Docker SSL Support

This document will walk through setting up SSL support for your docker host as well as configuration steps within FlexDeploy.

Generating Certificates

To secure the API calls to the Docker host we will configure a TLS connection using self-signed certificates. First check that the openssl package is installed on your docker host system. Then create the certificates by running the following commands on the docker host machine.

1. Generate CA private key: This will generate a ca-key.pem file that will be used as the key when creating your CA pem. You will need to enter a pass phrase for this ca-key.pem that will be used later.

Command:
    openssl genrsa -aes256 -out ca-key.pem 4096
Prompts:
    Enter pass phrase for ca-key.pem:
    Verifying - Enter pass phrase for ca-key.pem:

2. Generate CA: This will generate the ca.pem file. We will be using this later in FlexDeploy. You will be asked for the pass phrase given to the ca-key.pem as well as information for the certificate request. Most fields can be left blank, but the Common Name must be the FQDN of the docker host machine that you are running this on.

Command:
    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Prompts:
    Enter pass phrase for ca-key.pem:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:    <- enter the FQDN of the docker host machine
    Email Address []:

3. Generate server key and CSR: This will generate the server-key.pem and server.csr files. You will need to replace <docker-host-FQDN> in the second command with your docker host FQDN.

Commands:
    openssl genrsa -out server-key.pem 4096
    openssl req -subj "/CN=<docker-host-FQDN>" -sha256 -new -key server-key.pem -out server.csr

4. Sign server CSR with CA: We will now sign the CSR we just created with the CA that we generated earlier. This will create the server-cert.pem file. The subject printed will show the docker host FQDN you entered in step 3.

Command:
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Prompts:
    Signature ok
    subject=CN = <docker-host-FQDN>
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:

5. Generate client certificate: This will generate the key.pem, client.csr, and cert.pem files, and convert the client key to an unencrypted PKCS#8 DER file (key.der). You will need to enter the pass phrase for the ca-key that we created earlier.

Commands:
    openssl genrsa -out key.pem 4096
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem
    openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key.der -nocrypt
Prompts:
    Enter pass phrase for ca-key.pem:

6. Configure daemon to enable TLS: To use the certificates that we created, place them under /etc/ssl and update /etc/systemd/system/docker.service.d/override.conf with the following content, adjusting the paths to where you placed the files. Replace <docker-host-address> with the address the daemon should listen on; 2376 is the conventional port for the TLS-protected Docker API. The --tlsverify flag makes the daemon reject any client that does not present a certificate signed by ca.pem.

    [Service]
    ExecStart=
    ExecStart=/usr/bin/dockerd -H fd:// -H tcp://<docker-host-address>:2376 --tlsverify --tlscacert=/etc/ssl/certs/ca.pem --tlscert=/etc/ssl/certs/server-cert.pem --tlskey=/etc/ssl/private/server-key.pem

7. Reload systemd: After changing override.conf we will need to reload the systemd configuration and restart the service.

Commands:
    sudo systemctl daemon-reload
    sudo systemctl restart docker.service

8. Capture path of client certificate files: In order to add the certificates to FlexDeploy we will need to capture the paths of 3 files: ca.pem, cert.pem, and key.der. The paths of these files will be entered as input in the configuration for the Docker plugin.