docker 2375 端口开启 TLS 和 CA 认证

一键生成TLS和CA证书 auto-generate-docker-tls-ca.sh:

# !/bin/bash

# 一键生成TLS和CA证书

# Create : 2021-08-25
# Update : 2021-08-25
# @Autor : wuduoqiang

# 服务器主机名
SERVER="172.16.20.126"
# 密码
PASSWORD="Super#Geostar,5"
# 国家
COUNTRY="CN"
# 省份
STATE="湖北省"
# 城市
CITY="武汉市"
# 机构名称
ORGANIZATION="吉奥时空信息技术股份有限公司"
# 机构单位
ORGANIZATIONAL_UNIT="吉奥时空信息技术股份有限公司"
# 邮箱
EMAIL="wangrui1066@geostar.com.cn"

# 生成CA密钥
openssl genrsa -aes256 -passout pass:$PASSWORD  -out ca-key.pem 2048

# 生成CA证书
openssl req -utf8 -new -x509 -passin "pass:$PASSWORD" -days 3650 -key ca-key.pem -sha256 -out ca-cert.pem -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL"

# 生成服务端密钥
openssl genrsa -out server-key.pem 2048

# 生成服务端证书签名的请求文件
openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server-req.csr

# 生成服务端证书
openssl x509 -req -days 3650 -in server-req.csr -CA ca-cert.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem

# 生成客户端密钥
openssl genrsa -out client-key.pem 2048

# 生成客户端证书签名的请求文件
openssl req -subj '/CN=client' -new -key client-key.pem -out client-req.csr

# 生成客户端证书
sh -c 'echo "extendedKeyUsage=clientAuth" >> extfile.cnf'
openssl x509 -req -days 3650 -in client-req.csr -CA ca-cert.pem -CAkey ca-key.pem  -passin "pass:$PASSWORD" -CAcreateserial -out client-cert.pem -extfile extfile.cnf

# 更改密钥权限
chmod 0400 ca-key.pem server-key.pem client-key.pem
# 更改证书权限
chmod 0444 ca-cert.pem server-cert.pem client-cert.pem
# 删除无用文件
# rm ca-cert.srl client-req.csr server-req.csr extfile.cnf

 

vi /etc/docker/daemon.json

{
    "hosts":[
        "tcp://0.0.0.0:2375",
        "unix:///var/run/docker.sock"
    ],
    "tls": true,
    "tlsverify": true,
    "tlscacert": "/root/docker-ca/ca-cert.pem",
    "tlscert": "/root/docker-ca/server-cert.pem",
    "tlskey": "/root/docker-ca/server-key.pem"
}

 

重启dockerd

 

curl 测试接口

curl https://172.16.20.126:2375/info --cert ./client-cert.pem --key ./client-key.pem --cacert ./ca-cert.pem

 

python 测试代码

import urllib.request

import ssl

if __name__ == '__main__':
    CA_FILE = "C:\\Users\\Nihaorz\\Desktop\\tls\\ca-cert.pem"
    KEY_FILE = "C:\\Users\\Nihaorz\\Desktop\\tls\\client-key.pem"
    CERT_FILE = "C:\\Users\\Nihaorz\\Desktop\\tls\\client-cert.pem"

    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
    context.check_hostname = False
    context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
    context.load_verify_locations(CA_FILE)
    context.verify_mode = ssl.CERT_REQUIRED
    try:
        # 通过request()方法创建一个请求:
        request = urllib.request.Request('https://172.16.20.126:2375/info')
        res = urllib.request.urlopen(request, context=context)
        print(res.code)
        print(res.read().decode("utf-8"))
    except Exception as ex:
        print("Found Error in auth phase:%s" % str(ex))

 

 

via:https://www.jb51.net/article/220938.htm

via:https://blog.csdn.net/vip97yigang/article/details/84721027

 

posted @ 2022-08-19 15:59  Nihaorz  阅读(591)  评论(0)    收藏  举报