一键生成TLS和CA证书 auto-generate-docker-tls-ca.sh:
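#!/usr/bin/env bash
# auto-generate-docker-tls-ca.sh — one-shot generation of a private CA plus a
# server and a client certificate for a TLS-protected Docker daemon.
#
# Files written to the current directory:
#   ca-key.pem / ca-cert.pem          CA private key (AES-256 encrypted) and cert
#   server-key.pem / server-cert.pem  daemon key and cert (SAN = $SERVER)
#   client-key.pem / client-cert.pem  client key and cert (EKU = clientAuth)
#   ca-cert.srl, *.csr                serial counter and CSRs, kept for inspection
#
# Every setting can be overridden from the environment, e.g.
#   SERVER=docker.example.com PASSWORD="$(cat pass.txt)" ./auto-generate-docker-tls-ca.sh
# The literal defaults below are examples only: replace PASSWORD before use,
# a passphrase that lives in a script protects nothing.
#
# Create : 2021-08-25
# Update : 2021-08-25
# @Autor : wuduoqiang
set -euo pipefail

# Hostname or IP address clients will use to reach the daemon. It is placed in
# the server certificate's subjectAltName; clients such as Go's Docker CLI and
# Python >= 3.7 ignore the CN for IP addresses and need the SAN.
SERVER="${SERVER:-172.16.20.126}"
# Passphrase protecting ca-key.pem. Exported so openssl reads it via
# `env:PASSWORD`; `pass:...` on the command line would expose it in `ps`.
export PASSWORD="${PASSWORD:-Super#Geostar,5}"
# Subject fields of the CA certificate.
COUNTRY="${COUNTRY:-CN}"
STATE="${STATE:-湖北省}"
CITY="${CITY:-武汉市}"
ORGANIZATION="${ORGANIZATION:-吉奥时空信息技术股份有限公司}"
ORGANIZATIONAL_UNIT="${ORGANIZATIONAL_UNIT:-吉奥时空信息技术股份有限公司}"
EMAIL="${EMAIL:-wangrui1066@geostar.com.cn}"
# RSA key size and certificate validity. 3650 days (10 years) keeps the
# original behaviour but is long for leaf certificates; lower DAYS if you can
# rotate.
KEY_BITS="${KEY_BITS:-2048}"
DAYS="${DAYS:-3650}"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Refuse to silently replace an existing CA: every certificate it has issued
# would stop validating. Run with FORCE=1 to regenerate on purpose.
if [[ -e ca-key.pem && "${FORCE:-0}" != "1" ]]; then
  die "ca-key.pem already exists; remove it or set FORCE=1 to regenerate the CA"
fi

# Extension files live in a private temp dir removed on exit, so a re-run can
# never append duplicate lines to a stale extfile.cnf in the working directory.
tmpdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT

# SAN entry type for the server: IP: for a dotted quad, DNS: for a hostname.
if [[ "$SERVER" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  server_san="IP:$SERVER"
else
  server_san="DNS:$SERVER"
fi

# --- CA key and self-signed certificate ------------------------------------
openssl genrsa -aes256 -passout env:PASSWORD -out ca-key.pem "$KEY_BITS"
openssl req -utf8 -new -x509 -sha256 -days "$DAYS" \
  -key ca-key.pem -passin env:PASSWORD \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL" \
  -out ca-cert.pem

# --- server key, CSR and certificate ---------------------------------------
openssl genrsa -out server-key.pem "$KEY_BITS"
openssl req -new -sha256 -subj "/CN=$SERVER" -key server-key.pem -out server-req.csr
# serverAuth only, so this certificate cannot double as a client identity.
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$server_san" \
  > "$tmpdir/server-ext.cnf"
# -sha256 is explicit because older openssl x509 defaulted to SHA-1.
openssl x509 -req -sha256 -days "$DAYS" -in server-req.csr \
  -CA ca-cert.pem -CAkey ca-key.pem -passin env:PASSWORD -CAcreateserial \
  -extfile "$tmpdir/server-ext.cnf" -out server-cert.pem

# --- client key, CSR and certificate ---------------------------------------
openssl genrsa -out client-key.pem "$KEY_BITS"
openssl req -new -sha256 -subj '/CN=client' -key client-key.pem -out client-req.csr
# clientAuth only: a client certificate must not be usable to impersonate the daemon.
printf 'extendedKeyUsage=clientAuth\n' > "$tmpdir/client-ext.cnf"
openssl x509 -req -sha256 -days "$DAYS" -in client-req.csr \
  -CA ca-cert.pem -CAkey ca-key.pem -passin env:PASSWORD -CAcreateserial \
  -extfile "$tmpdir/client-ext.cnf" -out client-cert.pem

# --- permissions: private keys owner-read-only, certificates world-readable -
chmod 0400 ca-key.pem server-key.pem client-key.pem
chmod 0444 ca-cert.pem server-cert.pem client-cert.pem

# Intermediate files are kept, as in the original; uncomment to remove them.
# rm -f ca-cert.srl client-req.csr server-req.csr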
vi /etc/docker/daemon.json
{ "hosts":[ "tcp://0.0.0.0:2375", "unix:///var/run/docker.sock" ], "tls": true, "tlsverify": true, "tlscacert": "/root/docker-ca/ca-cert.pem", "tlscert": "/root/docker-ca/server-cert.pem", "tlskey": "/root/docker-ca/server-key.pem" }
重启 dockerd（例如 `systemctl restart docker`）。注意两点：若 systemd 单元的 ExecStart 已经带有 `-H fd://` 之类的 `-H` 参数，daemon.json 里的 `hosts` 会与之冲突、导致 dockerd 启动失败，需先通过 unit drop-in 去掉 ExecStart 中的 `-H`；另外 2375 习惯上是明文端口、2376 才是 TLS 端口，若沿用 2375 且监听 0.0.0.0，务必在对外开放前确认 `tlsverify` 已生效（无客户端证书的连接应被拒绝）。
curl 测试接口
# Mutual-TLS smoke test: curl verifies the daemon's certificate against
# ca-cert.pem (including its name/IP) and authenticates with the client
# certificate the daemon's tlsverify demands.
curl --cacert ./ca-cert.pem --cert ./client-cert.pem --key ./client-key.pem \
  https://172.16.20.126:2375/info
python 测试代码
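import ssl
import sys
import urllib.request

# Files produced by auto-generate-docker-tls-ca.sh and copied to this client.
CA_FILE = "C:\\Users\\Nihaorz\\Desktop\\tls\\ca-cert.pem"
KEY_FILE = "C:\\Users\\Nihaorz\\Desktop\\tls\\client-key.pem"
CERT_FILE = "C:\\Users\\Nihaorz\\Desktop\\tls\\client-cert.pem"
DOCKER_URL = "https://172.16.20.126:2375/info"


def make_client_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Build a client SSLContext pinned to our private CA.

    Server certificates are verified against ``ca_file`` only, hostname/IP
    verification stays ON (so a certificate the same CA issued for some other
    host cannot impersonate the daemon), and the client certificate required
    by the daemon's ``tlsverify`` is presented.

    The server certificate must carry the daemon's address in its
    subjectAltName: Python does not fall back to the CN for IP addresses, so a
    certificate without a SAN fails here with an IP-address mismatch. That is a
    certificate problem to fix at issuance, not a reason to disable
    ``check_hostname``.

    Args:
        ca_file: PEM file holding the CA certificate.
        cert_file: PEM file holding the client certificate.
        key_file: PEM file holding the client private key.

    Returns:
        A configured ``ssl.SSLContext``.

    Raises:
        OSError / ssl.SSLError: if any of the files cannot be loaded.
    """
    # create_default_context selects PROTOCOL_TLS_CLIENT, sets
    # verify_mode=CERT_REQUIRED and check_hostname=True, and with cafile given
    # loads only that file as trust anchor (no system roots).
    context = ssl.create_default_context(cafile=ca_file)
    context.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return context


def main() -> None:
    """Call the daemon's /info endpoint over mutual TLS and print the reply."""
    try:
        context = make_client_context(CA_FILE, CERT_FILE, KEY_FILE)
        request = urllib.request.Request(DOCKER_URL)
        # 'with' closes the response even if decoding fails.
        with urllib.request.urlopen(request, context=context) as res:
            print(res.code)
            print(res.read().decode("utf-8"))
    except Exception as ex:
        # Report on stderr and exit non-zero so a failed handshake is not
        # mistaken for success by whoever runs this as a check.
        print("Found Error in auth phase:%s" % str(ex), file=sys.stderr)
        sys.exit(1)


if __name__ == '__main__':
    main()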
via:https://www.jb51.net/article/220938.htm
via:https://blog.csdn.net/vip97yigang/article/details/84721027