This document walks through enabling TLS (often still called SSL) on the Docker host's remote API, and the configuration steps that follow within FlexDeploy.

Generating Certificates

To secure API calls to the Docker host we will configure a TLS connection, with client-certificate authentication, using a self-signed CA. First check that the openssl package is installed on your docker host system. Then create the certificates by running the following commands on the docker host machine.

1. Generate CA private key: This will generate a ca-key.pem file, the private key of the CA that signs every other certificate in this procedure. You will be prompted for a pass phrase for ca-key.pem; it is needed again whenever the CA key signs something (steps 2, 4 and 5), so keep it somewhere safe.

Command:
    openssl genrsa -aes256 -out ca-key.pem 4096

Prompts:
    Enter pass phrase for ca-key.pem:
    Verifying - Enter pass phrase for ca-key.pem:

2. Generate CA: This will generate the ca.pem file, the CA certificate that FlexDeploy will later use to verify the Docker host. You will be asked for the pass phrase given to ca-key.pem as well as the Distinguished Name fields for the certificate. Most can be left blank. This document uses the FQDN of the docker host machine as the Common Name, but note that a CA's Common Name is only a label: host-name verification is done against the server certificate created in step 3, so any descriptive CA name also works.

Command:
    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
    
Prompts:
    Enter pass phrase for ca-key.pem:
    
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:docker.acme.com  //This document uses the FQDN of the docker host machine; any descriptive CA name will also work.
    Email Address []:
    

3. Generate server key and CSR: This will generate the server-key.pem and server.csr files. The server key is created without a pass phrase, because the Docker daemon must be able to load it unattended at start-up. Replace docker.acme.com in the second command with your docker host FQDN; this is the name clients will verify when they connect.

Command:
    openssl genrsa -out server-key.pem 4096
    
    openssl req -subj "/CN=docker.acme.com" -sha256 -new -key server-key.pem -out server.csr

4. Sign server CSR with CA: We will now sign the CSR we just created with the CA that we generated earlier. This will create the server-cert.pem file. Current Docker clients (built with Go 1.15 or later) ignore the Common Name for host-name verification and require a subjectAltName extension, so we also supply an extension file that lists the host FQDN (plus any IP addresses clients may connect to) and restricts the certificate to server use. Replace docker.acme.com and the placeholder address 10.10.10.20 with your host's FQDN and IP address.

Command:
    echo "subjectAltName = DNS:docker.acme.com,IP:10.10.10.20,IP:127.0.0.1" > extfile.cnf
    echo "extendedKeyUsage = serverAuth" >> extfile.cnf
    
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -extfile extfile.cnf -out server-cert.pem
    
Prompts:
    Signature ok
    subject=CN = docker.acme.com
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:

5. Generate client certificate: This will generate the key.pem, client.csr, and cert.pem files that FlexDeploy presents to the Docker host. The certificate is restricted to client use (extendedKeyUsage = clientAuth) so that it can never be used to impersonate the daemon. You will need to enter the pass phrase for the ca-key.pem that we created earlier.

Command:
    openssl genrsa -out key.pem 4096
    
    openssl req -subj '/CN=client' -sha256 -new -key key.pem -out client.csr
    
    echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
    
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -extfile extfile-client.cnf -out cert.pem 
    
Prompts:
    Enter pass phrase for ca-key.pem:

6. Configure daemon to enable TLS: To use the certificates we created, copy ca.pem and server-cert.pem to /etc/ssl/certs and server-key.pem to /etc/ssl/private (owned by root, mode 0400 for the key), then create or update /etc/systemd/system/docker.service.d/override.conf with the following content, adjusting the paths if you placed the files elsewhere. The daemon needs only these three files; the CSR and extension files can be deleted, and ca-key.pem should be kept off the host, or at least readable by root only, because anyone holding it can issue new client certificates. Note that this binds the API on all interfaces (0.0.0.0:2376) and that with --tlsverify any holder of a CA-signed client certificate is effectively root on the host, so restrict port 2376 with a firewall to the FlexDeploy server's address.

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/ssl/certs/ca.pem --tlscert=/etc/ssl/certs/server-cert.pem --tlskey=/etc/ssl/private/server-key.pem

7. Reload systemd: After changing the override.conf we will need to reload the configuration for systemd and restart the service.

Commands:
    sudo systemctl daemon-reload
    sudo systemctl restart docker.service
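The script below is an added example, not part of the original page and not FlexDeploy's or Docker's own tooling. It runs steps 1 through 5 above non-interactively (the CA pass phrase is read from the CA_PASS environment variable via openssl's env: syntax, so it never appears on the command line), adds the subjectAltName and extendedKeyUsage extensions the daemon and modern clients need, locks down the key files, and then verifies the result: both certificates chain to ca.pem, the server certificate names the host in its SAN and is limited to server use, and the client certificate is limited to client use. It assumes openssl is on PATH; docker.acme.com, 10.10.10.20 and the pass phrase change-me are placeholders.

```shell
#!/bin/sh
# Added example for this page (not FlexDeploy's or Docker's own tooling):
# steps 1-5 run non-interactively, with subjectAltName / extendedKeyUsage
# extensions added, followed by a verification pass over the resulting files.
# Assumptions (all placeholders): openssl is on PATH, the Docker host is
# docker.acme.com at 10.10.10.20, and the CA pass phrase comes from $CA_PASS.
set -eu

HOST="${HOST:-docker.acme.com}"        # FQDN of the Docker host (placeholder)
HOST_IP="${HOST_IP:-10.10.10.20}"      # IP clients may dial instead of the FQDN (placeholder)
OUT="${OUT:-$(mktemp -d)}"             # where the PEM files are written
CA_PASS="${CA_PASS:-change-me}"        # demo pass phrase; set a real one in the environment
export CA_PASS                         # handed to openssl as env:CA_PASS so it never shows in ps

# gen_certs: produce ca.pem, server-cert.pem/server-key.pem and cert.pem/key.pem in $OUT.
# Every command is chained with && so a failure anywhere fails the whole function.
gen_certs() (
  cd "$OUT" &&
  # 1-2. CA key (AES-256 protected) and self-signed CA certificate.
  #      The CA Common Name is only a label; host-name checks use the server cert.
  openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem 4096 2>/dev/null &&
  openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -passin env:CA_PASS \
      -subj "/CN=Docker host CA for $HOST" -out ca.pem &&
  # 3-4. Server key and CSR, signed with a SAN (required by Go >= 1.15 clients) and serverAuth.
  openssl genrsa -out server-key.pem 4096 2>/dev/null &&
  openssl req -new -sha256 -subj "/CN=$HOST" -key server-key.pem -out server.csr &&
  printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
      "$HOST" "$HOST_IP" > extfile.cnf &&
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -passin env:CA_PASS -CAcreateserial -extfile extfile.cnf -out server-cert.pem 2>/dev/null &&
  # 5. Client key and CSR, signed for clientAuth only so it can never pose as the daemon.
  openssl genrsa -out key.pem 4096 2>/dev/null &&
  openssl req -new -sha256 -subj "/CN=client" -key key.pem -out client.csr &&
  printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf &&
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -passin env:CA_PASS -CAcreateserial -extfile extfile-client.cnf -out cert.pem 2>/dev/null &&
  # Remove intermediates and make the private keys readable by their owner only.
  rm -f server.csr client.csr extfile.cnf extfile-client.cnf &&
  chmod 0400 ca-key.pem server-key.pem key.pem &&
  chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_certs: both certs chain to ca.pem, the server cert carries the host name as a SAN
# and is limited to server use, and the client cert is limited to client use.
verify_certs() (
  cd "$OUT" &&
  openssl verify -CAfile ca.pem server-cert.pem >/dev/null &&
  openssl verify -CAfile ca.pem cert.pem >/dev/null &&
  openssl x509 -in server-cert.pem -noout -text | grep -q "DNS:$HOST" &&
  openssl x509 -in server-cert.pem -noout -text | grep -q 'TLS Web Server Authentication' &&
  openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Client Authentication' &&
  ! openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Server Authentication'
)

# Stand-alone use: sh gen-docker-tls.sh run
if [ "${1:-}" = "run" ]; then
  gen_certs && verify_certs && echo "certificates written to $OUT"
fi
```

After the daemon has been restarted with the files from $OUT in place, the end-to-end check from a client machine that holds ca.pem, cert.pem and key.pem is `docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=docker.acme.com:2376 version`; if it prints the server version, the same three files are what FlexDeploy needs for its Docker host configuration, and the server key and CA key never leave the host.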
