feature(generate-cert): allow create self-signed cert

- self-signed cert with a group-readable key and customizable hostname
This commit is contained in:
Asif Bacchus 2021-07-25 19:18:32 -06:00
parent 4ded854631
commit f1faf3fedf
3 changed files with 72 additions and 4 deletions

View File

@ -55,8 +55,10 @@ LABEL org.opencontainers.image.vendor="NGINX"
LABEL org.opencontainers.image.title="ab-nginx" LABEL org.opencontainers.image.title="ab-nginx"
LABEL org.opencontainers.image.description="NGINX-mainline-alpine with more logical file location layout and automatic SSL set up if certificates are provided." LABEL org.opencontainers.image.description="NGINX-mainline-alpine with more logical file location layout and automatic SSL set up if certificates are provided."
# copy configuration files # copy configuration files and utility scripts
COPY entrypoint.sh /entrypoint.sh COPY entrypoint.sh /usr/local/bin/entrypoint.sh
COPY generate-cert.sh /usr/local/bin/generate-cert
COPY selfsigned.cnf /etc/selfsigned.cnf
COPY config /etc/nginx/ COPY config /etc/nginx/
COPY sites /etc/nginx/sites/ COPY sites /etc/nginx/sites/
COPY webroot /usr/share/nginx/html/ COPY webroot /usr/share/nginx/html/
@ -72,7 +74,9 @@ RUN chown -R www-docker:www-docker /usr/share/nginx \
&& find /etc/nginx -type d -exec chmod 750 {} \; \ && find /etc/nginx -type d -exec chmod 750 {} \; \
&& find /etc/nginx -type f -exec chmod 640 {} \; \ && find /etc/nginx -type f -exec chmod 640 {} \; \
&& chown www-docker:www-docker /var/cache/nginx \ && chown www-docker:www-docker /var/cache/nginx \
&& chown www-docker:www-docker /var/log/nginx && chown www-docker:www-docker /var/log/nginx \
&& chmod 644 /etc/selfsigned.cnf \
&& chmod 755 /usr/local/bin/generate-cert /usr/local/bin/entrypoint.sh
USER www-docker USER www-docker
WORKDIR /usr/share/nginx/html WORKDIR /usr/share/nginx/html
@ -86,7 +90,7 @@ ENV HSTS=FALSE
ENV TLS13_ONLY=FALSE ENV TLS13_ONLY=FALSE
# entrypoint script # entrypoint script
ENTRYPOINT [ "/entrypoint.sh" ] ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
# run NGINX by default # run NGINX by default
STOPSIGNAL SIGQUIT STOPSIGNAL SIGQUIT

48
build/generate-cert.sh Normal file
View File

@ -0,0 +1,48 @@
#!/bin/sh
#
# generate a self-signed certificate
#
# check for null hostname
if [ -z "$1" ]; then
printf "\nPlease supply a hostname for the generated certificate as a parameter to this script. Exiting.\n\n"
exit 1
fi
# update openssl configuration file
sed -e "s/{CERT_HOSTNAME}/$1/" /etc/selfsigned.cnf > /tmp/selfsigned.cnf
printf "\nGenerating self-signed certificate for '%s':\n" "$1"
# create placeholder files to set permissions
if ! touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem; then
printf "\nUnable to write to '/certs', is it mounted writable by this container?\n\n"
exit 2
fi
touch /certs/privkey.pem && chmod 640 /certs/privkey.pem
# generate certificate
if ! openssl req -new -x509 -days 365 -nodes -out /certs/fullchain.pem -keyout /certs/privkey.pem -config /tmp/selfsigned.cnf; then
printf "\nUnable to generate certificate. Is the '/certs' directory writable by this container?\n\n"
exit 3
fi
\cp /certs/fullchain.pem /certs/chain.pem
# print user notification
printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
printf "The certificate and private key are PEM formatted with names 'fullchain.pem' and 'privkey.pem', respectively.\n"
printf "Remember to import 'fullchain.pem' to the trusted store on any client machines or you will get warnings.\n\n"
# exit gracefully
exit 0
#
# exit codes
# 0: normal exit, no errors
# 1: invalid or missing parameters
# 2: unable to write to certs directory
# 3: unable to generate certificate
#EOF

16
build/selfsigned.cnf Normal file
View File

@ -0,0 +1,16 @@
default_bits = 4096
default_md = sha256
distinguished_name = dn
req_extensions = san
x509_extensions = san
prompt = no
[dn]
organizationName = AB-NGINX Webserver
CN = {CERT_HOSTNAME}
[san]
subjectAltName = @alt_names
[alt_names]
DNS.1 = {CERT_HOSTNAME}