
Creating a self-signed ("ore-ore") certificate authority inside a Dockerfile

Posted at 2023-06-14

Hey docker, it's me! It's me, it's me!!

An unrelated opening, but this post is about creating a self-signed ("ore-ore") CA inside a Dockerfile.
There are probably simpler ways to do this, but let's give it a try.

That said, walking through everything is tedious, so first I'll just dump the relevant parts of the Dockerfile.

Dockerfile
FROM rockylinux/rockylinux:8

# the CA private key is generated on the host beforehand (see make_keys.sh)
COPY certs/ca.key /etc/pki/CA/private/
RUN  mkdir -p /selfcerts/;
COPY files/self-certs-settings/openssl-ca.cnf /selfcerts/
# self-signed CA certificate, valid for 10 years
RUN  openssl req -new -x509 -days 3650 -sha256 -key /etc/pki/CA/private/ca.key -subj "/C=JP/ST=prefecture/L=city/O=companyname/CN=server.name" -out /etc/pki/CA/ca.crt -config /selfcerts/openssl-ca.cnf
# register the CA certificate in the system trust store
RUN  cp /etc/pki/CA/ca.crt /usr/share/pki/ca-trust-source/anchors/
RUN  update-ca-trust extract
# DER copy of the CA certificate (handy for importing into clients)
RUN  openssl x509 -inform pem -in /etc/pki/CA/ca.crt -outform der -out /selfcerts/ca.der
COPY certs/server.key /selfcerts/server.key
COPY files/self-certs-settings/openssl-server.cnf /selfcerts/openssl-server.cnf
COPY files/self-certs-settings/sans_temp.cnf /selfcerts/sans_temp.cnf
# certificate signing request for the server
RUN  openssl req -new -key /selfcerts/server.key -sha256 -subj "/C=JP/ST=prefecture/L=city/O=companyname/CN=server.name" -config /selfcerts/openssl-server.cnf -out /selfcerts/server.csr
# database files that "openssl ca" expects: issued-certs dir, empty index, serial counter
RUN  mkdir -p /etc/pki/CA/newcerts ; touch /etc/pki/CA/index.txt ; echo '0001' >> /etc/pki/CA/serial
# sign the CSR with the CA and add the SAN from sans_temp.cnf; "yes" answers the confirmation prompts
RUN  yes| openssl ca -in /selfcerts/server.csr -keyfile /etc/pki/CA/private/ca.key -cert /etc/pki/CA/ca.crt -config /selfcerts/openssl-server.cnf -extfile /selfcerts/sans_temp.cnf -out /selfcerts/server.crt
# point Apache's SSL virtual host at the server name
RUN sed -i "s/#ServerName www\.example\.com/ServerName server.name/g" /etc/httpd/conf.d/ssl.conf

Now let's go through it piece by piece.

Dockerfile
COPY certs/ca.key /etc/pki/CA/private/

Huh, the CA key already exists? Here is how the keys are made:

make_keys.sh
#!/bin/bash
mkdir -p ./certs/
sudo rm -f ./certs/server.key ./certs/ca.key
# CA key: generated passphrase-protected (des3), then rewritten without the passphrase
# so it can be used inside docker build without a prompt (genrsa takes no -config option)
sudo openssl genrsa -des3 -out ./certs/ca.key 2048
sudo openssl rsa -in ./certs/ca.key -out ./certs/ca.key
# server key, also stored without a passphrase
sudo openssl genrsa 2048 > ./certs/server.key
sudo openssl rsa -in ./certs/server.key -out ./certs/server.key
# keys owned by the invoking user and readable only by them
sudo chown ${USER}:${USER} ./certs/server.key ./certs/ca.key
sudo chmod 400 ./certs/server.key ./certs/ca.key

./files/self-certs-settings/openssl-ca.cnf is a config file; fill it in with appropriate values beforehand.

Dockerfile
RUN  mkdir -p /selfcerts/;

That one is fine, right?

Dockerfile
COPY files/self-certs-settings/openssl-ca.cnf /selfcerts/

This is OK too, right?

Dockerfile
RUN  openssl req -new -x509 -days 3650 -sha256 -key /etc/pki/CA/private/ca.key -subj "/C=JP/ST=prefecture/L=city/O=companyname/CN=server.name" -out /etc/pki/CA/ca.crt -config /selfcerts/openssl-ca.cnf

This is the first hurdle: the country name and server name are specified here.

Dockerfile
RUN  cp /etc/pki/CA/ca.crt /usr/share/pki/ca-trust-source/anchors/
RUN  update-ca-trust extract

This is fine too, right?

Dockerfile
RUN  openssl x509 -inform pem -in /etc/pki/CA/ca.crt -outform der -out /selfcerts/ca.der
COPY certs/server.key /selfcerts/server.key
COPY files/self-certs-settings/openssl-server.cnf /selfcerts/openssl-server.cnf

I think there is no problem here either. Set up openssl-server.cnf as well.

Dockerfile
COPY files/self-certs-settings/sans_temp.cnf /selfcerts/sans_temp.cnf

This one needs a bit of explanation. Write sans_temp.cnf

sans_temp.cnf
subjectAltName=@subject_alt_names
[ subject_alt_names ]
DNS.1 = server.name

like this. I struggled with this quite a bit.

Dockerfile
RUN  openssl req -new -key /selfcerts/server.key -sha256 -subj "/C=JP/ST=prefecture/L=city/O=companyname/CN=server.name" -config /selfcerts/openssl-server.cnf -out /selfcerts/server.csr

This is OK too, right?

Dockerfile
RUN  mkdir -p /etc/pki/CA/newcerts ; touch /etc/pki/CA/index.txt ; echo '0001' >> /etc/pki/CA/serial

Note that this serial has to be incremented every time you build with the Dockerfile.
Otherwise Firefox reports an error.

Dockerfile
RUN  yes| openssl ca -in /selfcerts/server.csr -keyfile /etc/pki/CA/private/ca.key -cert /etc/pki/CA/ca.crt -config /selfcerts/openssl-server.cnf -extfile /selfcerts/sans_temp.cnf -out /selfcerts/server.crt

This part also took a lot of effort: openssl ca will not proceed unless you type yes, so the yes command is used to feed it.

Dockerfile
RUN sed -i "s/#ServerName www\.example\.com/ServerName server.name/g" /etc/httpd/conf.d/ssl.conf

And the Apache configuration has to be changed as well.
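The whole procedure as one non-interactive shell script, as an added example that is not the article's code: it swaps the article's openssl ca plus hand-incremented serial file for openssl x509 -req with a random serial, so every rebuild gets a new serial without editing the Dockerfile, and verify_server_cert applies the chain and SAN hostname checks a browser or curl would. The function names, the work directory and the host name server.name are assumptions.

```shell
#!/bin/sh
# Added example, not the article's code. Builds the same CA -> server chain as the
# Dockerfile, non-interactively, then checks it the way a browser or curl will.
# Swapped-in technique: "openssl x509 -req" with a random serial replaces the
# article's "openssl ca" + serial file, so each rebuild yields a fresh serial and
# Firefox never sees a reused issuer+serial pair.
# Assumed names: make_self_ca, verify_server_cert, cert_serial, host "server.name".
set -eu

make_self_ca() {            # $1 = work dir, $2 = server hostname
  dir=$1; host=$2
  mkdir -p "$dir"
  # SAN extension file, same content as the article's sans_temp.cnf
  printf 'subjectAltName=@subject_alt_names\n[ subject_alt_names ]\nDNS.1 = %s\n' \
    "$host" > "$dir/sans.cnf"
  # CA key without passphrase (no prompt during docker build) and self-signed CA cert
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -sha256 -key "$dir/ca.key" \
    -subj "/C=JP/O=companyname/CN=selfca" -out "$dir/ca.crt"
  # server key and CSR; the CN alone is not enough, browsers match the SAN
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/server.key" \
    -subj "/C=JP/O=companyname/CN=$host" -out "$dir/server.csr"
  # sign with the CA, attach the SAN, use a random 128-bit serial
  openssl x509 -req -days 825 -sha256 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial "0x$(openssl rand -hex 16)" \
    -extfile "$dir/sans.cnf" -out "$dir/server.crt" 2>/dev/null
}

# returns 0 only if server.crt chains to ca.crt AND its SAN covers the hostname
verify_server_cert() {      # $1 = work dir, $2 = hostname to check
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# hex serial of a certificate; compare two builds to confirm it changed
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
```

Run make_self_ca twice into different directories and compare cert_serial on the results to see that no serial is reused between builds.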

With this it should work.

Give it a try!!
