  • docker 配置远程访问证书验证

    centos7

    生成证书

    工具:openssl

    #cd /etc/docker   (docker的证书一般放这)

    #openssl genrsa -aes256 -passout pass:密码  -out ca-key.pem 2048   （注意：用 pass: 在命令行上传口令，口令会留在 shell 历史和 ps 输出里；正式环境建议改用 -passout stdin 或 -passout file:文件 的方式，后面的 -passin 同理）

    会出现:

    Generating RSA private key, 2048 bit long modulus
    .............................................................+++
    ..................................................................................+++
    e is 65537 (0x10001)

    [root@webtest docker]# ls
    ca-key.pem certs.d key.json

    [root@webtest docker]# openssl req -new -x509 -days 365 -key ca-key.pem -passin pass:和上边相同的密码 -sha256 -out ca.pem -subj "/C=NL/ST=./L=./O=./CN=(server的ip)"
    [root@webtest docker]# ls
    ca-key.pem ca.pem certs.d key.json

    [root@webtest docker]# openssl genrsa -out server-key.pem 2048
    Generating RSA private key, 2048 bit long modulus
    .........................................+++
    ...........................................................................+++
    e is 65537 (0x10001)
    [root@webtest docker]# ls
    ca-key.pem ca.pem certs.d key.json server-key.pem

    [root@webtest docker]# openssl req -subj "/CN=192.168.111.120" -new -key server-key.pem -out server.csr
    [root@webtest docker]# ls
    ca-key.pem ca.pem certs.d key.json server.csr server-key.pem

    [root@webtest docker]# openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:qq77aa88" -CAcreateserial -out server-cert.pem
    Signature ok
    subject=/CN=192.168.111.120
    Getting CA Private Key
    [root@webtest docker]# ls
    ca-key.pem ca.pem ca.srl certs.d key.json server-cert.pem server.csr server-key.pem

    [root@webtest docker]# openssl genrsa -out key.pem 2048
    Generating RSA private key, 2048 bit long modulus
    .............................................+++
    .............................................................................................................................................................................+++
    e is 65537 (0x10001)
    [root@webtest docker]# ls
    ca-key.pem ca.pem ca.srl certs.d key.json key.pem server-cert.pem server.csr server-key.pem

    [root@webtest docker]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    [root@webtest docker]# ls
    ca-key.pem ca.pem ca.srl certs.d client.csr key.json key.pem server-cert.pem server.csr server-key.pem

    [root@webtest docker]# sh -c 'echo "extendedKeyUsage=clientAuth" > extfile.cnf'
    [root@webtest docker]# openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:qq77aa88" -CAcreateserial -out cert.pem -extfile extfile.cnf
    Signature ok
    subject=/CN=client
    Getting CA Private Key
    [root@webtest docker]# ls
    ca-key.pem ca.pem ca.srl cert.pem certs.d client.csr extfile.cnf extfile.cnf’ key.json key.pem server-cert.pem server.csr server-key.pem

    [root@webtest docker]# chmod 0400 ca-key.pem key.pem server-key.pem
    [root@webtest docker]# chmod 0444 ca.pem server-cert.pem cert.pem
    [root@webtest docker]# rm client.csr server.csr
    rm:是否删除普通文件 "client.csr"?y
    rm:是否删除普通文件 "server.csr"?y

    设置docker daemon

    # vim /lib/systemd/system/docker.service

    启动参数后边追加

    ExecStart=/usr/bin/dockerd-current
    --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current
    --default-runtime=docker-runc
    --exec-opt native.cgroupdriver=systemd
    --userland-proxy-path=/usr/libexec/docker/docker-proxy-current
    $OPTIONS
    $DOCKER_STORAGE_OPTIONS
    $DOCKER_NETWORK_OPTIONS
    $ADD_REGISTRY
    $BLOCK_REGISTRY
    $INSECURE_REGISTRY
    -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
    --tlsverify
    --tlscacert=/etc/docker/ca.pem
    --tlscert=/etc/docker/server-cert.pem
    --tlskey=/etc/docker/server-key.pem

    # systemctl daemon-reload

    # systemctl restart docker

    测试: 

    [root@localmesos ~]# docker -H 192.168.111.120:2375 info
    Get http://192.168.111.120:2375/v1.24/info: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
    * Are you trying to connect to a TLS-enabled daemon without TLS?

    从server机器上 将ca.pem  cert.pem   key.pem 复制到client机器的/etc/docker目录下

    # docker -H 192.168.111.120:2375 --tls --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem info

    没问题。但要注意：只加 --tls 时客户端只是走 TLS 加密，并不校验服务端证书的身份；要真正校验服务端，需要用下面的 --tlsverify。

    [root@localmesos docker]# docker -H 192.168.111.120:2375 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem info
    An error occurred trying to connect: Get https://192.168.111.120:2375/v1.24/info: x509: cannot validate certificate for 192.168.111.120 because it doesn't contain any IP SANs
    
    原因：上面生成 server.csr 时只写了 -subj "/CN=192.168.111.120"，证书里没有 subjectAltName，而按 IP 地址校验证书时要求证书带有 IP SAN。修正方法：签发 server-cert.pem 时像签客户端证书那样加上 -extfile，文件内容为 `subjectAltName = IP:192.168.111.120`，重新签发后再用 --tlsverify 测试。
