Detailed example of remotely connecting to Docker using TLS encrypted communication

By default, Docker runs over a non-networked UNIX socket. It can also use HTTP sockets for optional communication.
If you need to access Docker over the network in a secure manner, you can enable TLS by specifying the Docker flag to point to a trusted CA certificate.
In daemon mode, it only allows connections from clients that are authenticated by a certificate signed by this CA. In client mode, it only connects to servers that have a certificate signed by that CA.

# Create CA certificate directory [root@localhost ~]# mkdir tls
[root@localhost ~]# cd tls/
# Create CA key [root@localhost tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................................++
.....................................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
# Create CA certificate [root@localhost tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
Total dosage 8
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
# Create server private key [root@localhost tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................................................................++
..................++
e is 65537 (0x10001)
[root@localhost tls]# ll
Total dosage 12
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 3243 12月3 19:03 server-key.pem
# Sign the private key [root@localhost tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
[root@localhost tls]# ll
Total dosage 16
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 1574 12月3 19:04 server.csr
-rw-r--r--. 1 root root 3243 12月3 19:03 server-key.pem
Sign with CA certificate and private key, enter the password set above [root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem:
#Generate client key [root@localhost tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
....................................................................................................................................++
.................................++
e is 65537 (0x10001)
#Sign the client [root@localhost tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
#Create configuration file [root@localhost tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
#Sign certificate [root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
Total dosage 40
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 17 December 3 19:35 ca.srl
-rw-r--r--. 1 root root 1696 Dec 3 19:35 cert.pem
-rw-r--r--. 1 root root 1582 December 3 19:29 client.csr
-rw-r--r--. 1 root root 28 12月3 19:32 extfile.cnf
-rw-r--r--. 1 root root 3243 December 3 19:08 key.pem
-rw-r--r--. 1 root root 1647 Dec 3 19:08 server-cert.pem
-rw-r--r--. 1 root root 1574 12月3 19:04 server.csr
-rw-r--r--. 1 root root 3243 12月3 19:03 server-key.pem
# Delete unnecessary files [root@localhost tls]#

Testing on the client

[root@client ~]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
Client: Docker Engine - Community
 Version: 19.03.13
 API version: 1.40
 Go version: go1.13.15
 Git commit: 4484c46d9d
 Built: Wed Sep 16 17:03:45 2020
 OS/Arch: linux/amd64
 Experimental: false

Server: Docker Engine - Community
 Engine:
 Version: 19.03.13
 API version: 1.40 (minimum version 1.12)
 Go version: go1.13.15
 Git commit: 4484c46d9d
 Built: Wed Sep 16 17:02:21 2020
 OS/Arch: linux/amd64
 Experimental: false
 containerd:
 Version: 1.3.9
 GitCommit: ea765aba0d05254012b0b9e595e995c09186427f
 runc:
 Version: 1.0.0-rc10
 GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
 Version: 0.18.0
 GitCommit: fec3683

This concludes this article about using TLS encrypted communication to remotely connect to Docker. For more information about TLS encrypted remote connection to Docker, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:

Docker enables secure TLS remote connection access
How to set up vscode remote connection to server docker container
Docker deploys mysql remote connection to solve 2003 problems
Tutorial on installing MySQL with Docker and implementing remote connection
Docker deploys mysql to achieve remote connection sample code
Detailed explanation of docker daemon remote connection settings
Implementation example of Docker remote connection settings

<<: HTML table tag tutorial (26): cell tag

>>: How to forget the root password in Mysql8.0.13 under Windows 10 system

Highly recommended! Setup syntax sugar in Vue 3.2

Blog

MySQL Basic Tutorial: Detailed Explanation of DML Statements

Blog

When installing a virtual machine on Thinkpad VMware, the message "This host supports Intel VT-x, but Intel VT-x is disabled" appears (problem solution)

Blog

Native js implements custom scroll bar component

Detailed example of remotely connecting to Docker using TLS encrypted communication

Highly recommended! Setup syntax sugar in Vue 3.2

MySQL Basic Tutorial: Detailed Explanation of DML Statements

When installing a virtual machine on Thinkpad VMware, the message "This host supports Intel VT-x, but Intel VT-x is disabled" appears (problem solution)

Native js implements custom scroll bar component

Example of how to configure nginx to implement SSL

Solve the problem that the Node.js mysql client does not support the authentication protocol

Solve the problem of margin merging

Introduction to the difference between on and where conditions in MySQL left join operation

Solution for front-end browser font size less than 12px

Introduction to install method in Vue

Recommend

MySQL implements enterprise-level log management, backup and recovery practical tutorial

Summary of Problems in Installation and Usage of MySQL 5.7.19 Winx64 ZIP Archive

Method for realizing Internet interconnection by VMware virtual machine bridging

HTML Tutorial: Collection of commonly used HTML tags (5)

8 ways to manually and automatically backup your MySQL database

linux exa command (better file display experience than ls)

25 Vue Tips You Must Know

Detailed steps to install web server using Apache httpd2.4.37 on centos8

Detailed explanation of CSS style sheets and format layout

Detailed usage of docker-maven-plugin

New usage of watch and watchEffect in Vue 3

Recommended plugins and usage examples for vue unit testing

MySQL database Load Data multiple uses

TypeScript namespace explanation

mysql-8.0.15-winx64 uses the zip package to install and the service is shut down immediately after starting