
A CSR (certificate signing request) is to be generated automatically in an Nginx container environment.
Specifically, I create and execute a shell script that uses Expect and openssl.

The CSR (signing request) is not created even when the shell script is executed.

Applicable source code
[csr_create.sh]
#!/bin/sh
expect -c "
set timeout 1
spawn openssl req -new -key server.key -out server.csr
expect -regexp \"Country Name \(2 letter code\) \[.*\]:\"
send \"JP\r\"
expect -regexp \"State or Province Name (full name) \[.*\]\"
send \"Prefecture\r\"
expect -regexp \"Locality Name (eg, city) \[.*\]:\"
send \"City\r\"
expect -regexp \"Organization Name (eg, company) \[.*\]:\"
send \"Organization\r\"
expect -regexp \"Organizational Unit Name (eg, section) \[.*\]:\"
send \"development team\r\"
expect -regexp \"Common Name (e.g. server FQDN or YOUR name) \[.*\]:\"
send \"www.example.ex\r\"
expect -regexp \"Email Address \[.*\]:\"
send \"\r\"
expect -regexp \"A challenge password \[.*\]:\"
send \"\r\"
expect -regexp \"An optional company name \[.*\]:\"
send \"\r\"
expect .*
"
Execution environment

Create an appropriate directory locally, move into it, and create the above file there.
pwd =>.../sandbox
ls =>csr_create.sh
chmod 755 csr_create.sh  

Executed command and execution result

In the procedure below, csr_create.sh is run, but server.csr is not generated.

docker pull nginx:1.15.8
docker run -it -v .../sandbox:/etc/ssl/sandbox [nginx_image_id] bash
apt-get update
apt-get install -y openssl expect
cd /etc/ssl/sandbox
openssl genrsa -out server.key 2024
ls =>csr_create.sh server.key
./csr_create.sh
ls =>csr_create.sh server.key

Probable cause

From trial and error, it seems that the -out server.csr option of the openssl req command is not writing the file properly.
I think the way the shell script is written is bad, but I have no idea how to deal with it.

What I tried

I tried the following four approaches without using -out server.csr, but none of them worked.

(1) Output the execution result to a file by redirecting

[csr_create.sh]
#!/bin/sh
$(expect -c "
set timeout 1
spawn openssl req -new -key server.key
... [Omitted] ...
expect .*
") >>server.csr

(2) echo and redirect to output to a file

[csr_create.sh]
#!/bin/sh
echo $(expect -c "
set timeout 1
spawn openssl req -new -key server.key
... [Omitted] ...
expect .*
") >>server.csr

(3) Output to file by pipe and redirect

[csr_create.sh]
#!/bin/sh
$(expect -c "
set timeout 1
spawn openssl req -new -key server.key
... [Omitted] ...
expect .*
") | >>server.csr

(4) Output to file with pipe and tee

[csr_create.sh]
#!/bin/sh
$(expect -c "
set timeout 1
spawn openssl req -new -key server.key
... [Omitted] ...
expect .*
") | tee server.csr

None of them worked.

Supplemental information (FW/tool version, etc.)

Docker Image: nginx:1.15.8
OpenSSL: OpenSSL 1.1.0l 10 Sep 2019 (Library: OpenSSL 1.1.0j 20 Nov 2018)
Expect: version 5.45

Summary

I think there is a problem with how the shell script is written, but I have no idea how to fix it.
I think it can be achieved if done properly.
Is there any good way?
I apologize for the inconvenience, but I would appreciate your advice.

  • Answer # 1

    I don't know the reason why it doesn't work because I haven't scrutinized it, but since it is a process that does not require any interaction, I don't think you should use expect.

    For example, in the "Issue Certificate" chapter of the article "Oreore EV SSL Certificate with Firefox" that I wrote before, the private key and CSR are created as follows.

    openssl req -config $CONF -new -newkey rsa:2048 -nodes -keyout svr.key -out svr.csr -subj "/CN=angel.p57/O=Omura Industries MC./ST=Neo-Saitama/C=JP"

    * $CONF is a variable holding the OpenSSL configuration file name, but it is probably the default setting, so there is no problem if you remove -config $CONF.
    * Set the contents of -subj according to the items actually requested for the CSR. Also, in the article the order is CN → O → …, but this is the reverse of the usual order, which is bad, so be careful. Note: Is the DN right to left or left to right?
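The following script is an added example, not code from the question or from the answer above. It puts the answer's recommendation (pass the DN with -subj so openssl req never prompts and Expect is not needed) next to the check the question was missing: after generation, confirm that server.csr exists, parses, and that its self-signature verifies, so an empty or unwritten file is caught immediately rather than discovered later with ls. It assumes openssl is on PATH; the function names, the file names and the DN values (JP, Tokyo, Chiyoda, Example Inc, development team, www.example.ex) are constructed for the example.

```shell
#!/bin/sh
# Added example: non-interactive CSR generation plus verification.
# Assumes openssl is on PATH. DN values and file names are constructed.

# Build the -subj string from the DN components in the order openssl req
# prompts for them: C, ST, L, O, OU, CN. A '/' inside a value would have to
# be escaped as '\/' because '/' separates the components.
build_subject() {
  # $1=C $2=ST $3=L $4=O $5=OU $6=CN
  printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Create an RSA private key unless a non-empty one already exists
# (the question's "openssl genrsa" step). Non-zero status if openssl fails.
make_key() {
  key="$1"
  [ -s "$key" ] && return 0
  openssl genrsa -out "$key" 2048 2>/dev/null
}

# Create the CSR from an existing key with no prompts: -subj supplies every
# DN field, so neither Expect nor a terminal is involved.
make_csr() {
  key="$1"; csr="$2"; subj="$3"
  openssl req -new -key "$key" -out "$csr" -subj "$subj"
}

# Check that the CSR is non-empty, parses, and that its self-signature
# verifies (openssl req -verify exits non-zero otherwise), then print the
# subject for a visual check. Returns 0 only when all of that holds.
check_csr() {
  csr="$1"
  [ -s "$csr" ] || return 1
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -subject 2>/dev/null
}

# End-to-end run: writes DIR/server.key and DIR/server.csr, prints the
# CSR subject, and fails (non-zero status) if any step did not produce
# a usable file.
run_example() {
  dir="$1"
  subj=$(build_subject JP Tokyo Chiyoda "Example Inc" "development team" www.example.ex)
  make_key "$dir/server.key" || return 1
  make_csr "$dir/server.key" "$dir/server.csr" "$subj" || return 1
  check_csr "$dir/server.csr"
}

# Stand-alone use: sh csr_noninteractive.sh run [DIR]
[ "${1:-}" = run ] && run_example "${2:-.}"
```

Because every answer travels on the command line, the script works inside the container's non-interactive shell and in CI; the verify step is what distinguishes "the command returned" from "a valid CSR was written".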