Cleanup: Add debugging mode for creating CA certificates

pull/79/head
gw0 2021-02-18 16:30:04 +01:00
parent b115f70711
commit 487315e991
2 changed files with 14 additions and 13 deletions


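--- a/UNKNOWN_DOCKERFILE_PATH
+++ b/UNKNOWN_DOCKERFILE_PATH
@@ -66,12 +66,15 @@ ENV REGISTRIES="docker.caching.proxy.internal registry-1.docker.io auth.docker.i
 ENV AUTH_REGISTRIES=""
 # Should we verify upstream's certificates? Default to true.
 ENV VERIFY_SSL="true"
 # Enable debugging mode; this inserts mitmproxy/mitmweb between the CONNECT proxy and the caching layer
 ENV DEBUG="false"
 # Enable debugging mode; this inserts mitmproxy/mitmweb between the caching layer and DockerHub's registry
 ENV DEBUG_HUB="false"
 # Enable nginx debugging mode; this uses nginx-debug binary and enabled debug logging, which is VERY verbose so separate setting
 ENV DEBUG_NGINX="false"
+# Enable debugging mode for creating CA certificate
+ENV DEBUG_CA_CERT="false"
 # Set Docker Registry cache size, by default, 32 GB ('32g')
 ENV CACHE_MAX_SIZE="32g"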
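Review bot: The comment above the new `ENV DEBUG_CA_CERT="false"` line says only that it enables a debugging mode, which does not tell an operator what the flag actually emits or what value it expects. The script changed in the same commit compares the variable against the literal string "true" and, when it matches, prints the generated CA, intermediate and web certificates and CSRs with `openssl ... -noout -text` to stdout. Suggest `# Enable debugging mode for creating CA certificate: when "true", the cert-generation script prints each generated certificate/CSR (openssl -text) to stdout` so the expected value and the effect are both stated next to the other DEBUG_* settings.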


@ -2,8 +2,6 @@
set -Eeuo pipefail set -Eeuo pipefail
declare -i DEBUG=0
logInfo() { logInfo() {
echo "INFO: $@" echo "INFO: $@"
} }
@ -53,10 +51,10 @@ subjectKeyIdentifier = hash
EOF EOF
) )
[[ ${DEBUG} -gt 0 ]] && logInfo "show the CA cert details" [ "${DEBUG_CA_CERT}" = "true" ] && logInfo "show the CA cert details"
[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ${CA_CRT_FILE} [ "${DEBUG_CA_CERT}" = "true" ] && openssl x509 -noout -text -in ${CA_CRT_FILE}
echo 01 > ${CA_SRL_FILE} echo "01" > ${CA_SRL_FILE}
fi fi
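Review bot: The new `[ "${DEBUG_CA_CERT}" = "true" ]` tests in this hunk read the variable with no default while the file runs under `set -Eeuo pipefail` (first hunk), so any invocation where DEBUG_CA_CERT is not exported — presumably anything outside the image whose Dockerfile ENV supplies it — now aborts with an unbound-variable error instead of simply skipping the debug output; the `declare -i DEBUG=0` removed in the first hunk used to give the old flag exactly that default. Restore the default once where the declare was removed, `DEBUG_CA_CERT="${DEBUG_CA_CERT:-false}"`, or write each test as `[ "${DEBUG_CA_CERT:-false}" = "true" ]`. The same applies to the identical tests in the three following hunks of this file. The `if` block closed by the `fi` on the last line of this hunk begins outside it.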
@ -78,8 +76,8 @@ subjectKeyIdentifier = hash
EOF EOF
) )
[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there" [ "${DEBUG_CA_CERT}" = "true" ] && logInfo "Show the singing request, to make sure extensions are there"
[[ ${DEBUG} -gt 0 ]] && openssl req -in ia.csr -noout -text [ "${DEBUG_CA_CERT}" = "true" ] && openssl req -in ia.csr -noout -text
logInfo "Sign the IA request with the CA cert and key, producing the IA cert" logInfo "Sign the IA request with the CA cert and key, producing the IA cert"
openssl x509 -req -days 730 -in ia.csr -CA ${CA_CRT_FILE} -CAkey ${CA_KEY_FILE} -CAserial ${CA_SRL_FILE} -out ia.crt -passin pass:foobar -extensions IA -extfile <( openssl x509 -req -days 730 -in ia.csr -CA ${CA_CRT_FILE} -CAkey ${CA_KEY_FILE} -CAserial ${CA_SRL_FILE} -out ia.crt -passin pass:foobar -extensions IA -extfile <(
@ -95,8 +93,8 @@ EOF
) &> /dev/null ) &> /dev/null
[[ ${DEBUG} -gt 0 ]] && logInfo "show the IA cert details" [ "${DEBUG_CA_CERT}" = "true" ] && logInfo "show the IA cert details"
[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ia.crt [ "${DEBUG_CA_CERT}" = "true" ] && openssl x509 -noout -text -in ia.crt
logInfo "Initialize the serial number for signed certificates" logInfo "Initialize the serial number for signed certificates"
echo 01 > ia.srl echo 01 > ia.srl
@ -108,14 +106,14 @@ openssl rsa -passin pass:foobar -in web.orig.key -out web.key &> /dev/null
logInfo "Create the signing request, using extensions" logInfo "Create the signing request, using extensions"
openssl req -new -key web.key -sha256 -out web.csr -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_WEB}" -reqexts SAN -config <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}")) openssl req -new -key web.key -sha256 -out web.csr -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_WEB}" -reqexts SAN -config <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}"))
[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there" [ "${DEBUG_CA_CERT}" = "true" ] && logInfo "Show the singing request, to make sure extensions are there"
[[ ${DEBUG} -gt 0 ]] && openssl req -in web.csr -noout -text [ "${DEBUG_CA_CERT}" = "true" ] && openssl req -in web.csr -noout -text
logInfo "Sign the request, using the intermediate cert and key" logInfo "Sign the request, using the intermediate cert and key"
openssl x509 -req -days 365 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt -passin pass:foobar -extensions SAN -extfile <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}")) &> /dev/null openssl x509 -req -days 365 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt -passin pass:foobar -extensions SAN -extfile <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}")) &> /dev/null
[[ ${DEBUG} -gt 0 ]] && logInfo "Show the final cert details" [ "${DEBUG_CA_CERT}" = "true" ] && logInfo "Show the final cert details"
[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in web.crt [ "${DEBUG_CA_CERT}" = "true" ] && openssl x509 -noout -text -in web.crt
logInfo "Concatenating fullchain.pem..." logInfo "Concatenating fullchain.pem..."
cat web.crt ia.crt ${CA_CRT_FILE} > fullchain.pem cat web.crt ia.crt ${CA_CRT_FILE} > fullchain.pem