Add environment variable for SSL expiry days & update Dockerfile

dockertls/Dockerfile

@@ -1,20 +1,20 @@
-FROM microsoft/nanoserver:10.0.14393.2068
-
+# escape=`
+FROM microsoft/windowsservercore:ltsc2016
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
 ENV VERSION 2.5.5
 
 ENV LIBRESSLPATH C:\libressl
 
-RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; \
-  Invoke-WebRequest "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-$Env:VERSION-windows.zip" -OutFile libressl.zip -UseBasicParsing ; \
-	Expand-Archive libressl.zip -DestinationPath $Env:Temp ; \
-	New-Item -ItemType Directory -Path $Env:LIBRESSLPATH ; \
-	Copy-Item $Env:Temp\libressl-$Env:VERSION-windows\x64\* $Env:LIBRESSLPATH\. ; \
-	Remove-Item $Env:LIBRESSLPATH\*.pdb ; \
-	$newPath = ('{0};{1}' -f $Env:LIBRESSLPATH, $Env:PATH); \
-	Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\' -Name Path -Value $newPath ; \
-	Remove-Item $Env:Temp\libressl-$Env:VERSION-windows, libressl.zip -Force -Recurse ; \
+RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; `
+  	Invoke-WebRequest "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-$Env:VERSION-windows.zip" -OutFile libressl.zip -UseBasicParsing ; `
+	Expand-Archive libressl.zip -DestinationPath $Env:Temp ; `
+	New-Item -ItemType Directory -Path $Env:LIBRESSLPATH ; `
+	Copy-Item $Env:Temp\libressl-$Env:VERSION-windows\x64\* $Env:LIBRESSLPATH\. ; `
+	Remove-Item $Env:LIBRESSLPATH\*.pdb ; `
+	$newPath = ('{0};{1}' -f $Env:LIBRESSLPATH, $Env:PATH); `
+	Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\' -Name Path -Value $newPath ; `
+	Remove-Item $Env:Temp\libressl-$Env:VERSION-windows, libressl.zip -Force -Recurse ; `
 	New-Item -ItemType Directory -Path $Env:LIBRESSLPATH\ssl
 
 COPY openssl.cnf $LIBRESSLPATH/ssl/.

dockertls/README.md

@@ -16,6 +16,7 @@ mkdir client\.docker
 docker run --rm `
   -e SERVER_NAME=$(hostname) `
   -e IP_ADDRESSES=127.0.0.1,192.168.254.135 `
+  -e SSL_EXPIRY_DAYS=730 `
   -v "$(pwd)\server:c:\programdata\docker" `
   -v "$(pwd)\client\.docker:c:\users\containeradministrator\.docker" stefanscherer/dockertls-windows
 dir server\certs.d

dockertls/generate-certs.ps1

@@ -5,6 +5,7 @@ $Global:caPrivateKeyPassFile = ($Global:DockerSSLCARoot + "ca-key-pass.txt")
 $Global:caPrivateKeyPass = ""
 $Global:caPrivateKeyFile = ($Global:DockerSSLCARoot + "ca-key.pem")
 $Global:caPublicKeyFile = ($Global:DockerSSLCARoot + "ca.pem")
+$Global:sslExpiryDays = 365
 
 
 function ensureDirs($dirs) {
@@ -26,8 +27,8 @@ function createCA(){
   Write-Host "`n=== Generating CA private key"
   & openssl genrsa -aes256 -passout $Global:caPrivateKeyPass -out $Global:caPrivateKeyFile 4096
 
-  Write-Host "`n=== Generating CA public key"
-  & openssl req -subj "/C=US/ST=Washington/L=Redmond/O=./OU=." -new -x509 -days 365 -passin $Global:caPrivateKeyPass -key $Global:caPrivateKeyFile -sha256 -out $Global:caPublicKeyFile
+  Write-Host "`n=== Generating CA public key - expires in $Global:sslExpiryDays days"
+  & openssl req -subj "/C=US/ST=Washington/L=Redmond/O=./OU=." -new -x509 -days $Global:sslExpiryDays -passin $Global:caPrivateKeyPass -key $Global:caPrivateKeyFile -sha256 -out $Global:caPublicKeyFile
 }
 
 # https://docs.docker.com/engine/security/https/
@@ -59,7 +60,7 @@ function createCerts($serverCertsPath, $serverName, $alternativeNames, $ipAddres
 
   "subjectAltName = " + ($san -join ',') | Out-File extfile.cnf -Encoding Ascii
   cat extfile.cnf
-  & openssl x509 -req -days 365 -sha256 -in server.csr -CA $Global:caPublicKeyFile -passin $Global:caPrivateKeyPass -CAkey $Global:caPrivateKeyFile `
+  & openssl x509 -req -days $Global:sslExpiryDays -sha256 -in server.csr -CA $Global:caPublicKeyFile -passin $Global:caPrivateKeyPass -CAkey $Global:caPrivateKeyFile `
     -CAcreateserial -out server-cert.pem -extfile extfile.cnf
 
   Write-Host "`n=== Generating Client key"
@@ -68,9 +69,9 @@ function createCerts($serverCertsPath, $serverName, $alternativeNames, $ipAddres
   Write-Host "`n=== Generating Client signing request"
   & openssl req -subj '/CN=client' -new -key key.pem -out client.csr
 
-  Write-Host "`n=== Signing Client signing request"
+  Write-Host "`n=== Signing Client signing request - expires in $Global:sslExpiryDays days"
   "extendedKeyUsage = clientAuth" | Out-File extfile.cnf -Encoding Ascii
-  & openssl x509 -req -days 365 -sha256 -in client.csr -CA $Global:caPublicKeyFile -passin $Global:caPrivateKeyPass -CAkey $Global:caPrivateKeyFile `
+  & openssl x509 -req -days $Global:sslExpiryDays -sha256 -in client.csr -CA $Global:caPublicKeyFile -passin $Global:caPrivateKeyPass -CAkey $Global:caPrivateKeyFile `
     -CAcreateserial -out cert.pem -extfile extfile.cnf
 
   Write-Host "`n=== Copying Server certificates to $serverCertsPath"
@@ -197,6 +198,11 @@ $alternativeNames = $env:ALTERNATIVE_NAMES
 $ipAddresses = $env:IP_ADDRESSES
 $userPath = "$env:USERPROFILE\.docker"
 
+$sslExpiry=0
+if ([int]::TryParse($env:SSL_EXPIRY_DAYS, [ref]$sslExpiry)) {
+  $Global:sslExpiryDays = $sslExpiry
+}
+
 ensureDirs @("$dockerData\certs.d", "$dockerData\config", "$userPath", $Global:DockerSSLCARoot)
 
 #Test the CA Root path to see if an existing set of CA keys was provided