How to enable TLS and CA authentication in Docker

Preface: exposing the Docker daemon directly on port 2375 is unsafe. The remote API has no authentication of its own, so anyone who can reach the port controls the daemon, and through it the host (starting a privileged container or bind-mounting / is enough). The following shows how to enable TLS with CA-signed client certificates for the daemon, and then how to connect to it from Jenkins and Portainer.

1. Generate the certificates

Check the server host name. It goes into the server certificate and is the only name clients will later be able to connect with.

hostname 

auto-generate-docker-tls-ca.sh

#!/bin/bash
# Generate TLS and CA certificates in one click
# Create : 2021-08-25
# Update : 2021-08-25
# @Author : wuduoqiang
set -e

# Server host name (must be the name clients connect with)
SERVER="6c377ffb8e86"
# Passphrase for the CA private key
PASSWORD="2cx&BUjsV4u%3TW9"
# Country
COUNTRY="CN"
# Province
STATE="Hainan Province"
# City
CITY="Haikou"
# Organization name
ORGANIZATION="Xiao Qiangzi Company"
# Organizational unit
ORGANIZATIONAL_UNIT="Little Qiangzi Unit"
# Email
EMAIL="[email protected]"

# Generate CA key (encrypted with the passphrase)
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out ca-key.pem 2048

# Generate CA certificate (self-signed, valid 10 years)
openssl req -new -x509 -passin "pass:$PASSWORD" -days 3650 -key ca-key.pem -sha256 -out ca-cert.pem \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL"

# Generate server key
openssl genrsa -out server-key.pem 2048

# Generate the certificate signing request for the server
openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server-req.csr

# Generate server certificate. The subjectAltName is required: current Docker clients
# (built with Go 1.15 or later) ignore the CN and match the host name only against SANs.
echo "subjectAltName=DNS:$SERVER" > extfile.cnf
echo "extendedKeyUsage=serverAuth" >> extfile.cnf
openssl x509 -req -days 3650 -sha256 -in server-req.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem -extfile extfile.cnf

# Generate client key
openssl genrsa -out client-key.pem 2048

# Generate the certificate signing request for the client
openssl req -subj '/CN=client' -new -key client-key.pem -out client-req.csr

# Generate client certificate, restricted to client authentication so it can never pass as a server
echo "extendedKeyUsage=clientAuth" > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in client-req.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -passin "pass:$PASSWORD" -CAcreateserial -out client-cert.pem -extfile extfile.cnf

# Change key permissions
chmod 0400 ca-key.pem server-key.pem client-key.pem
# Change certificate permissions
chmod 0444 ca-cert.pem server-cert.pem client-cert.pem
# Delete intermediate files
# rm ca-cert.srl client-req.csr server-req.csr extfile.cnf

File Description

ca-cert.srl: serial number record created by -CAcreateserial (named after the CA certificate file)
ca-cert.pem: CA certificate
ca-key.pem: CA private key (passphrase protected; never copied to the daemon host or to clients)
server-key.pem: server private key
server-req.csr: server certificate signing request
server-cert.pem: server certificate
client-key.pem: client private key
extfile.cnf: certificate extension configuration passed to openssl x509 -extfile
client-req.csr: client certificate signing request
client-cert.pem: client certificate

Command analysis

# -subj /C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL
-subj sets the subject (the applicant) of the certificate:
C is the Country Name
ST is the State or Province Name
L is the Locality Name
O is the Organization Name
OU is the Organizational Unit Name
CN is the Common Name
emailAddress is the Email Address

For the server certificate the CN (and the subjectAltName) must be the host name clients connect with; for the client certificate the CN is only a label. The script also gives the CA certificate the server host name as its CN; that works because the full subject still differs, but a distinct CN such as docker-ca makes the CA easier to recognise when inspecting a chain.

2. Enable remote access

Enable the Docker daemon's remote API over TLS. First copy ca-cert.pem, server-cert.pem and server-key.pem to /etc/docker on the daemon host; ca-key.pem stays offline (it is only needed to sign further certificates) and the client files go to the clients.

# Edit the unit file
vim /etc/systemd/system/docker.service
# Modify the ExecStart line; the paths must point to where the certificate files were copied
ExecStart=/usr/bin/dockerd \
--tlsverify \
--tlscacert=/etc/docker/ca-cert.pem \
--tlscert=/etc/docker/server-cert.pem \
--tlskey=/etc/docker/server-key.pem \
-H unix:///var/run/docker.sock \
-H tcp://0.0.0.0:2375
# Restart the service
systemctl daemon-reload && systemctl restart docker

--tlsverify makes the daemon require a client certificate signed by the CA in --tlscacert; --tls alone would only encrypt the connection and still admit anyone. The Docker convention is port 2376 for the TLS endpoint; this article keeps 2375. If /etc/docker/daemon.json also contains a "hosts" entry, dockerd refuses to start because the option is then given twice, so keep it in one place.
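Editing docker.service in place works, but on distributions that ship the unit under /lib/systemd/system the change is lost on the next package upgrade. A systemd drop-in is the usual way to keep it. The file below is an added example, not configuration from the article: the file name tls.conf is an arbitrary choice (any .conf in that directory is read), and the paths and port are the ones used above. The empty ExecStart= line is required, because ExecStart may be given only once for this service type and must be cleared before it is redefined.

```ini
# /etc/systemd/system/docker.service.d/tls.conf  (added example; the file name is arbitrary)
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd \
  --tlsverify \
  --tlscacert=/etc/docker/ca-cert.pem \
  --tlscert=/etc/docker/server-cert.pem \
  --tlskey=/etc/docker/server-key.pem \
  -H unix:///var/run/docker.sock \
  -H tcp://0.0.0.0:2375
```

Apply it with systemctl daemon-reload && systemctl restart docker, then confirm with systemctl cat docker (which prints the unit with the drop-in merged in) and ss -tlnp | grep 2375.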

Without the key and certificate the connection fails, because the daemon now only speaks TLS:

docker -H 192.168.8.248:2375 images

Using the host name without the key and certificate fails in the same way:

docker -H 6c377ffb8e86:2375 images

With the key and certificate but connecting by IP address, the connection still fails: the server certificate is valid only for the host name it was issued for, and the client compares the address it connected to against that name. Adding IP:192.168.8.248 to the server certificate's subjectAltName would permit this; it is not done here.

curl https://192.168.8.248:2375/info --cert ./client-cert.pem --key ./client-key.pem --cacert ./ca-cert.pem

With the key and certificate and the host name, the request succeeds:

curl https://6c377ffb8e86:2375/info --cert ./client-cert.pem --key ./client-key.pem --cacert ./ca-cert.pem

The docker CLI needs the same three files, passed with --tlsverify, --tlscacert, --tlscert and --tlskey, or through the DOCKER_TLS_VERIFY, DOCKER_CERT_PATH (a directory containing ca.pem, cert.pem and key.pem) and DOCKER_HOST environment variables.
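The four outcomes above come from two checks: the client verifies the server certificate against the CA and matches the name it connected with against that certificate, and the daemon verifies the client certificate against the same CA. The Go program below is an added example, not code from the article or from Docker. It builds the same CA, server and client certificates in memory (section 1) and replays the four attempts of section 2 against an in-process stand-in for dockerd --tlsverify, using Go's crypto/tls, which is also what the Docker daemon and client are built on. Assumptions: the host name 6c377ffb8e86 is the page's, the CA name docker-ca, the request text and the loopback listener are constructed, ECDSA P-256 keys stand in for the script's RSA keys, and the server certificate carries a DNS subjectAltName because Go clients no longer match the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const ServerName = "6c377ffb8e86" // stands in for the page's daemon host name (constructed value)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent (self-signed when parent is nil), like the script's openssl req / x509 -req steps.
func issue(tmpl *x509.Certificate, parent *tls.Certificate) tls.Certificate {
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	check(err)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = serial, time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// PKI is the in-memory counterpart of the page's ca-*, server-* and client-* .pem files.
type PKI struct {
	CA, Server, Client tls.Certificate
	Pool               *x509.CertPool
}

// BuildPKI mirrors the script: a CA, a server certificate valid only for the host name, a clientAuth-only client certificate.
func BuildPKI() *PKI {
	ca := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "docker-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
	srv := issue(&x509.Certificate{Subject: pkix.Name{CommonName: ServerName},
		DNSNames:    []string{ServerName}, // deliberately no IP SAN, as on the page
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, &ca)
	cli := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "client"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &PKI{ca, srv, cli, pool}
}

// Try runs a one-shot stand-in for "dockerd --tlsverify" on the loopback and connects to it (sni == "" means plain TCP).
// A request is sent and a reply awaited because under TLS 1.3 the daemon rejects a missing client certificate only after the client's handshake has completed.
func (p *PKI) Try(sni string, withClientCert bool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	tl := tls.NewListener(ln, &tls.Config{Certificates: []tls.Certificate{p.Server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.Pool})
	go func() { // daemon side: the handshake runs inside the first Read; echo until the client hangs up
		defer ln.Close()
		if c, err := tl.Accept(); err == nil {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second))
			io.Copy(c, c)
		}
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer c.Close()
	if sni != "" { // TLS client configured like "docker --tlsverify --tlscacert ... [--tlscert/--tlskey]"
		cfg := &tls.Config{RootCAs: p.Pool, ServerName: sni}
		if withClientCert {
			cfg.Certificates = []tls.Certificate{p.Client}
		}
		c = tls.Client(c, cfg)
	}
	if _, err = io.WriteString(c, "GET /info HTTP/1.0\r\n\r\n"); err == nil {
		_, err = c.Read(make([]byte, 64))
	}
	return err
}

func main() {
	p := BuildPKI()
	fmt.Println("plain tcp, no tls:", p.Try("", false))
	fmt.Println("tls by host name, no client cert:", p.Try(ServerName, false))
	fmt.Println("tls by ip, client cert:", p.Try("127.0.0.1", true))
	fmt.Println("tls by host name, client cert:", p.Try(ServerName, true))
}
```

go run prints one line per attempt. The first three end in an error (a closed connection for plain TCP, a "bad certificate" or "certificate required" alert from the daemon side when the client certificate is missing, and a client-side x509 error saying the certificate contains no IP SANs when connecting by address); only the host name plus client certificate case prints <nil>. Adding IPAddresses to the server template, the counterpart of an IP: entry in the script's subjectAltName, turns the third case into a success.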

3. Remote connection

3.1 Jenkins connection

Add credentials of the kind "Docker Host Certificate Authentication": the client key, the client certificate and the CA certificate.

Fill in the information.

Test the connection. The Docker host URI must use the host name (tcp://6c377ffb8e86:2375), not the IP address, because that is the only name the server certificate is valid for.

If Jenkins itself runs in a container, that container must be able to resolve the host name, so map it to the daemon's IP address with extra_hosts:

version: '3'
services:
  Jenkins:
    restart: always
    image: 192.168.8.247/xiaoqiangzai/jenkins:latest
    container_name: jenkins
    ports:
      - '8888:8080'
      - '50000:50000'
    volumes:
      - ./data/jenkins_home:/var/jenkins_home
      - ./data/war/jenkins.war:/usr/share/jenkins/jenkins.war
    environment:
      JENKINS_OPTS: "--prefix=/jenkins"
    extra_hosts:
      - "6c377ffb8e86:192.168.8.248"

3.2 Portainer connection

Add the daemon as a Docker endpoint with TLS enabled and select the client key, the client certificate and the CA certificate; the endpoint address must again be the host name, not the IP.

Connection OK

If Portainer runs in a container, map the host name the same way. The privileged: true in the file below is not needed for connecting to a remote daemon over TLS and is better left out.

version: '3'
services:
  Portainer:
    restart: always
    image: portainer/portainer-ce:latest
    container_name: portainer
    privileged: true
    ports:
      - '9000:9000'
    volumes:
      - ./data/data:/data
      - ./data/public:/public
    extra_hosts:
      - "6c377ffb8e86:192.168.8.248"

This is the end of this article about enabling TLS and CA authentication in Docker. For more on the topic, see the related articles on 123WORDPRESS.COM.
