I've got the following docker-compose file that creates a Cassandra cluster with SSL enabled. I have to mount the keystore and truststore files with a volume.
```yaml
version: "3.3"
services:
  cassandra-one:
    image: bitnami/cassandra:3.11
    ports:
      - "9042:9042"
    environment:
      MAX_HEAP_SIZE: "400M"
      MIN_HEAP_SIZE: "400M"
      HEAP_NEWSIZE: "48M"
      CASSANDRA_ENABLE_SCRIPTED_USER_DEFINED_FUNCTIONS: "true"
      CASSANDRA_ENABLE_USER_DEFINED_FUNCTIONS: "true"
      CASSANDRA_KEYSTORE_PASSWORD: "password"
      CASSANDRA_TRUSTSTORE_PASSWORD: "password"
      CASSANDRA_CLIENT_ENCRYPTION: "true"
    volumes:
      - ./keystore.p12:/bitnami/cassandra/secrets/keystore
      - ./truststore.p12:/bitnami/cassandra/secrets/truststore
```
I use the following script to generate the key files needed.
```bash
#!/bin/bash
# Generate localhost_CA and localhost certs/keys
openssl genrsa -out localhost_CA.key 4096
openssl req -x509 -new -config localhost_CA.cfg -key localhost_CA.key -days 9999 -out localhost_CA.crt
openssl genrsa -out localhost.key 4096
openssl req -new -config localhost.cfg -key localhost.key -days 9999 -out localhost.csr
openssl x509 -req -in localhost.csr -CA localhost_CA.crt -CAkey localhost_CA.key -CAcreateserial -days 9999 -out localhost.crt
# generate keystore
openssl pkcs12 -export -out keystore.p12 -inkey localhost.key -in localhost.crt -passout pass:password
keytool -importkeystore -destkeystore keystore.jks -srcstoretype PKCS12 -srckeystore keystore.p12 -deststorepass "password" -srcstorepass "password"
# generate truststore
openssl pkcs12 -export -out truststore.p12 -inkey localhost.key -in localhost.crt -passout pass:password
keytool -importkeystore -destkeystore truststore.jks -srcstoretype PKCS12 -srckeystore truststore.p12 -deststorepass "password" -srcstorepass "password"
```
When I run `docker-compose up` I get the following error:

```
stackoverflow-example-cassandra-one-1 | Importing keystore /bitnami/cassandra/secrets/keystore to /opt/bitnami/cassandra/tmp/keystore.p12...
stackoverflow-example-cassandra-one-1 | keytool error: java.io.FileNotFoundException: /bitnami/cassandra/secrets/keystore (Permission denied)
```
So I have to run the following commands to fix the error so that the services start properly. This gives the docker user (1001) read permission on the files.

```bash
sudo chown -R 1001 keystore.p12
sudo chown -R 1001 truststore.p12
```
How can I do this step in the script without using sudo?

Below I'll put the `*.cfg` files so the script for generating the keys can be used.
`localhost.cfg`:

```ini
[req]
encrypt_key = no
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
CN = localhost
```
`localhost_CA.cfg`:

```ini
# [req] is needed so that "openssl req -x509 -new -config localhost_CA.cfg"
# in the script runs non-interactively and picks up the [dn] section below.
[req]
encrypt_key = no
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[dn]
C = US
ST = CA
L = Los Angeles
O = stackoverflow.com
CN = stackoverflow.com Test CA

[ca]
default_ca = stackoverflow_CA

# Section name must match default_ca above (was "Shotover_CA").
[stackoverflow_CA]
private_key = Stackoverflow_CA.key
certificate = Stackoverflow_CA.crt
new_certs_dir = certs/new/
database = certs/database
RANDFILE = certs/.rand
default_md = sha256
policy = policy_anything
email_in_dn = false
serial = certs/serial
default_days = 365
x509_extensions = v3_ca

[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
```
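As an added example (not part of the question or of the Bitnami image), here is a POSIX shell helper for the permission step. It cannot `chown` to uid 1001 without root, so it does the next best thing: if the script already runs as 1001 or as root it keeps the stores at mode 0600, otherwise it grants world read (0644) and says so, because a PKCS#12 file that the container user can read but you cannot `chown` is necessarily readable by everyone on the host and is then protected only by its store password. It also builds the truststore from the CA certificate alone (`-nokeys`), so the server's private key is not copied into a file that is meant to hold only trust anchors. The uid `1001`, the file names and the `build_truststore` helper are assumptions taken from the question's setup.

```shell
#!/bin/sh
# Added example, not from the question: prepare keystore/truststore for a
# container running as a non-root uid, without sudo.
set -eu

CONTAINER_UID=1001   # bitnami/cassandra runs as this uid (from the question)

# Numeric owner uid of a file (POSIX "ls -ln", third field).
file_owner_uid() {
    ls -ln "$1" | awk '{print $3}'
}

# Symbolic mode string of a file, e.g. "-rw-r--r--".
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Make FILE readable by uid TARGET without sudo.
#   - already owned by TARGET: tighten to 0600 (nobody else needs it)
#   - running as root:         chown to TARGET and tighten to 0600
#   - anything else:           cannot chown, so grant world read (0644)
ensure_readable_by_uid() {
    file=$1
    target=$2
    owner=$(file_owner_uid "$file")
    me=$(id -u)
    if [ "$owner" = "$target" ]; then
        chmod 0600 "$file"
        echo "$file: owned by uid $target, mode 0600"
    elif [ "$me" = 0 ]; then
        chown "$target" "$file"
        chmod 0600 "$file"
        echo "$file: chowned to uid $target, mode 0600"
    else
        chmod 0644 "$file"
        echo "$file: world-readable (0644); cannot chown without root"
    fi
}

# Truststore from the CA certificate only: no private key inside.
# (Assumed helper; needs openssl and keytool, so the demo below skips it
# when they are not installed.)
build_truststore() {
    ca_crt=$1
    out_p12=$2
    pass=$3
    openssl pkcs12 -export -nokeys -in "$ca_crt" -out "$out_p12" -passout "pass:$pass"
    keytool -importcert -noprompt -alias localhost_CA -file "$ca_crt" \
        -keystore "${out_p12%.p12}.jks" -storepass "$pass"
}

# Demo on constructed empty files in a temp dir (no real keys involved).
demo_dir=$(mktemp -d)
touch "$demo_dir/keystore.p12" "$demo_dir/truststore.p12"
for f in "$demo_dir/keystore.p12" "$demo_dir/truststore.p12"; do
    ensure_readable_by_uid "$f" "$CONTAINER_UID"
done
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 \
   && [ -f localhost_CA.crt ]; then
    build_truststore localhost_CA.crt truststore.p12 password
    ensure_readable_by_uid truststore.p12 "$CONTAINER_UID"
fi
rm -rf "$demo_dir"
```

If you would rather keep the files at 0600 and still hand them to uid 1001, the ownership change can be done by the Docker daemon you already use instead of sudo: `docker run --rm -u 0 -v "$PWD:/work" alpine chown 1001 /work/keystore.p12 /work/truststore.p12`. Either way, the `password` store password in the question is the only thing standing between a world-readable `.p12` and the private key inside it, so pick a real one and mount the stores read-only (`:ro`) in the compose file.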