generate self-signed certificate

This commit is contained in:
Wenkai Yin 2016-11-16 18:49:09 +08:00
parent 6d901e2335
commit ce56ff2fae
3 changed files with 99 additions and 17 deletions


@ -85,6 +85,6 @@ crt_email = example@example.com
#The path of cert and key files for nginx, they are applied only the protocol is set to https #The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/server.crt ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/server.key ssl_cert_key = /data/cert/server.key
############# #############


@ -19,8 +19,20 @@ attrs=(
self_registration self_registration
) )
cert=/data/cert/server.crt
key=/data/cert/server.key
csr=/data/cert/server.csr
ca_cert=/data/cert/ca.crt
ca_key=/data/cert/ca.key
ext=/data/cert/extfile.cnf
hostname=""
base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )" base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
isFQDN=true
flag=$base_dir/cert_gen_type
#The location of harbor.cfg #The location of harbor.cfg
cfg=$base_dir/harbor/harbor.cfg cfg=$base_dir/harbor/harbor.cfg
@ -35,10 +47,82 @@ function format {
echo $tail >> $file echo $tail >> $file
} }
function genCert {
if [ ! -e $ca_cert ] || [ ! -e $ca_key ]
then
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $ca_key \
-x509 -days 365 -out $ca_cert -subj \
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=CA/CN=CA"
fi
openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
-out $csr -subj \
"/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
if [ "$isFQDN" = false ]
then
echo "Add subjectAltName = IP: $hostname to certificate"
echo subjectAltName = IP:$hostname > $ext
#openssl x509 -req -days 365 -in $csr -signkey $key -extfile $ext -out $cert
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
else
#openssl x509 -req -days 365 -in $csr -signkey $key -out $cert
openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -out $cert
fi
echo "self-signed" > $flag
}
function secure {
echo "Read attribute using ovfenv: [ ssl_cert ]"
ssl_cert=$(ovfenv -k ssl_cert)
echo "Read attribute using ovfenv: [ ssl_cert_key ]"
ssl_cert_key=$(ovfenv -k ssl_cert_key)
if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
then
echo "ssl_cert and ssl_cert_key are both set, using customized certificate"
echo $ssl_cert > $cert
format $cert
echo $ssl_cert_key > $key
format $key
echo "customized" > $flag
return
fi
if [ ! -e $cert ] || [ ! -e $key ]
then
echo "Certificate or key file does not exist, will generate a self-signed certificate"
genCert
return
fi
if [ ! -e $flag ]
then
echo "The file which records the way generating certificate does not exist, will generate a new self-signed certificate"
genCert
return
fi
if [ ! $(cat $flag) = "self-signed" ]
then
echo "The way generating certificate changed, will generate a new self-signed certificate"
genCert
return
fi
cn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p') || true
if [ "$hostname" != "$cn" ]
then
echo "Common name changed: $cn -> $hostname , will generate a new self-signed certificate"
genCert
return
fi
echo "Use the existing certificate and key file"
}
#Modify hostname #Modify hostname
hostname=$(hostname --fqdn) || true hostname=$(hostname --fqdn) || true
if [ -z "$hostname" ] if [ -z "$hostname" ]
then then
isFQDN=false
hostname=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1) hostname=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
fi fi
@ -52,22 +136,19 @@ else
fi fi
#Handle http/https #Handle http/https
protocol=http echo "Read attribute using ovfenv: [ protocol ]"
echo "Read attribute using ovfenv: [ ssl_cert ]" protocol=$(ovfenv -k protocol)
ssl_cert=$(ovfenv -k ssl_cert) if [ -z $protocol ]
echo "Read attribute using ovfenv: [ ssl_cert_key ]"
ssl_cert_key=$(ovfenv -k ssl_cert_key)
if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
then then
echo "ssl_cert and ssl_cert_key are set, using HTTPS protocol"
protocol=https protocol=https
sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg fi
echo $ssl_cert > /data/server.crt
format /data/server.crt echo "Protocol: $protocol"
echo $ssl_cert_key > /data/server.key sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg
format /data/server.key
else if [ $protocol = "https" ]
echo "ssl_cert and ssl_cert_key are not set, using HTTP protocol" then
secure
fi fi
for attr in "${attrs[@]}" for attr in "${attrs[@]}"
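Review bot: genCert writes the CA and server private keys unencrypted (`-nodes`) and `secure` writes the customised key with a bare `echo $ssl_cert_key > $key`, and nothing in this hunk restricts the file mode, so under a typical default umask those keys are created world-readable; add `umask 077` at the top of genCert and secure, or `chmod 600 "$key" "$ca_key"` after each write. The reuse path in `secure` compares only the CN, never validity, so a 365-day cert will keep being reused after it expires — insert `openssl x509 -checkend 0 -noout -in "$cert" || { genCert; return; }` before the CN comparison. The flag check `if [ ! $(cat $flag) = "self-signed" ]` leaves the substitution unquoted, so an empty or multi-word flag file changes the arity of `[` instead of failing cleanly; write `if [ "$(cat "$flag")" != "self-signed" ]`. The CN extraction `sed -n '/^subject/s/^.*CN=//p'` depends on OpenSSL printing `CN=` with no spaces; newer releases default to `CN = …`, which would leave `cn` empty and regenerate the certificate on every boot, so pinning the format with `openssl x509 -noout -subject -nameopt RFC2253 -in "$cert"` is safer. The attrs loop that follows and the `format` helper referenced here continue outside this section.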


@ -46,6 +46,7 @@ then
fi fi
#Configure other attrs #Configure other attrs
mkdir -p /data/cert/
configure configure
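Review bot: `mkdir -p /data/cert/` creates the directory that will hold unencrypted private keys with whatever mode the current umask yields, and nothing visible here tightens it afterwards; `mkdir -p -m 0700 /data/cert/` would keep the keys unreadable to other local users regardless of how the individual key files are written. If another part of this startup script already sets a restrictive umask or chmods the directory, this is covered, but that is not visible in this section.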
#Start Harbor #Start Harbor