#!/bin/bash if [ ! -f /data/certificates/certs/opensearch-ca.key ] then echo "generating CA" mkdir -p /data/certificates/certs/ openssl genrsa -out /data/certificates/certs/opensearch-ca.key 2048 openssl req -new -x509 -sha256 -days 3650 -subj "/C=US/ST=NY/L=IT/O=security/CN=opensearch-ca" -key /data/certificates/certs/opensearch-ca.key -out /data/certificates/certs/opensearch-ca.pem openssl x509 -noout -subject -in /data/certificates/certs/opensearch-ca.pem fi if [ ! -f /data/certificates/certs/opensearch-admin.key ] then echo "generating admin user key" mkdir -p /data/certificates/certs/ openssl genrsa -out /data/certificates/certs/opensearch-admin_rsa.key 2048 openssl pkcs8 -v1 PBE-SHA1-3DES -nocrypt -in /data/certificates/certs/opensearch-admin_rsa.key -topk8 -out /data/certificates/certs/opensearch-admin.key openssl req -new -inform PEM -outform PEM -subj "/C=US/ST=NY/L=IT/O=security/CN=admin" -key /data/certificates/certs/opensearch-admin.key -out /data/certificates/certs/opensearch-admin.csr openssl x509 -req -days 3650 -in /data/certificates/certs/opensearch-admin.csr -CA /data/certificates/certs/opensearch-ca.pem -CAkey /data/certificates/certs/opensearch-ca.key -CAcreateserial -sha256 -out /data/certificates/certs/opensearch-admin.pem #openssl verify -CAfile /data/certificates/certs/opensearch-ca.pem /data/certificates/certs/opensearch-admin.pem #openssl x509 -noout -subject -in /data/certificates/certs/opensearch-admin.pem fi if [ ! -f /data/opensearch-node1/certs/opensearch-node1.key ] then for NODE_NAME in "node1" "node2" do echo "generating certificate opensearch-$NODE_NAME" mkdir -p /data/opensearch-$NODE_NAME/certs/ cat << EOF > /tmp/request.conf [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = NY L = IT O = security CN = opensearch-$NODE_NAME [v3_req] keyUsage = keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names [alt_names] DNS.1 = docker-cluster DNS.2 = opensearch-$NODE_NAME RID.1 = 1.2.3.4.5.5 EOF openssl genrsa -out /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME-rsa.key 2048 openssl pkcs8 -inform PEM -outform PEM -in /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME-rsa.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME.key openssl req -new -config /tmp/request.conf -key /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME.key -out /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME.csr openssl x509 -req -days 3650 -extfile /tmp/request.conf -extensions v3_req -in /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME.csr -CA /data/certificates/certs/opensearch-ca.pem -CAkey /data/certificates/certs/opensearch-ca.key -CAcreateserial -sha256 -out /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME.pem cp /data/certificates/certs/opensearch-ca.pem /data/opensearch-$NODE_NAME/certs/ cp /data/certificates/certs/opensearch-admin.pem /data/opensearch-$NODE_NAME/certs/ cp /data/certificates/certs/opensearch-admin.key /data/opensearch-$NODE_NAME/certs/ #openssl verify -CAfile /data/opensearch-$NODE_NAME/certs/opensearch-ca.pem /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME.pem #openssl x509 -text -in /data/opensearch-$NODE_NAME/certs/opensearch-$NODE_NAME.pem done fi if [ ! -f /data/traefik/certs/traefik.key ] then echo "generating certificate traefik" mkdir -p /data/traefik/certs/ cat << EOF > /tmp/request.conf [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = NY L = IT O = security CN = opensearch-lab [v3_req] keyUsage = keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names [alt_names] DNS.1 = traefik.local DNS.2 = opensearch.local DNS.3 = grafana.local EOF ##openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /data/traefik/certs/server.key -out /data/traefik/certs/server.crt -subj "/C=US/ST=NY/L=IT/O=security/CN=logger" #openssl genrsa -out /data/traefik/certs/traefik_rsa.key 2048 #openssl pkcs8 -inform PEM -outform PEM -in /data/traefik/certs/traefik_rsa.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out /data/traefik/certs/traefik.key #openssl req -new -subj "/C=US/ST=NY/L=IT/O=security/CN=traefik" -key /data/traefik/certs/traefik.key -out /data/traefik/certs/traefik.csr #openssl x509 -req -days 3650 -in /data/traefik/certs/traefik.csr -CA /data/certificates/certs/opensearch-ca.pem -CAkey /data/certificates/certs/opensearch-ca.key -CAcreateserial -sha256 -out /data/traefik/certs/traefik.pem #openssl verify -CAfile /data/certificates/certs/opensearch-ca.pem /data/traefik/certs/traefik.pem #openssl x509 -noout -subject -in /data/traefik/certs/traefik.pem openssl genrsa -out /data/traefik/certs/server_rsa.key 2048 openssl pkcs8 -inform PEM -outform PEM -in /data/traefik/certs/server_rsa.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out /data/traefik/certs/server.key openssl req -new -config /tmp/request.conf -key /data/traefik/certs/server.key -out /data/traefik/certs/server.csr openssl x509 -req -days 3650 -extfile /tmp/request.conf -extensions v3_req -in /data/traefik/certs/server.csr -CA /data/certificates/certs/opensearch-ca.pem -CAkey /data/certificates/certs/opensearch-ca.key -CAcreateserial -sha256 -out /data/traefik/certs/server.pem #openssl verify -CAfile /data/traefik/certs/server.pem /data/traefik/certs/server.pem #openssl x509 -text -in /data/traefik/certs/server.pem fi sleep 2