docker-ssl-cert-for_nginx
Create a local certificate - This could be for any site or docker registry
CREATION OF CERTIFICATE
1. Create root.cnf
In the code below, replace organizationName and commonName as needed.
# OpenSSL configuration for Root CA
[ req ]
prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
# Note that the following are in 'reverse order' to what you'd expect to see.
countryName = sg
organizationName = Knowesis
commonName = Local Root CA
[ x509_ext ]
basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
2. Run the following to create root.key and root.cer. Pass -days explicitly: the default lifetime for req -x509 is only 30 days.
openssl req -x509 -new -days 3650 -keyout root.key -out root.cer -config root.cnf
The command prompts for a PEM pass phrase for root.key; remember it, it is required again in step 4. root.cer is what clients will be told to trust; root.key should never leave this machine.
3. Create server.cnf file
# OpenSSL configuration for end-entity cert
[ req ]
prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
# Note that the following are in 'reverse order' to what you'd expect to see.
countryName = sg
organizationName = Knowesis
commonName = mysite.test
[ x509_ext ]
# keyEncipherment (not keyAgreement) is the usage an RSA TLS server key needs; serverAuth marks it as a TLS server certificate
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
# Multiple Alternate Names are possible
[alt_names]
DNS.1 = siftapp.localhost
DNS.2 = siftapp.test
DNS.3 = release.localhost
DNS.4 = sift.registry
First, set organizationName to the same value used in root.cnf, and set commonName to the server hostname (a name you resolve locally via /etc/hosts).
Second, update the DNS.x entries with every name clients will use to reach the server. This matters because modern clients match the hostname against subjectAltName, not commonName, so the name you connect with (e.g. docker login sift.registry) must appear here.
4. Generate the server key, signing request and certificate
First create the server key and a certificate signing request from server.cnf. -nodes leaves the key unencrypted, which is what you want for nginx: it cannot answer a pass phrase prompt at startup.
openssl req -new -nodes -keyout server.key -out server.csr -config server.cnf
Then sign the request with the root CA. The SANs and key usage are taken from server.cnf via -extfile/-extensions, not from the CSR, so both options are required:
openssl x509 -days 3650 -req -in server.csr -CA root.cer -CAkey root.key -set_serial 123 -out server.cer -extfile server.cnf -extensions x509_ext
When prompted for a password, enter the root key pass phrase set in step 2. The fixed -set_serial 123 is fine for a one-off; if you later re-issue a certificate under the same root, use a different serial (or -CAcreateserial), because browsers reject a second certificate with the same issuer and serial.
This completes certificate creation: server.cer and server.key go to nginx (or any other server), and root.cer is the file clients must trust.
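The four steps above as one non-interactive script, added here as an example; it is not code from the original page. It keeps the page's config layout but takes the root pass phrase from the ROOT_CA_PASS environment variable (so openssl never prompts), creates the server key without a pass phrase (nginx cannot prompt at startup), lets openssl keep a serial counter instead of a fixed serial, and ends with the check a practitioner wants: the certificate chains to root.cer and the hostname you will type into docker login is in the SANs. The output directory, organisation, hostnames, the 825-day leaf lifetime and the OpenSSL 1.1.1+ CLI are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): local root CA + server certificate
# for a docker registry, fully non-interactive. Assumptions: OpenSSL 1.1.1+ CLI,
# root pass phrase in $ROOT_CA_PASS, hostnames passed as arguments, output in DIR.
set -eu

# write_root_cnf DIR ORG: same layout as root.cnf on the page
write_root_cnf() {
  cat > "$1/root.cnf" <<EOF
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
countryName = SG
organizationName = $2
commonName = Local Root CA
[ x509_ext ]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# write_server_cnf DIR ORG CN HOST...: every HOST becomes a DNS SAN entry
write_server_cnf() {
  dir=$1; org=$2; cn=$3; shift 3
  {
    cat <<EOF
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = SG
organizationName = $org
commonName = $cn
[ x509_ext ]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
EOF
    i=1
    for h in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$h"
      i=$((i + 1))
    done
  } > "$dir/server.cnf"
}

# make_certs DIR ORG CN HOST...: produces root.key (encrypted with $ROOT_CA_PASS),
# root.cer, server.key (no pass phrase), server.csr and server.cer in DIR
make_certs() {
  dir=$1; org=$2; cn=$3; shift 3
  write_root_cnf "$dir" "$org"
  write_server_cnf "$dir" "$org" "$cn" "$@"
  # root CA: -days is needed, the req -x509 default is only 30 days
  openssl req -x509 -new -days 3650 -config "$dir/root.cnf" \
    -keyout "$dir/root.key" -passout env:ROOT_CA_PASS -out "$dir/root.cer"
  # server key + CSR; -nodes leaves the key unencrypted so nginx starts unattended
  openssl req -new -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr"
  # sign with the root; SANs and key usage come from server.cnf, not from the CSR.
  # -CAcreateserial keeps a counter in root.srl so a re-issue never repeats a serial
  # (browsers reject a reused issuer+serial); 825 days is the longest leaf lifetime
  # Apple clients accept.
  openssl x509 -req -days 825 -in "$dir/server.csr" -CA "$dir/root.cer" \
    -CAkey "$dir/root.key" -passin env:ROOT_CA_PASS -CAcreateserial \
    -extfile "$dir/server.cnf" -extensions x509_ext -out "$dir/server.cer"
}

# check_cert DIR HOST: succeeds if server.cer chains to root.cer and HOST is a DNS SAN
check_cert() {
  openssl verify -CAfile "$1/root.cer" "$1/server.cer" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/server.cer" -noout -text | grep -q "DNS:$2" || return 1
}

# usage: ROOT_CA_PASS=secret ./mkcerts.sh ./certs Knowesis sift.registry sift.registry siftapp.localhost
if [ "$#" -ge 4 ]; then
  mkdir -p "$1"
  make_certs "$@"
  check_cert "$1" "$4" && echo "ok: $4 is in the SAN list and chains to $1/root.cer"
fi
```

Run it once per root; to issue another server certificate later, call make_certs again in the same directory only if you are happy to overwrite the root, otherwise reuse root.cer/root.key with the last two openssl commands. The negative check (a hostname not in the SAN list) is the failure mode that shows up in practice as "certificate is not valid for" errors after someone adds a new alias to /etc/hosts but forgets server.cnf.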
5. Update the /etc/hosts file to add the DNS entries specified in server.cnf file.
127.0.0.1 siftapp.localhost
127.0.0.1 siftapp.test
127.0.0.1 release.localhost
127.0.0.1 sift.registry
Also update the docker compose file so the nginx container resolves the same names; extra_hosts adds them to the container's /etc/hosts. The certificate, key and password file referenced in the nginx config below must also be reachable inside the container (for example through a volumes: entry, not shown here).
services:
  nginx:
    image: nginx:1.14.2
    container_name: 'nginx'
    extra_hosts:
      - "siftapp.localhost:127.0.0.1"
      - "siftapp.test:127.0.0.1"
      - "release.localhost:127.0.0.1"
      - "sift.registry:127.0.0.1"
SETTING UP NGINX
Create a .conf file inside the nginx sites folder, or add the following to nginx.conf:
server {
    # listen 80;
    listen 443 ssl;   # "ssl on;" is deprecated; the ssl parameter on listen works on all versions

    # Must match the DNS names in the certificate's subjectAltName (an IP here would never match the cert)
    server_name sift.registry siftapp.localhost siftapp.test release.localhost;

    # SSL: server.cer / server.key from step 4, renamed; the path must exist inside the container
    ssl_certificate /home/siftuser/sift/nginx/certs/registry.crt;
    ssl_certificate_key /home/siftuser/sift/nginx/certs/registry.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Image layers are large; the nginx default (1m) makes docker push fail with 413
    client_max_body_size 0;

    location /v2/ {
        # Do not allow connections from docker 1.5 and earlier
        # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }

        # Basic authentication for the v2 API; the realm string is what docker shows at login
        auth_basic "registry.localhost";
        auth_basic_user_file /etc/nginx/conf.d/registry.password;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass http://registry:5000;
        proxy_set_header Host $http_host;                 # required for docker client's sake
        proxy_set_header X-Real-IP $remote_addr;          # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
}
TEST
Before logging in, make the docker daemon trust the root CA by copying root.cer to /etc/docker/certs.d/sift.registry/ca.crt (the directory name must match the registry host you log in to); without it the login fails with "x509: certificate signed by unknown authority".
docker login sift.registry
To check the TLS side independently of docker, curl --cacert root.cer https://sift.registry/v2/ should return a 401 from the auth_basic block, not a certificate error.
Ref:
https://justmarkup.com/articles/2018-05-31-https-valid-certificate-local-domain/