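#!/bin/bash
# generate-registry-cert.sh
#
# Generates a self-signed certificate for a Docker Registry with Subject
# Alternative Names (SANs) covering both the registry hostname and its IP,
# so that Docker clients do not reject it for a CN/SAN mismatch.
#
# Usage: generate-registry-cert.sh [registry_ip] [registry_hostname] [cert_dir] [days]
# Run with no arguments to print the (Italian) usage text.
#
# Files written under cert_dir:
#   domain.key   private key, mode 0600 - stays on the registry host only
#   domain.crt   certificate, mode 0644 - this is what clients install as ca.crt
#   openssl.cnf  the OpenSSL request config that was used, kept for inspection
#
# Re-running the script regenerates the key pair, so every client that
# installed the previous domain.crt must install the new one again.
set -euo pipefail

# Parameters (all positional and optional)
readonly REGISTRY_IP=${1:-"192.168.1.204"}
readonly REGISTRY_HOSTNAME=${2:-"registry.local"}
readonly CERT_DIR=${3:-"/opt/docker-registry/certs"}
readonly CERT_DAYS=${4:-365}

# Output files
readonly KEY_FILE="$CERT_DIR/domain.key"
readonly CERT_FILE="$CERT_DIR/domain.crt"
readonly CNF_FILE="$CERT_DIR/openssl.cnf"

# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Colored one-line messages. %b expands the escape sequences of the color
# codes; the message itself goes through %s so backslashes in paths or
# user-supplied values are printed verbatim rather than interpreted.
print_success() { printf '%b✓ %s%b\n' "$GREEN" "$1" "$NC"; }
print_error()   { printf '%b✗ %s%b\n' "$RED" "$1" "$NC" >&2; }
print_warning() { printf '%b⚠ %s%b\n' "$YELLOW" "$1" "$NC" >&2; }
print_info()    { printf '%bℹ %s%b\n' "$BLUE" "$1" "$NC"; }

#######################################
# Prints the usage text (shown when the script is run with no arguments).
# Outputs: usage text on stdout
#######################################
usage() {
  echo "Uso: $0 [registry_ip] [registry_hostname] [cert_dir] [days]"
  echo ""
  echo "Parametri opzionali:"
  echo " registry_ip - IP del registry (default: 192.168.1.204)"
  echo " registry_hostname - Hostname del registry (default: registry.local)"
  echo " cert_dir - Directory certificati (default: /opt/docker-registry/certs)"
  echo " days - Validità in giorni (default: 365)"
  echo ""
  echo "Esempio:"
  echo " $0 192.168.1.204 registry.local"
}

#######################################
# Rejects parameter values that would break the generated files.
# The OpenSSL config is written through an unquoted heredoc, so a value
# containing a newline or '[' could add config lines or sections of its own;
# restricting hostname and IP to [A-Za-z0-9.:-] rules that out while still
# allowing DNS names, IPv4 and IPv6 literals. days must be a positive integer
# because it is passed straight to `openssl -days`.
# Globals:  REGISTRY_IP, REGISTRY_HOSTNAME, CERT_DAYS (read)
# Returns:  0 if all values are acceptable; exits 1 otherwise
#######################################
validate_args() {
  local name_re='^[A-Za-z0-9.:-]+$'
  local days_re='^[1-9][0-9]*$'
  if ! [[ "$REGISTRY_IP" =~ $name_re ]]; then
    print_error "registry_ip non valido: '$REGISTRY_IP'"
    exit 1
  fi
  if ! [[ "$REGISTRY_HOSTNAME" =~ $name_re ]]; then
    print_error "registry_hostname non valido: '$REGISTRY_HOSTNAME'"
    exit 1
  fi
  if ! [[ "$CERT_DAYS" =~ $days_re ]]; then
    print_error "days deve essere un intero positivo: '$CERT_DAYS'"
    exit 1
  fi
}

#######################################
# Prints the effective configuration before doing any work.
# Globals:  REGISTRY_IP, REGISTRY_HOSTNAME, CERT_DIR, CERT_DAYS (read)
#######################################
print_header() {
  print_info "Generazione certificato self-signed per Docker Registry"
  echo ""
  print_info "Configurazione:"
  print_info " IP: $REGISTRY_IP"
  print_info " Hostname: $REGISTRY_HOSTNAME"
  print_info " Directory: $CERT_DIR"
  print_info " Validità: $CERT_DAYS giorni"
  echo ""
}

#######################################
# Writes the OpenSSL request config with the SAN list.
# The certificate is self-signed and is installed on clients as ca.crt, hence
# CA:TRUE + keyCertSign in [v3_ca]. Consequence worth keeping in mind: whoever
# holds domain.key can sign certificates that every client trusting this
# domain.crt will accept, so the key must never leave the registry host.
# NOTE(review): whether Docker clients also accept CA:FALSE here was not
# verified; left as the author had it.
# Globals:  CNF_FILE (written), REGISTRY_HOSTNAME, REGISTRY_IP (read)
#######################################
write_openssl_config() {
  cat > "$CNF_FILE" << EOF
[req]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
prompt = no

[req_distinguished_name]
C = IT
ST = Italy
L = City
O = Docker Registry
OU = IT Department
CN = $REGISTRY_HOSTNAME

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = $REGISTRY_HOSTNAME
DNS.2 = localhost
IP.1 = $REGISTRY_IP
IP.2 = 127.0.0.1
EOF
  print_info "File di configurazione creato: $CNF_FILE"
}

#######################################
# Generates the private key and the self-signed certificate.
# The key is created under umask 077 so it is never world-readable, not even
# between creation and a later chmod; the certificate is public and is opened
# to 0644 afterwards so the registry container can read it.
# Globals:  KEY_FILE, CERT_FILE (written), CNF_FILE, CERT_DAYS (read)
# Returns:  exits non-zero (via set -e) if openssl fails
#######################################
generate_cert() {
  if [[ -e "$KEY_FILE" || -e "$CERT_FILE" ]]; then
    print_warning "Chiave o certificato già presenti in $CERT_DIR: verranno sovrascritti (i client dovranno reinstallare il nuovo ca.crt)"
  fi
  print_info "Generazione chiave privata e certificato..."
  # Subshell so the umask change does not leak into the rest of the script.
  (
    umask 077
    openssl req -newkey rsa:4096 \
      -nodes \
      -sha256 \
      -keyout "$KEY_FILE" \
      -x509 \
      -days "$CERT_DAYS" \
      -config "$CNF_FILE" \
      -out "$CERT_FILE"
  )
  chmod 600 -- "$KEY_FILE"
  chmod 644 -- "$CERT_FILE"
  print_success "Certificato generato con successo!"
  echo ""
}

#######################################
# Shows the SAN section of the new certificate and fails if it is missing,
# since a certificate without SANs is exactly what Docker clients reject.
# Globals:  CERT_FILE (read)
# Returns:  exits 1 if no SAN extension is present
#######################################
verify_cert() {
  print_info "Verifica certificato:"
  if ! openssl x509 -in "$CERT_FILE" -text -noout | grep -A 3 "Subject Alternative Name"; then
    print_error "Il certificato non contiene Subject Alternative Name"
    exit 1
  fi
  echo ""
}

#######################################
# Prints the generated file list and the manual follow-up steps.
# Only domain.crt is copied to clients in step 2; domain.key stays put.
# Globals:  KEY_FILE, CERT_FILE, CNF_FILE, CERT_DIR, REGISTRY_IP (read)
#######################################
print_next_steps() {
  print_info "File generati:"
  print_info " Chiave privata: $KEY_FILE"
  print_info " Certificato: $CERT_FILE"
  print_info " Config OpenSSL: $CNF_FILE"
  echo ""
  print_info "Prossimi passi:"
  print_info ""
  print_info "1. Riavvia il registry Docker con i nuovi certificati:"
  echo " docker stop registry && docker rm registry"
  echo " docker run -d \\"
  echo " -p 5000:5000 \\"
  echo " --name registry \\"
  echo " --restart=always \\"
  echo " -v $CERT_DIR:/certs \\"
  echo " -v /opt/docker-registry/data:/var/lib/registry \\"
  echo " -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \\"
  echo " -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \\"
  echo " registry:2"
  echo ""
  print_info "2. Installa il certificato sui client Docker:"
  echo " # Su ogni VM che deve accedere al registry:"
  echo " sudo mkdir -p /etc/docker/certs.d/$REGISTRY_IP:5000"
  echo " sudo scp root@$REGISTRY_IP:$CERT_FILE /etc/docker/certs.d/$REGISTRY_IP:5000/ca.crt"
  echo " sudo systemctl restart docker"
  echo ""
  print_info "3. (Opzionale) Installa nel sistema per curl/wget:"
  echo " sudo cp $CERT_FILE /usr/local/share/ca-certificates/registry.crt"
  echo " sudo update-ca-certificates"
  echo ""
}

#######################################
# Entry point.
# Arguments: see usage()
#######################################
main() {
  if (( $# == 0 )); then
    usage
    exit 0
  fi
  validate_args
  print_header
  # Create the output directory if it does not exist
  mkdir -p -- "$CERT_DIR"
  write_openssl_config
  generate_cert
  verify_cert
  print_next_steps
  print_success "Setup completato!"
}

main "$@"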