|
|
|
|
# gencert
|
|
|
|
|
|
|
|
|
|
This script generates x509 server certificate (with all IPs in SAN) signed by a
|
|
|
|
|
self-signed CA.
|
|
|
|
|
|
|
|
|
|
## Purpose
|
|
|
|
|
- This script will always produce a self-signed x509 certificate in the
|
|
|
|
|
current path with the IP addresses embedded to x509's SAN.
|
|
|
|
|
It will also produce a CA certificate and can be used by other services
|
|
|
|
|
which may need to authenticate against this self-signed certificate.
|
|
|
|
|
The authentication works in a way that a public CA certificate will be
|
|
|
|
|
used by the client in order to validate the server's certificate.
|
|
|
|
|
|
|
|
|
|
## Application
|
|
|
|
|
### Backend requiring x509 running behind reverse proxy
|
|
|
|
|
- This script has been created in order to ease the Minio's SSE-C
|
|
|
|
|
(Server Side Encryption - Customer provided keys) enablement when
|
|
|
|
|
Minio server is running as a backend behind a reverse proxy like Traefik.
|
|
|
|
|
Minio server enables SSE-C only when it detects the x509 certificates.
|
|
|
|
|
Traefik running with docker service provider talks to the backend using
|
|
|
|
|
the IP. The IP usually is not static, hence this script comes handy.
|
|
|
|
|
|
|
|
|
|
## Example usage
|
|
|
|
|
### Minio server with Traefik example
|
|
|
|
|
|
|
|
|
|
1. Replace ``minio server`` command with the following one:
|
|
|
|
|
``cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server /data``
|
|
|
|
|
2. Copy the CA certificate ``ca.crt`` file to ``/usr/local/share/ca-certificates/`` and
|
|
|
|
|
run ``update-ca-certificates`` command which will update
|
|
|
|
|
``/etc/ssl/certs/ca-certificates.crt`` file;
|
|
|
|
|
3. Restart Traefik.
|
|
|
|
|
|
|
|
|
|
> With the Step 1. Minio server will get the certificate it needs, hence SSE-C
|
|
|
|
|
> will be enabled.
|
|
|
|
|
|
|
|
|
|
> Steps 2. and 3. will need to be repeated each time you get a new CA
|
|
|
|
|
> certificate.
|
|
|
|
|
> These steps can be automated this way:
|
|
|
|
|
> Start Traefik with this command:
|
|
|
|
|
> ``sh -c "update-ca-certificates && traefik"``
|
|
|
|
|
> while ``/usr/local/share/ca-certificates`` container path is mounted from the
|
|
|
|
|
> host with the CA certificate produced by this script.
|
|
|
|
|
|
|
|
|
|
> I am using Alpine Traefik image, the correct ca certificates path is
|
|
|
|
|
> ``/usr/local/share/ca-certificates/``, otherwise one of these
|
|
|
|
|
> https://golang.org/src/crypto/x509/root_linux.go
|
|
|
|
|
|
|
|
|
|
## Script logic
|
|
|
|
|
- generate CA certificate if does not find any
|
|
|
|
|
- always generate server certificate on startup to ensure all IP addresses
|
|
|
|
|
are in x509 SAN
|
|
|
|
|
- warn if the CA certificate is about to expire (<30 days till expiration)
|
|
|
|
|
- regenerate the CA certificate if it finds it has expired
|
|
|
|
|
|
|
|
|
|
## Notes
|
|
|
|
|
- The CA certificate will be valid for 3650 days (10 years)
|
|
|
|
|
- The server certifcate will be valid for 365 days (1 year)
|
|
|
|
|
- The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures
|
|
|
|
|
|
|
|
|
|
## Testing
|
|
|
|
|
|
|
|
|
|
I have added a simplistic script [testme.sh](testme.sh) that helps to test this
|
|
|
|
|
script in the following Linux distributions:
|
|
|
|
|
|
|
|
|
|
- Alpine 3.7
|
|
|
|
|
- Ubuntu Bionic
|
|
|
|
|
- Debian Stretch
|
|
|
|
|
- CentOS 7
|
