参考链接
可以直接使用如下脚本生成最终的https证书:
调用方式:./certificate.sh -d my.knowdee.com
参数-d用来指定要生成证书的域名
#!/bin/bash
set -e
source ./attachment/script/log.sh
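# Kept for compatibility; non-flag arguments are rejected by parse_args below.
POSITIONAL=()

#######################################
# Parse the command-line flags into the globals domain, output, help and clean.
# Each flag is handled in a single pass, so a flag-only option followed by
# another flag (e.g. "-h -d x" or "--clean -d x") is no longer dropped, and a
# value-taking flag without a value is reported instead of being ignored.
# Arguments: the script's "$@"
# Globals:   domain, output, help, clean (written)
# Outputs:   an "Error! ..." line on stdout for an unknown flag, a missing
#            value or a stray non-flag argument
# Returns:   0 always; on error help="true" is set so the caller prints usage
#######################################
parse_args() {
  local key
  while [[ $# -gt 0 ]]; do
    key="$1"
    case "$key" in
      -d|--domain|-o|--output)
        # The value must exist and must not itself look like a flag.
        if [[ $# -lt 2 || "$2" == -* ]]; then
          echo "Error! flag ${key} requires a value"
          help="true"
          return 0
        fi
        if [[ "$key" == -d || "$key" == --domain ]]; then
          domain="$2"
        else
          output="$2"
        fi
        shift 2 # past flag and its value
        ;;
      -h|--help)
        help="true"
        shift
        ;;
      --clean)
        clean="true"
        shift
        ;;
      -*)
        echo "Error! invalid flag: ${key}"
        help="true"
        return 0
        ;;
      *)
        # The script takes no positional arguments; treat one as an error
        # just as the original parser did, but with a clearer message.
        echo "Error! unexpected argument: ${key}"
        help="true"
        return 0
        ;;
    esac
  done
}
parse_args "$@"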
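#######################################
# Print the command-line help for this script.
# The text documents the flags this script actually parses (-d/--domain,
# -o/--output, --clean, -h/--help); the previous text described the options
# of a different script (--skip/--input).
# Globals:   reads $0 for the script name
# Outputs:   usage text on stdout
#######################################
usage () {
  echo "USAGE: $0 -d my.knowdee.com [-o ./output] [--clean] [-h]"
  echo " [-d|--domain] "
  echo " 1. The domain name the certificate is issued for (used as CN and SAN)"
  echo " 2. If multiple values, the last one works."
  echo " [-o|--output] "
  echo " 1. The location of the generated CA and server certificates and keys"
  echo " 2. default ./output"
  echo " 3. If multiple values, the last one works."
  echo " [--clean] clean tmp and output directory"
  echo " [-h|--help] Usage message"
}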
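if [[ $help ]]; then
  usage
  exit 0
fi
output=${output:-"./output"}
if [[ $clean ]]; then
  Log INFO "清理输出目录$output/*和临时目录./tmp"
  # ${output:?} aborts instead of expanding to "/*" should output ever be empty.
  rm -rf -- ./tmp "${output:?}"/*
  exit 0
fi
# Every step below needs the domain (CN, SAN and the output file names); fail
# early with a clear message rather than producing files named ".key" with an
# empty CN.
if [[ -z $domain ]]; then
  Log ERROR "missing domain: use -d|--domain to specify it" "$LINENO"
  usage
  exit 2
fi
mkdir -p -- "$output"
Log INFO "1. 生成证书颁发机构证书"
Log INFO " 1.1 生成CA证书私钥"
openssl genrsa -out "$output/ca.key" 4096
# Recent OpenSSL already creates private-key files mode 0600; the explicit
# chmod keeps that guarantee independent of the OpenSSL version and umask.
chmod 600 -- "$output/ca.key"
Log INFO " 1.2 生成CA证书"
Log INFO " 1.2.1. 调整-subj选项中的值以反映您的组织。如果使用FQDN连接Harbor主机,则必须将其指定为通用名称(CN)属性"
Log INFO " 1.2.2. 如果是ip访问, 将 $domain 改成 ip地址"
# NOTE(review): the CA and the server certificate below share an identical
# subject DN (CN=$domain). Verifiers locate issuers by name, so a distinct CA
# name (e.g. CN=knowdee Root CA) makes the chain easier to audit — confirm
# nothing depends on the current CN before changing it.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=knowdee/OU=yw/CN=$domain" \
  -key "$output/ca.key" -out "$output/ca.crt"
Log INFO "2. 生成服务器证书"
Log INFO " 2.1 生成私钥"
openssl genrsa -out "$output/$domain.key" 4096
chmod 600 -- "$output/$domain.key"
Log INFO " 2.2 生成证书签名请求(CSR)"
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=knowdee/OU=yw/CN=$domain" \
  -key "$output/$domain.key" -out "$output/$domain.csr"
Log INFO " 2.3 生成一个x509 v3扩展文件"
# Whether the Harbor host is reached by FQDN or by IP address, this file is
# required so the issued certificate carries a Subject Alternative Name (SAN)
# and the x509 v3 extensions clients expect. Replace the DNS entries to match
# your domain; DNS.2 is a fixed site-specific name — edit it if it does not apply.
cat > "$output/v3.ext" <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$domain
DNS.2=images.knowdee.com
EOF
# For access by IP address use this variant instead:
# cat > v3.ext <<-EOF
# authorityKeyIdentifier=keyid,issuer
# basicConstraints=CA:FALSE
# keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# extendedKeyUsage = serverAuth
# subjectAltName = IP:192.168.31.200
# EOF
Log INFO " 2.4 使用该v3.ext文件为您的Harbor主机生成证书"
# Produces ca.crt, $domain.crt and $domain.key; they must be handed to Harbor
# and to docker, and both reconfigured.
# NOTE(review): 3650 days is a long lifetime for a server certificate; some
# clients reject TLS server certificates valid for more than 825 days even
# when issued by a private CA — shorten it if such clients are in scope.
openssl x509 -req -sha512 -days 3650 -extfile "$output/v3.ext" \
  -CA "$output/ca.crt" -CAkey "$output/ca.key" -CAcreateserial \
  -in "$output/$domain.csr" -out "$output/$domain.crt"
Log INFO " 3.2 转换harbor.od.com.crt为harbor.od.com.cert,供Docker使用"
# The Docker daemon treats .crt files as CA certificates and .cert files as
# client certificates, hence the same PEM under a second extension.
openssl x509 -inform PEM -in "$output/$domain.crt" -out "$output/$domain.cert"
# cp ca.crt $domain.cert $domain.key /etc/docker/certs.d/$domain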
log.sh内容如下:
#!/bin/bash
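#######################################
# Print a colored, timestamped log line.
# Arguments:
#   $1 - level: INFO, WARN or ERROR; any other value echoes all arguments as-is
#   $2 - message text
#   $3 - line number, shown for ERROR only (pass "$LINENO")
# Globals:   reads $0 and FUNCNAME[1] (the calling function) for ERROR lines
# Outputs:   the formatted line on stdout
# Returns:   the status of the final echo
#######################################
Log() {
  local log_level=$1
  local log_info=$2
  local line=$3
  local script_name
  script_name=$(basename -- "$0")
  # One timestamp format for every level; WARN previously used "+%Y+%m+%d".
  # %N (nanoseconds) is a GNU date extension; other implementations may print
  # a literal N.
  local stamp
  stamp=$(date "+%Y-%m-%d %T.%N")
  # echo -e also interprets backslash escapes inside the message, so keep
  # untrusted data out of log_info (terminal escape sequences would be emitted).
  case ${log_level} in
    "INFO")
      echo -e "\033[32m${stamp} [INFO]: ${log_info}\033[0m";;
    "WARN")
      echo -e "\033[33m${stamp} [WARN]: ${log_info}\033[0m";;
    "ERROR")
      echo -e "\033[31m${stamp} [ERROR ${script_name} ${FUNCNAME[1]}:$line]: ${log_info}\033[0m";;
    *)
      echo -e "${@}"
      ;;
  esac
}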