:password@docker.testdomain.com/v2/_catalog
    {"repositories":["nginx","ubuntu","username/nginx","username/ubuntu"]}
    
    
    
