My process for setting up client authentication.
I use my Personal Infrastructure CAClientCerts utilities.
Create a new CA
Create a brand new CA. Make its name match the host of the docker machine to control. The server key can have a password.
Create server Certs
Create the server Certs.
Copy files to server
I put the files in the following locations:
- /var/docker/ca.pem
- /var/docker/server-cert.pem
- /var/docker/server-key.pem
Root ownership and permissions on these files seem to be OK.
I also create the file /etc/docker/daemon.json so the daemon uses these options:

    {
      "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
      "tlscacert": "/var/docker/ca.pem",
      "tlscert": "/var/docker/server-cert.pem",
      "tlskey": "/var/docker/server-key.pem",
      "tlsverify": true
    }
https://docs.docker.com/engine/security/https/#secure-by-default
Test the settings:
- sudo systemctl stop docker
- sudo dockerd
(In a new shell session)
- # Test that socket connections still work
- docker version
- # Test that a plain TCP connection fails (should give a no-TLS error)
- docker -H=127.0.0.1:2376 version
- # Test the connection with the client keys
- CLICERTDIR=<tmp location where the client certs were placed>
- docker --tlsverify --tlscacert=/var/docker/ca.pem --tlscert=${CLICERTDIR}/client-cert.pem --tlskey=${CLICERTDIR}/client-key.pem -H=127.0.0.1:2376 version
Utils:
View errors:
- sudo journalctl -fu docker.service
I found the systemd service file by looking at the output from:
- systemctl status docker
It was /lib/systemd/system/docker.service. I then removed the -H flag. Then ran:
- systemctl daemon-reload
This setup dies when the certificate expires.
View the certificate:
- keytool -printcert -file certificate.pem (must copy the cert locally)
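Because the setup stops working once the certificate expires, here is an added, stdlib-only check (not part of the notes or of the CAClientCerts utilities) that reports the notBefore/notAfter of a PEM certificate by walking the DER structure Certificate -> tbsCertificate -> validity. The file paths in the main block are the ones from the notes above; SAMPLE_PEM is a constructed stub with only the fields the walker needs, not a real signed certificate.

```python
import base64, ssl
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield the TLVs nested directly inside a constructed element."""
    while start < end:
        tag, vstart, vend = _tlv(buf, start)
        yield tag, vstart, vend
        start = vend

def _time(buf, tag, start, end):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(pem):
    """Return (notBefore, notAfter) as UTC datetimes from a PEM certificate string."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    _, cs, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, cs)              # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:               # skip the optional [0] EXPLICIT version
        fields.pop(0)
    _, vs, ve = fields[3]                  # serialNumber, signature, issuer, validity
    (t1, s1, e1), (t2, s2, e2) = _children(der, vs, ve)
    return _time(der, t1, s1, e1), _time(der, t2, s2, e2)

def days_left(pem, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_validity(pem)[1] - now).days

def _der(tag, body):
    """Minimal DER encoder (short-form lengths only) used to build the constructed sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample (not a real certificate): version, serial, empty signature/issuer,
# validity 2020-01-01 .. 2049-01-01 as UTCTime.
_tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
        + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"490101000000Z")))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_der(0x30, _der(0x30, _tbs))).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for path in ("/var/docker/ca.pem", "/var/docker/server-cert.pem"):  # paths from the notes
        with open(path) as f:
            print(path, "expires in", days_left(f.read()), "days")
```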