How to enable TLS and CA authentication in Docker

1. Generate a certificate
2. Enable remote
3. Remote Connection

3.1 Jenkins connection
3.2 Portainer connection

Preface: It is unsafe for Docker to directly open port 2375. Others can do anything as long as they connect to it. The following is how to enable TLS and CA authentication for Docker, and connect it using Jenkins and Portainer.

1. Generate a certificate

Check the server host name

hostname

auto-generate-docker-tls-ca.sh

# !/bin/bash

# Generate TLS and CA certificates in one click# Create : 2021-08-25
# Update : 2021-08-25
# @Autor : wuduoqiang

# Server host name SERVER="6c377ffb8e86"
# Password PASSWORD="2cx&BUjsV4u%3TW9"
# Country COUNTRY="CN"
# Province STATE="Hainan Province"
# City CITY="Haikou"
# Organization name ORGANIZATION="Xiao Qiangzi Company"
# Organizational unit ORGANIZATIONAL_UNIT="Little Qiangzi Unit"
# Email EMAIL="[email protected]"

# Generate CA key openssl genrsa -aes256 -passout pass:$PASSWORD -out ca-key.pem 2048

# Generate CA certificate openssl req -new -x509 -passin "pass:$PASSWORD" -days 3650 -key ca-key.pem -sha256 -out ca-cert.pem -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL"

# Generate server key openssl genrsa -out server-key.pem 2048

# Generate a request file for signing the server certificate openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server-req.csr

# Generate server certificate openssl x509 -req -days 3650 -in server-req.csr -CA ca-cert.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem

# Generate client key openssl genrsa -out client-key.pem 2048

# Generate a client certificate signature request file openssl req -subj '/CN=client' -new -key client-key.pem -out client-req.csr

# Generate client certificate sh -c 'echo "extendedKeyUsage=clientAuth" >> extfile.cnf'
openssl x509 -req -days 3650 -in client-req.csr -CA ca-cert.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out client-cert.pem -extfile extfile.cnf

# Change key permissions chmod 0400 ca-key.pem server-key.pem client-key.pem
# Change certificate permissions chmod 0444 ca-cert.pem server-cert.pem client-cert.pem
# Delete useless files# rm ca-cert.srl client-req.csr server-req.csr extfile.cnf

File Description

ca.srl: CA certificate serial number record fileca-cert.pem: CA certificateca-key.pem: CA keyserver-key.pem: server keyserver-req.csr: server certificate signing request fileserver-cert.pem: server certificateclient-key.pem: client keyextfile.cnf: client certificate extension configuration fileclient-req.csr: client certificate signing request fileclient-cert.pem: client certificate

Command analysis

# -subj /C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL
-subj is the information of the specified certificate applicant C is the Country Name
ST is State or Province Name
L stands for Locality Name
O is Organization Name
OU is Organizational Unit Name
CN is Common Name
emailAddress is the Email Address

2. Enable remote

Enable Docker's remote access API

# Edit the file vim /etc/systemd/system/docker.service
# Modify the content, pay attention to the specified location of the certificate ExecStart=/usr/bin/dockerd \
--tlsverify \
--tlscacert=/etc/docker/ca-cert.pem \
--tlscert=/etc/docker/server-cert.pem \
--tlskey=/etc/docker/server-key.pem \
-H unix:///var/run/docker.sock \
-H tcp://0.0.0.0:2375
# Restart the service systemctl daemon-reload && systemctl restart docker

If you don't have the key and certificate, you can't connect

docker -H 192.168.8.248:2375 images

You can't connect using the host name without a key and certificate.

docker -H 6c377ffb8e86:2375 images

In addition, the key and certificate cannot be connected without using the host name

curl https://192.168.8.248:2375/info --cert ./client-cert.pem --key ./client-key.pem --cacert ./ca-cert.pem

Add the key and certificate and access it using the host name

curl https://6c377ffb8e86:2375/info --cert ./client-cert.pem --key ./client-key.pem --cacert ./ca-cert.pem

3. Remote Connection

3.1 Jenkins connection

Add Credentials

Fill in the information

Test the connection, note that the host name should be used here

If Jenkins is installed by Docker, you need to map the host name

version: '3'
services:
  Jenkins:
    restart: always
    image: 192.168.8.247/xiaoqiangzai/jenkins:latest
    container_name: jenkins
    ports:
      - '8888:8080'
      - '50000:50000'
    volumes:
      - ./data/jenkins_home:/var/jenkins_home
      - ./data/war/jenkins.war:/usr/share/jenkins/jenkins.war
    environment:
      JENKINS_OPTS: "--prefix=/jenkins"
    extra_hosts:
      - "6c377ffb8e86:192.168.8.248"

3.2 Portainer connection

Select the client key and certificate and the CA certificate

Connection OK

If Portainer is installed with docker, you need to map the host name

version: '3'
services:
  Portainer:
    restart: always
    image: portainer/portainer-ce:latest
    container_name: portainer
    privileged: true
    ports:
      - '9000:9000'
    volumes:
      - ./data/data:/data
      - ./data/public:/public
    extra_hosts:
      - "6c377ffb8e86:192.168.8.248"

This is the end of this article about the steps to enable TLS and CA authentication in Docker. For more information about enabling TLS and CA authentication in Docker, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:

Detailed example of remotely connecting to Docker using TLS encrypted communication
Implementation of one-click TLS encryption for docker remote api
Docker deploys mysql remote connection to solve 2003 problems
Docker enables secure TLS remote connection access

<<: HTML meta viewport attribute detailed description

>>: Writing daily automatic backup of MySQL database using mysqldump in Centos7

A brief discussion on the performance issues of MySQL paging limit

How to enable TLS and CA authentication in Docker

Table of contents

1. Generate a certificate

2. Enable remote

3. Remote Connection

3.1 Jenkins connection

3.2 Portainer connection

A brief discussion on the performance issues of MySQL paging limit

Optimize MySQL with 3 simple tweaks

How to develop uniapp using vscode

Vue implements various ideas for detecting sensitive word filtering components

Solution to MySQL root password error number 1045

Solution to the problem that the page is blank when opening the page with source file in IE7

Use Docker to build a Git image using the clone repository

In-depth understanding of the use of CSS clear:both

More popular and creative dark background web design examples

MySQL 8.0.13 free installation version configuration tutorial under Windows environment

Recommend

SQL serial number acquisition code example

Example analysis of mysql stored procedure usage

Detailed graphic tutorial on installing and uninstalling Tomcat8 on Linux

Detailed process of upgrading glibc dynamic library in centos 6.9

JavaScript function call classic example code

MYSQL development performance research: optimization method for batch inserting data

View MySQL installation information under Linux server

Solution to the Mysql ERROR 1045 (28000): Access denied for user root@localhost problem in Ubuntu system

Practice of deploying web applications written in Python with Docker

Detailed graphic explanation of setting up routing and virtual machine networking in Linux

Example explanation of alarm function in Linux

CSS to achieve compatible text alignment in different browsers

Solution to the problem that the configuration file my.cnf in MySQL cannot be started due to permission issues

How to configure whitelist access in mysql

Vue implements the product tab of the product details page function