Setup TLS for Docker (Ubuntu 16.04)
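#!/usr/bin/env bash
# Create a CA, server and client keys/certificates, then configure dockerd to
# require TLS client authentication on its TCP socket.
# Source: https://docs.docker.com/engine/security/https/
#
# Usage: override the variables below via the environment if needed and run on
# the Docker host. The CA key step prompts for a passphrase (-aes256).
# Only ca.pem, cert.pem and key.pem are meant to leave this machine (to a
# client); ca-key.pem signs certificates that grant full daemon access, so it
# stays here, read-only for this user.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# --- Parameters ---------------------------------------------------------------
TLS_HOST="${TLS_HOST:-example.com}"        # DNS name clients use in --host (server CN and SAN)
TLS_HOST_IP="${TLS_HOST_IP:-10.10.10.20}"  # server address added to the SAN
TLS_PORT="${TLS_PORT:-2376}"               # conventional TLS port of the Docker API
# 0.0.0.0 exposes the API on every interface; the client-cert check is then the
# only control. Prefer a specific address and restrict the port at the firewall.
LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0}"
# 9999 days (~27 years) matches the original; shorter lifetimes bound the
# exposure of a leaked or un-rotated key.
CERT_DAYS="${CERT_DAYS:-9999}"
KEY_BITS="${KEY_BITS:-4096}"
CERT_DIR="${CERT_DIR:-$HOME/certs}"
DOCKER_CERT_DIR="/etc/docker/certs.d/${TLS_HOST}:${TLS_PORT}"

# --- Working directory --------------------------------------------------------
# Keys are written with the current umask before the chmod below runs; start
# restrictive so they are never group/world readable, even briefly.
umask 077
mkdir -p -- "$CERT_DIR"
cd -- "$CERT_DIR"
# Re-running would silently replace the CA and invalidate every issued cert.
[[ -e ca-key.pem ]] && die "ca-key.pem already exists in $CERT_DIR; refusing to overwrite"

# --- CA -----------------------------------------------------------------------
# Passphrase-protected CA key and self-signed CA certificate
openssl genrsa -aes256 -out ca-key.pem "$KEY_BITS"
openssl req -new -x509 -days "$CERT_DAYS" -key ca-key.pem -sha256 -out ca.pem

# --- Server -------------------------------------------------------------------
openssl genrsa -out server-key.pem "$KEY_BITS"
openssl req -subj "/CN=${TLS_HOST}" -sha256 -new -key server-key.pem -out server.csr
# SAN must cover every name/address clients will pass in --host; serverAuth only,
# so this cert cannot be presented as a client cert.
printf '%s\n' \
  "subjectAltName = DNS:${TLS_HOST},IP:${TLS_HOST_IP},IP:127.0.0.1" \
  'extendedKeyUsage = serverAuth' > extfile.cnf
openssl x509 -req -days "$CERT_DAYS" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf

# --- Client -------------------------------------------------------------------
openssl genrsa -out key.pem "$KEY_BITS"
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
# clientAuth only: the client cert cannot be reused to impersonate the server
printf '%s\n' 'extendedKeyUsage = clientAuth' > extfile.client.cnf
openssl x509 -req -days "$CERT_DAYS" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile.client.cnf

# Signing requests are no longer needed
rm -v -- *.csr
# Private keys: owner read-only. Certificates are public.
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

# --- Install for dockerd ------------------------------------------------------
# Only the CA cert and the server key+cert are needed by the daemon; the CA key
# and the client key stay in $CERT_DIR.
sudo mkdir -p -- "$DOCKER_CERT_DIR"
sudo cp -- ca.pem server-cert.pem server-key.pem "$DOCKER_CERT_DIR"

# dockerd rejects 'hosts' given both as a -H flag and in daemon.json, so the
# '-H fd://' must leave ExecStart. A systemd drop-in survives package upgrades,
# whereas editing /lib/systemd/system/docker.service in place does not.
dockerd_bin="$(command -v dockerd)" || die "dockerd not found in PATH"
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/override.conf >/dev/null <<EOL
[Service]
ExecStart=
ExecStart=${dockerd_bin}
EOL

# Keep a copy of any existing daemon.json instead of silently overwriting it
if sudo test -e /etc/docker/daemon.json; then
  sudo cp -- /etc/docker/daemon.json "/etc/docker/daemon.json.bak.$(date +%s)"
fi
# tlsverify: the daemon only accepts clients presenting a cert signed by ca.pem;
# any such cert is root-equivalent on this host, which is why ca-key.pem must
# stay protected.
sudo tee /etc/docker/daemon.json <<EOL
{
  "tlsverify": true,
  "tlscacert": "${DOCKER_CERT_DIR}/ca.pem",
  "tlscert": "${DOCKER_CERT_DIR}/server-cert.pem",
  "tlskey": "${DOCKER_CERT_DIR}/server-key.pem",
  "hosts": ["fd://", "${LISTEN_ADDR}:${TLS_PORT}"]
}
EOL

# --- Reload and restart -------------------------------------------------------
sudo systemctl daemon-reload
sudo systemctl restart docker

# --- Client test --------------------------------------------------------------
# Copy ca.pem, cert.pem and key.pem (never ca-key.pem) to the client machine and
# run the printed command there.
printf 'Done. Test from a client with:\n  docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem --host=%s:%s version\n' \
  "$TLS_HOST" "$TLS_PORT"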