반응형

ca-key.pem -> ca.pem

server-key.pem -> server.csr -> server.csr + (ca-key.pem + ca.pem) -> server.cert

client-key.pem -> client.csr -> client.csr + (ca-key.pem + ca.pem) -> client.cert



[ CA 생성 ]


1. ca-key.pem => ca.pem    (ca.crt: client ca 파일)

$ sudo mkdir -p /etc/docker

$ cd /etc/docker

$ echo 01 | sudo tee ca.srl


$ sudo openssl genrsa -des3 -out ca-key.pem

Enter pass phrase for ca-key.pem:

Verifying - Enter pass phrase for ca-key.pem:


$ sudo openssl req -new -days 365 -key ca-key.pem -out ca.pem

Enter pass phrase for ca-key.pem:

...

Common Name (e.g. server FQDN or Your name) []: *         (ex : www.ahnseungkyu.com)



[ Server Cert 생성 ]


1. server-key.pem => server.csr    (Common Name : e.g. server FQDN 이 중요)

$ sudo openssl genrsa -des3 -out server-key.pem

Enter pass phrase for server-key.pem:

Verifying - Enter pass phrase for server-key.pem:


$ sudo openssl req -new -key server-key.pem -out server.csr

Enter pass phrase for server-key.pem:

...

Common Name (e.g. server FQDN or Your name) []: *         (ex : www.ahnseungkyu.com)


2. ca-key.pem + ca.pem + server.csr => server-cert.pem (server.cert: 서버 cert 파일)

$ sudo openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem

Enter pass phrase for ca-key.pem:


3. server-key.pem 의 phrase 를 삭제 (server.key: 서버 private key 파일)

$ sudo openssl rsa -in server-key.pem -out server-key.pem

Enter pass phrase for server-key.pem:

writing RSA key


4. 퍼미션 수정

$ sudo chmod 600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/ca-key.pem /etc/docker/ca.pem




[ Docker 데몬 설정 ]


Ubuntu, Debian : /etc/default/docker

RHEL, Fedora    : /etc/sysconfig/docker

systemd 버전     : /usr/lib/systemd/system/docker.service




[ systemd Docker Server 실행 ]


ExecStart=/usr/bin/docker -d -H tcp://0.0.0.0.2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem


[ Docker 데몬 reload 및 재시작 필요 ]

$ sudo systemctl --system daemon-reload




[ Client Cert 생성 ]


1. client-key.pem => client.csr

$ sudo openssl genrsa -des3 -out client-key.pem

Enter pass phrase for client-key.pem:

Verifying - Enter pass phrase for client-key.pem:


sudo openssl req -new -key client-key.pem -out client.csr

Enter pass phrase for client-key.pem:

...

Common Name (e.g. server FQDN or Your name) []:



2. Client 인증 속성 추가

$ echo extendedKeyUsage = clientAuth > extfile.cnf



3. ca-key.pem + ca.pem + client.csr => client-cert.pem

$ sudo openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnf

Enter pass phrase for ca-key.pem:



4. client-key 의 phrase 를 삭제

$ sudo openssl rsa -in client-key.pem -out client-key.pem

Enter pass phrase for client-key.pem:

writing RSA key




[ Docker 클라이언트에 ssl 설정 ]


$ mkdir -p ~/.docker

$ cp ca.pem ~/.docker/ca.pem

$ ca client-key.pem ~/.docker/key.pem

$ ca client-cert.pem ~/.docker/cert.pem

$ chmod 600 ~/.docker/key.pem ~/.docker/cert.pem


# docker 연결 테스트

$ sudo docker -H=docker.example.com:2376 --tlsverify info



# server

# sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem \

--tlskey=server-key.pem -H=0.0.0.0:4243


# client -- note that this uses --tls instead of --tlsverify, which I had trouble with 

# docker --tls --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \

-H=dns-name-of-docker-host:4243









반응형
Posted by seungkyua@gmail.com
,