diff --git a/Dockerfile b/Dockerfile
index 5e87d92..692bfb9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,11 +7,13 @@ RUN apk update \
 && apk add --update bash openjdk11-jre-headless~11.0 openssl3 py3-jinja2 py3-yaml\
 && rm -rf /var/cache/apk/*
-RUN mkdir -p /opt/certs
+RUN mkdir -p /opt/scripts
-ADD *.sh /opt/certs/
-ADD create_configs.py /opt/certs/
-ADD cert.template /opt/certs/
-WORKDIR /opt/certs
+COPY *.sh /opt/scripts
+COPY create_configs.py /opt/scripts
+COPY cert.template /opt/scripts
-CMD ["/opt/certs/run.sh"]
+WORKDIR /opt/scripts
+ENV CERTDIR=/mnt/certs
+
+CMD ["/opt/scripts/run.sh"]
diff --git a/README.md b/README.md
index 3563c24..e8693a4 100644
--- a/README.md
+++ b/README.md
@@ -83,11 +83,11 @@ Description of the fields:
 | CN_as_SAN | Add CN as SAN in addition (required by many clients/browsers) - true/false (default: true) |
 * Pull the docker image (from docker hub) or build locally with `./build_docker_image.sh`
-* Run the docker image - you need to mount the `hosts.txt` to `/opt/certs/hosts.txt` and a destination directory where the configs and certificates will be placed to `/opt/certs/current` - e.g.:
+* Run the docker image - you need to mount the `hosts.txt` to `/mnt/config/hosts.txt` and a destination directory where the configs and certificates will be placed to `/mnt/certs` - e.g.:
 ```bash
 docker run --rm \
--v $(pwd)/hosts.txt:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
+-v $(pwd)/hosts.txt:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
 schmitzi/openssl-alpine-j11:1.0.0
 ```
 * The following optional parameters can be provided as environment variables using `-e`:
diff --git a/build_docker_image.sh b/build_docker_image.sh
index 2a01bab..43a37d9 100755
--- a/build_docker_image.sh
+++ b/build_docker_image.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
-docker build ./scripts -t schmitzi/openssl-alpine-j11:1.2.0 -f Dockerfile
+docker build ./scripts -t schmitzi/openssl-alpine-j11:1.3.0 -f Dockerfile
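Review bot: `COPY *.sh /opt/scripts` copies several sources, and the Dockerfile reference requires the destination of a multi-source COPY to be a directory ending in `/`; writing `COPY *.sh /opt/scripts/` (and `/opt/scripts/` on the two COPY lines below it for consistency) makes that explicit, after which `RUN mkdir -p /opt/scripts` is redundant because COPY and WORKDIR create missing directories. `ENV CERTDIR=/mnt/certs` is added here, yet the scripts touched in this same commit (check_ca.sh, gen_ca.sh, create_configs.py, run.sh) hardcode `/mnt/certs`, so a runtime override of CERTDIR would redirect only whatever still reads the variable; either drop the ENV or make the scripts read it. The stage also ends without a `USER`, so the container runs as root and the key material it writes into the bind-mounted `/mnt/certs` is root-owned on the host. The apk line above is unchanged context, but it pins nothing beyond the openjdk package, which is worth a follow-up for reproducibility.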
diff --git a/examples/confluent-platform/run_cp.sh b/examples/confluent-platform/run_cp.sh
index 0c0bbeb..c844e7f 100755
--- a/examples/confluent-platform/run_cp.sh
+++ b/examples/confluent-platform/run_cp.sh
@@ -2,6 +2,6 @@ docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0
diff --git a/examples/csr-test/run_test_yaml.sh b/examples/csr-test/run_test_yaml.sh
index cd4a109..68f05e7 100755
--- a/examples/csr-test/run_test_yaml.sh
+++ b/examples/csr-test/run_test_yaml.sh
@@ -2,6 +2,6 @@ docker run --rm \
 -e PREPARE_CSR_ONLY=yes \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0
diff --git a/examples/encrypted-ca-key/run_test.sh b/examples/encrypted-ca-key/run_test.sh
index 58073ec..461a489 100755
--- a/examples/encrypted-ca-key/run_test.sh
+++ b/examples/encrypted-ca-key/run_test.sh
@@ -2,6 +2,6 @@ docker run --rm \
 -e CA_KEYPASSWD=xyz123 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0
diff --git a/examples/test/run_test_json.sh b/examples/test/run_test_json.sh
index 0d74735..752763c 100755
--- a/examples/test/run_test_json.sh
+++ b/examples/test/run_test_json.sh
@@ -2,6 +2,6 @@ docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.json:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.json:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0
diff --git a/examples/test/run_test_yaml.sh b/examples/test/run_test_yaml.sh
index 0c0bbeb..c844e7f 100755
--- a/examples/test/run_test_yaml.sh
+++ b/examples/test/run_test_yaml.sh
@@ -2,6 +2,6 @@ docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0
diff --git a/scripts/check_ca.sh b/scripts/check_ca.sh
index 77cc606..72d0f32 100755
--- a/scripts/check_ca.sh
+++ b/scripts/check_ca.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # Check if the provided CA Key is "encrypted" - using the first line of the ca-root.key file
-first_line=$(head -n 1 /opt/certs/current/ca-root.key)
+first_line=$(head -n 1 /mnt/certs/ca-root.key)
 # Check if the first line contains "ENCRYPTED"
 if [[ "$first_line" == *"ENCRYPTED"* ]]; then
@@ -12,14 +12,14 @@ if [[ "$first_line" == *"ENCRYPTED"* ]]; then
 fi
 # Capture the modulus of the public certificate
-public_modulus=$(openssl x509 -modulus -noout -in /opt/certs/current/ca-root.crt 2>/dev/null | openssl md5)
+public_modulus=$(openssl x509 -modulus -noout -in /mnt/certs/ca-root.crt 2>/dev/null | openssl md5)
 if [[ -z "$CA_KEYPASSWD" ]]; then
 # Capture the modulus of the private key
- private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key 2>/dev/null | openssl md5)
+ private_modulus=$(openssl rsa -modulus -noout -in /mnt/certs/ca-root.key 2>/dev/null | openssl md5)
 else
 # Capture the modulus of the private key (with password)
- private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key -passin pass:$CA_KEYPASSWD 2>/dev/null | openssl md5)
+ private_modulus=$(openssl rsa -modulus -noout -in /mnt/certs/ca-root.key -passin pass:$CA_KEYPASSWD 2>/dev/null | openssl md5)
 fi
 # Compare the two modulis
@@ -28,4 +28,4 @@ if [ "$public_modulus" != "$private_modulus" ]; then
 exit 1
 fi
-cat current/ca-root.crt > current/ca-root.pem
\ No newline at end of file
+cat /mnt/certs/ca-root.crt > /mnt/certs/ca-root.pem
\ No newline at end of file
diff --git a/scripts/create_configs.py b/scripts/create_configs.py
index 68a75c1..1474cd8 100755
--- a/scripts/create_configs.py
+++ b/scripts/create_configs.py
@@ -3,7 +3,7 @@ import yaml
 # Read hosts input and extract global settings
-with open('./hosts.txt') as input_file:
+with open('/mnt/config/hosts.txt') as input_file:
 hosts = yaml.load(input_file, Loader=yaml.FullLoader)
 globals = hosts['global'] if 'global' in hosts else {}
@@ -18,5 +18,5 @@ output_filename = host['fileName']+'.cnf' if 'fileName' in host else host['CN']+'.cnf'
- with open('./current/'+output_filename, "w") as out_file:
+ with open('/mnt/certs/'+output_filename, "w") as out_file:
 out_file.write(outputCertConfig)
diff --git a/scripts/gen_ca.sh b/scripts/gen_ca.sh
index 61e4639..d6389a9 100755
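Review bot: The new private_modulus line in the else branch passes `-passin pass:$CA_KEYPASSWD`, which places the CA key passphrase in openssl's argv where any process sharing the container's PID namespace can read it; `-passin env:CA_KEYPASSWD` reads it from the environment instead, which `docker run -e` already populates. The expansion is also unquoted, so a passphrase containing whitespace or glob characters would be word-split or expanded before reaching openssl. Both branches pipe into `openssl md5` without `pipefail`, so a failed key read yields the digest of an empty string rather than an error; the later `public_modulus != private_modulus` check still rejects it, but a comment saying that this is relied upon would make it intentional.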
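Review bot: `cat /mnt/certs/ca-root.crt > /mnt/certs/ca-root.pem` writes a bundle holding only the certificate, while gen_ca.sh in this same commit writes `ca-root.pem` as certificate followed by private key; a reused CA and a generated CA therefore leave different contents under the same file name for whatever later consumes the bundle. If the reused-CA bundle is meant to omit the key, a comment such as `# For a provided CA, ca-root.pem carries only the certificate; the key stays in ca-root.key` would record that, otherwise the two scripts should produce the same layout. The file also still ends without a trailing newline.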
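Review bot: `with open('/mnt/config/hosts.txt')` and, in the second hunk, `with open('/mnt/certs/'+output_filename, "w")` hardcode directories that the Dockerfile in this commit also exports as `ENV CERTDIR=/mnt/certs`; reading the output directory via `os.environ.get('CERTDIR', '/mnt/certs')` (with `import os` at the top) would keep the script in step with a runtime override. On the unchanged context line, `yaml.load(input_file, Loader=yaml.FullLoader)` parses an operator-supplied file and could be `yaml.safe_load(input_file)`, since the keys read here (`global`, `fileName`, `CN`) appear to need only plain mappings and scalars. The `for` loop enclosing the second hunk starts outside it.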
--- a/scripts/gen_ca.sh
+++ b/scripts/gen_ca.sh
@@ -4,14 +4,14 @@ if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
 # Generate Root CA certificates and concatenate to PEM
- openssl req -new -nodes -x509 -days ${DAYS_CA} -newkey rsa:2048 -keyout current/ca-root.key -out current/ca-root.crt -config current/ca-root.cnf
- cat current/ca-root.crt current/ca-root.key > current/ca-root.pem
+ openssl req -new -nodes -x509 -days ${DAYS_CA} -newkey rsa:2048 -keyout /mnt/certs/ca-root.key -out /mnt/certs/ca-root.crt -config /mnt/certs/ca-root.cnf
+ cat /mnt/certs/ca-root.crt /mnt/certs/ca-root.key > /mnt/certs/ca-root.pem
 # show certificate
 echo
 echo "############################"
 echo "Created CA:"
- openssl x509 -in current/ca-root.crt -text
+ openssl x509 -in /mnt/certs/ca-root.crt -text
 else
 echo "Skipping CA generation as it is not required for CSR creation..."
 fi
\ No newline at end of file
diff --git a/scripts/gen_new_certs.sh b/scripts/gen_new_certs.sh
index e1b7cca..821144d 100755
--- a/scripts/gen_new_certs.sh
+++ b/scripts/gen_new_certs.sh
@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
-CERTDIR="current"
 ROOTCA="ca-root"
 [[ -z "${DAYS}" ]] && echo "No validity for certs (DAYS) provided - using default 389" && DAYS="389"
@@ -48,7 +47,7 @@ done
 if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
 echo "Creating truststore..."
 # Create truststore
- keytool -keystore current/truststore.jks -alias CARoot \
- -import -file current/ca-root.crt \
+ keytool -keystore /mnt/certs/truststore.jks -alias CARoot \
+ -import -file /mnt/certs/ca-root.crt \
 -storepass ${PASSWD} -noprompt -storetype PKCS12
 fi
diff --git a/scripts/run.sh b/scripts/run.sh
index 6dff159..09c940c 100755
--- a/scripts/run.sh
+++ b/scripts/run.sh
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 echo "Checking for mandatory input files..."
-if [ ! -e /opt/certs/hosts.txt ] ; then
- echo "Mandatory file /opt/certs/hosts.txt is missing!"
+if [ ! -e /mnt/config/hosts.txt ] ; then
+ echo "Mandatory file /mnt/config/hosts.txt is missing!"
 exit 1
 fi
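Review bot: `cat /mnt/certs/ca-root.crt /mnt/certs/ca-root.key > /mnt/certs/ca-root.pem` creates the bundle through a shell redirect, so the unencrypted CA key (`-nodes`) lands in a file whose mode comes from the shell's default umask, independent of whatever mode openssl gives `ca-root.key`, and that file sits on the bind-mounted host directory. Narrowing it to the owner, e.g. `(umask 077; cat /mnt/certs/ca-root.crt /mnt/certs/ca-root.key > /mnt/certs/ca-root.pem)`, keeps the bundle from being readable by other host users. The `${DAYS_CA}` expansion on the openssl req line is unquoted and no default for it is visible in the hunk; gen_new_certs.sh in this commit guards DAYS with a default, and a matching guard for DAYS_CA would avoid `-days` being passed without a value unless one already exists outside the hunk.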
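Review bot: `keytool -keystore /mnt/certs/truststore.jks` and `-import -file /mnt/certs/ca-root.crt` hardcode the output directory, while this file's first hunk drops `CERTDIR="current"` so the script now depends on the Dockerfile's `ENV CERTDIR=/mnt/certs` for any remaining `${CERTDIR}` uses (not visible in this hunk); if such uses exist, overriding CERTDIR at runtime would scatter outputs across two directories, so `${CERTDIR}/truststore.jks` and `${CERTDIR}/ca-root.crt` would keep the script self-consistent. The unchanged `-storepass ${PASSWD}` puts the keystore password in keytool's argv; keytool accepts `-storepass:env PASSWD` to take it from the environment instead. The `done` in the hunk header closes a loop that lies entirely outside the hunk.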
@@ -10,10 +10,10 @@ echo "Creating certificate configurations from template..."
 ./create_configs.py
 if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
- if [ -e /opt/certs/current/ca-root.crt ] && [ -e /opt/certs/current/ca-root.key ]; then
+ if [ -e /mnt/certs/ca-root.crt ] && [ -e /mnt/certs/ca-root.key ]; then
 echo "Re-using CA that was provided !"
 ./check_ca.sh
- elif [ -e /opt/certs/current/ca-root.crt ] || [ -e /opt/certs/current/ca-root.key ]; then
+ elif [ -e /mnt/certs/ca-root.crt ] || [ -e /mnt/certs/ca-root.key ]; then
 echo "ERROR: Missing CA Cert or Key file. Please provide both or none."
 exit 1
 else
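Review bot: The reuse branch entered by the new `if [ -e /mnt/certs/ca-root.crt ] && [ -e /mnt/certs/ca-root.key ]` test calls `./check_ca.sh` without checking its exit status, and no `set -e` is visible in this file's first hunk, so the `exit 1` that check_ca.sh raises on a key/certificate modulus mismatch is swallowed and certificate generation continues with the mismatched pair; `./check_ca.sh || exit 1` would stop the run there. The same applies to `./create_configs.py` two lines above, whose failure would leave the later steps without configs. The enclosing `if [[ "$PREPARE_CSR_ONLY" != "yes" ]]` block continues past the hunk's final `else`.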