From f1faf3fedfb73784d5459902ac906ed59bbbcdd0 Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Sun, 25 Jul 2021 19:18:32 -0600
Subject: [PATCH] feature(generate-cert): allow create self-signed cert

- self-signed cert with a group-readable key and customizable hostname
---
 build/Dockerfile | 12 +++++++----
 build/generate-cert.sh | 48 ++++++++++++++++++++++++++++++++++++++++++
 build/selfsigned.cnf | 16 ++++++++++++++
 3 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 build/generate-cert.sh
 create mode 100644 build/selfsigned.cnf

diff --git a/build/Dockerfile b/build/Dockerfile
index d6261ab..511de51 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -55,8 +55,10 @@ LABEL org.opencontainers.image.vendor="NGINX"
 LABEL org.opencontainers.image.title="ab-nginx"
 LABEL org.opencontainers.image.description="NGINX-mainline-alpine with more logical file location layout and automatic SSL set up if certificates are provided."
 
-# copy configuration files
-COPY entrypoint.sh /entrypoint.sh
+# copy configuration files and utility scripts
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY generate-cert.sh /usr/local/bin/generate-cert
+COPY selfsigned.cnf /etc/selfsigned.cnf
 COPY config /etc/nginx/
 COPY sites /etc/nginx/sites/
 COPY webroot /usr/share/nginx/html/
@@ -72,7 +74,9 @@ RUN chown -R www-docker:www-docker /usr/share/nginx \
 && find /etc/nginx -type d -exec chmod 750 {} \; \
 && find /etc/nginx -type f -exec chmod 640 {} \; \
 && chown www-docker:www-docker /var/cache/nginx \
- && chown www-docker:www-docker /var/log/nginx
+ && chown www-docker:www-docker /var/log/nginx \
+ && chmod 644 /etc/selfsigned.cnf \
+ && chmod 755 /usr/local/bin/generate-cert /usr/local/bin/entrypoint.sh
 
 USER www-docker
 WORKDIR /usr/share/nginx/html
@@ -86,7 +90,7 @@ ENV HSTS=FALSE
 ENV TLS13_ONLY=FALSE
 
 # entrypoint script
-ENTRYPOINT [ "/entrypoint.sh" ]
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
 
 # run NGINX by default
 STOPSIGNAL SIGQUIT
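Review bot: The two scripts placed in /usr/local/bin are named inconsistently in the first hunk: `COPY entrypoint.sh /usr/local/bin/entrypoint.sh` keeps the `.sh` suffix while `COPY generate-cert.sh /usr/local/bin/generate-cert` drops it, and the later `chmod 755` and `ENTRYPOINT` lines repeat the split. Since both now live on PATH and generate-cert is meant to be invoked by bare name, `COPY entrypoint.sh /usr/local/bin/entrypoint` with the matching `ENTRYPOINT [ "/usr/local/bin/entrypoint" ]` would keep them uniform, unless the `.sh` path is referenced elsewhere, which this diff does not show.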
diff --git a/build/generate-cert.sh b/build/generate-cert.sh
new file mode 100644
index 0000000..b62617a
--- /dev/null
+++ b/build/generate-cert.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# generate a self-signed certificate
+#
+
+# check for null hostname
+if [ -z "$1" ]; then
+ printf "\nPlease supply a hostname for the generated certificate as a parameter to this script. Exiting.\n\n"
+ exit 1
+fi
+
+# update openssl configuration file
+sed -e "s/{CERT_HOSTNAME}/$1/" /etc/selfsigned.cnf > /tmp/selfsigned.cnf
+
+printf "\nGenerating self-signed certificate for '%s':\n" "$1"
+
+# create placeholder files to set permissions
+if ! touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem; then
+ printf "\nUnable to write to '/certs', is it mounted writable by this container?\n\n"
+ exit 2
+fi
+touch /certs/privkey.pem && chmod 640 /certs/privkey.pem
+
+# generate certificate
+if ! openssl req -new -x509 -days 365 -nodes -out /certs/fullchain.pem -keyout /certs/privkey.pem -config /tmp/selfsigned.cnf; then
+ printf "\nUnable to generate certificate. Is the '/certs' directory writable by this container?\n\n"
+ exit 3
+fi
+\cp /certs/fullchain.pem /certs/chain.pem
+
+# print user notification
+printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
+printf "The certificate and private key are PEM formatted with names 'fullchain.pem' and 'privkey.pem', respectively.\n"
+printf "Remember to import 'fullchain.pem' to the trusted store on any client machines or you will get warnings.\n\n"
+
+# exit gracefully
+exit 0
+
+
+#
+# exit codes
+# 0: normal exit, no errors
+# 1: invalid or missing parameters
+# 2: unable to write to certs directory
+# 3: unable to generate certificate
+
+#EOF
diff --git a/build/selfsigned.cnf b/build/selfsigned.cnf
new file mode 100644
index 0000000..9faedbc
--- /dev/null
+++ b/build/selfsigned.cnf
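Review bot: The writability check on the fullchain placeholder never does what it says, because `!` binds only to `touch` in `if ! touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem; then`: when touch fails the chmod on the missing file fails too, so the exit-2 branch is skipped, and when touch succeeds the chmod is never executed at all. Group the pair so the negation covers both, `if ! { touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem; }; then`, and give `touch /certs/privkey.pem && chmod 640 /certs/privkey.pem` the same failure handling so a key file whose mode could not be set to 640 is not silently written by openssl with whatever mode the umask or a pre-existing file gives it. Separately, `$1` is spliced unescaped into the sed expression on `sed -e "s/{CERT_HOSTNAME}/$1/" ...`, so a value containing `/`, `&` or a backslash is interpreted by sed rather than copied and anything else lands verbatim in the OpenSSL config; rejecting non-hostname characters first, e.g. `case "$1" in *[!A-Za-z0-9.*-]*) printf "\nInvalid hostname '%s'. Exiting.\n\n" "$1"; exit 1 ;; esac`, keeps the exit-1 contract honest. The fixed `/tmp/selfsigned.cnf` would also be better obtained from `mktemp` and removed after the openssl call, since it is currently left behind.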
@@ -0,0 +1,16 @@
+default_bits = 4096
+default_md = sha256
+distinguished_name = dn
+req_extensions = san
+x509_extensions = san
+prompt = no
+
+[dn]
+organizationName = AB-NGINX Webserver
+CN = {CERT_HOSTNAME}
+
+[san]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = {CERT_HOSTNAME}
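Review bot: The `[san]` block used for both `req_extensions` and `x509_extensions` carries only `subjectAltName`, so the generated leaf has no key-usage extensions; some TLS clients (Apple's platforms document this requirement for server certificates) refuse a server certificate that lacks `extendedKeyUsage = serverAuth`, which would undercut the "import fullchain.pem to the trusted store" advice printed by generate-cert.sh. Adding `extendedKeyUsage = serverAuth` (and, if desired, `keyUsage = digitalSignature, keyEncipherment`) under `[san]` costs nothing and matches what the script advertises the certificate for. Because `prompt = no`, a substituted `{CERT_HOSTNAME}` longer than 64 characters makes `openssl req` fail the CN length check even though the SAN would accept it, which is worth a comment next to `CN = {CERT_HOSTNAME}`.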