From 487315e991523cd04fb78de15c797df16159c7b7 Mon Sep 17 00:00:00 2001
From: gw0
Date: Thu, 18 Feb 2021 16:30:04 +0100
Subject: [PATCH] Cleanup: Add debugging mode for creating CA certificates
---
 Dockerfile | 3 +++
 create_ca_cert.sh | 24 +++++++++++------------
 2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 85b6b5c..7ad4aac 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,12 +66,15 @@ ENV REGISTRIES="docker.caching.proxy.internal registry-1.docker.io auth.docker.i
 ENV AUTH_REGISTRIES=""
 # Should we verify upstream's certificates? Default to true.
 ENV VERIFY_SSL="true"
+
 # Enable debugging mode; this inserts mitmproxy/mitmweb between the CONNECT proxy and the caching layer
 ENV DEBUG="false"
 # Enable debugging mode; this inserts mitmproxy/mitmweb between the caching layer and DockerHub's registry
 ENV DEBUG_HUB="false"
 # Enable nginx debugging mode; this uses nginx-debug binary and enabled debug logging, which is VERY verbose so separate setting
 ENV DEBUG_NGINX="false"
+# Enable debugging mode for creating CA certificate
+ENV DEBUG_CA_CERT="false"
 # Set Docker Registry cache size, by default, 32 GB ('32g')
 ENV CACHE_MAX_SIZE="32g"
diff --git a/create_ca_cert.sh b/create_ca_cert.sh
index b7c9352..c27099b 100644
--- a/create_ca_cert.sh
+++ b/create_ca_cert.sh
@@ -2,8 +2,6 @@ set -Eeuo pipefail
-declare -i DEBUG=0
-
 logInfo() {
 echo "INFO: $@"
 }
@@ -53,10 +51,10 @@ subjectKeyIdentifier = hash
 EOF
 )
- [[ ${DEBUG} -gt 0 ]] && logInfo "show the CA cert details"
- [[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ${CA_CRT_FILE}
+ [ "${DEBUG_CA_CERT}" = "true" ] && logInfo "show the CA cert details"
+ [ "${DEBUG_CA_CERT}" = "true" ] && openssl x509 -noout -text -in ${CA_CRT_FILE}
- echo 01 > ${CA_SRL_FILE}
+ echo "01" > ${CA_SRL_FILE}
 fi
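Review bot: The comment on the new `ENV DEBUG_CA_CERT` line says less than the neighbouring DEBUG_* comments; it should state what the flag does and which value it accepts, because create_ca_cert.sh compares it against the literal string `true`, e.g. `# Enable debugging mode for creating CA certificates; when set to exactly "true", create_ca_cert.sh prints the generated CA, intermediate and web certificates and CSRs (openssl -text) to the startup log`. Judging by the `openssl x509 -noout -text` and `openssl req -noout -text` commands in the script hunks, what gets printed is certificate and request text only, not key material, which is worth saying so operators know what ends up in the container log. The added blank line after `ENV VERIFY_SSL` looks unrelated to this change.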
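Review bot: Dropping `declare -i DEBUG=0` leaves the replacement variable with no in-script default: the script runs under `set -Eeuo pipefail` (context at the top of this hunk), so every `[ "${DEBUG_CA_CERT}" = "true" ]` test introduced in the later hunks (at -53, -78, -95 and -108) aborts with an unbound-variable error whenever DEBUG_CA_CERT is not exported, for example when create_ca_cert.sh is run outside the image that sets `ENV DEBUG_CA_CERT="false"`. Keeping a default in the script, `: "${DEBUG_CA_CERT:=false}"` in place of the removed declaration, or writing the tests as `"${DEBUG_CA_CERT:-false}"`, restores the previous behaviour of defaulting to off. This is a regression relative to the old `declare`, which guaranteed the variable existed.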
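Review bot: The rewritten `openssl x509 -noout -text -in ${CA_CRT_FILE}` and `echo "01" > ${CA_SRL_FILE}` lines still leave the path expansions unquoted, while the same commit quotes `"${DEBUG_CA_CERT}"` on those very lines; `-in "${CA_CRT_FILE}"` and `> "${CA_SRL_FILE}"` would be consistent and safe should the paths ever contain whitespace. Quoting `"01"` itself changes nothing for echo. The enclosing `if` block starts outside the hunk; only its closing `fi` is visible.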
@@ -78,8 +76,8 @@ subjectKeyIdentifier = hash
 EOF
 )
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there"
-[[ ${DEBUG} -gt 0 ]] && openssl req -in ia.csr -noout -text
+[ "${DEBUG_CA_CERT}" = "true" ] && logInfo "Show the singing request, to make sure extensions are there"
+[ "${DEBUG_CA_CERT}" = "true" ] && openssl req -in ia.csr -noout -text
 logInfo "Sign the IA request with the CA cert and key, producing the IA cert"
 openssl x509 -req -days 730 -in ia.csr -CA ${CA_CRT_FILE} -CAkey ${CA_KEY_FILE} -CAserial ${CA_SRL_FILE} -out ia.crt -passin pass:foobar -extensions IA -extfile <(
@@ -95,8 +93,8 @@ EOF
 ) &> /dev/null
-[[ ${DEBUG} -gt 0 ]] && logInfo "show the IA cert details"
-[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ia.crt
+[ "${DEBUG_CA_CERT}" = "true" ] && logInfo "show the IA cert details"
+[ "${DEBUG_CA_CERT}" = "true" ] && openssl x509 -noout -text -in ia.crt
 logInfo "Initialize the serial number for signed certificates"
 echo 01 > ia.srl
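Review bot: The rewritten logInfo line keeps the typo `singing` in its message; since the line is being rewritten anyway, `logInfo "Show the signing request, to make sure extensions are there"` would fix it here and in the identical line in the hunk at -108. The `[ "${DEBUG_CA_CERT}" = "true" ] && …` prefix is now repeated on ten lines across the file; a small helper such as `debug_ca() { [ "${DEBUG_CA_CERT:-false}" = "true" ]; }` used as `debug_ca && openssl req -in ia.csr -noout -text` would centralise both the comparison and a safe default under `set -u`, but that is a style choice. The `openssl x509 -req … -extfile <(` line at the end of the hunk opens a process substitution that continues outside the hunk.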
@@ -108,14 +106,14 @@ openssl rsa -passin pass:foobar -in web.orig.key -out web.key &> /dev/null
 logInfo "Create the signing request, using extensions"
 openssl req -new -key web.key -sha256 -out web.csr -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_WEB}" -reqexts SAN -config <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}"))
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there"
-[[ ${DEBUG} -gt 0 ]] && openssl req -in web.csr -noout -text
+[ "${DEBUG_CA_CERT}" = "true" ] && logInfo "Show the singing request, to make sure extensions are there"
+[ "${DEBUG_CA_CERT}" = "true" ] && openssl req -in web.csr -noout -text
 logInfo "Sign the request, using the intermediate cert and key"
 openssl x509 -req -days 365 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt -passin pass:foobar -extensions SAN -extfile <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}")) &> /dev/null
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the final cert details"
-[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in web.crt
+[ "${DEBUG_CA_CERT}" = "true" ] && logInfo "Show the final cert details"
+[ "${DEBUG_CA_CERT}" = "true" ] && openssl x509 -noout -text -in web.crt
 logInfo "Concatenating fullchain.pem..."
 cat web.crt ia.crt ${CA_CRT_FILE} > fullchain.pem