diff options
Diffstat (limited to 'docs/sources/articles/https.md')
| -rw-r--r-- | docs/sources/articles/https.md | 109 |
1 files changed, 80 insertions, 29 deletions
diff --git a/docs/sources/articles/https.md b/docs/sources/articles/https.md index 81570105e6..8a7b2dea4c 100644 --- a/docs/sources/articles/https.md +++ b/docs/sources/articles/https.md @@ -1,6 +1,6 @@ -page_title: Docker HTTPS Setup -page_description: How to setup docker with https -page_keywords: docker, example, https, daemon +page_title: Running Docker with HTTPS +page_description: How to setup and run Docker with HTTPS +page_keywords: docker, docs, article, example, https, daemon, tls, ca, certificate # Running Docker with https @@ -11,9 +11,9 @@ If you need Docker reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker's tlscacert flag to a trusted CA certificate. -In daemon mode, it will only allow connections from clients -authenticated by a certificate signed by that CA. In client mode, it -will only connect to servers with a certificate signed by that CA. +In the daemon mode, it will only allow connections from clients +authenticated by a certificate signed by that CA. In the client mode, +it will only connect to servers with a certificate signed by that CA. > **Warning**: > Using TLS and managing a CA is an advanced topic. Please make you self @@ -31,25 +31,64 @@ keys: $ echo 01 > ca.srl $ openssl genrsa -des3 -out ca-key.pem 2048 + Generating RSA private key, 2048 bit long modulus + ......+++ + ...............+++ + e is 65537 (0x10001) + Enter pass phrase for ca-key.pem: + Verifying - Enter pass phrase for ca-key.pem: $ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem + Enter pass phrase for ca-key.pem: + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]:Queensland + Locality Name (eg, city) []:Brisbane + Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc + Organizational Unit Name (eg, section) []:Boot2Docker + Common Name (e.g. server FQDN or YOUR name) []:your.host.com + Email Address []:Sven@home.org.au Now that we have a CA, you can create a server key and certificate signing request. Make sure that "Common Name (e.g. server FQDN or YOUR name)" matches the hostname you will use to connect to Docker: $ openssl genrsa -des3 -out server-key.pem 2048 - $ openssl req -subj '/CN=**<Your Hostname Here>**' -new -key server-key.pem -out server.csr + Generating RSA private key, 2048 bit long modulus + ......................................................+++ + ............................................+++ + e is 65537 (0x10001) + Enter pass phrase for server-key.pem: + Verifying - Enter pass phrase for server-key.pem: + $ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr + Enter pass phrase for server-key.pem: -Next we're going to sign the key with our CA: +Next, we're going to sign the key with our CA: $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \ -out server-cert.pem + Signature ok + subject=/CN=your.host.com + Getting CA Private Key + Enter pass phrase for ca-key.pem: For client authentication, create a client key and certificate signing request: - $ openssl genrsa -des3 -out client-key.pem 2048 - $ openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr + $ openssl genrsa -des3 -out key.pem 2048 + Generating RSA private key, 2048 bit long modulus + ...............................................+++ + ...............................................................+++ + e is 65537 (0x10001) + Enter pass phrase for key.pem: + Verifying - Enter pass phrase for key.pem: + $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr + Enter pass phrase for key.pem: To make the key suitable for client authentication, create a extensions config file: @@ -59,13 +98,21 @@ config file: Now sign the key: $ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \ - -out client-cert.pem -extfile extfile.cnf + -out cert.pem -extfile extfile.cnf + Signature ok + subject=/CN=client + Getting CA Private Key + Enter pass phrase for ca-key.pem: Finally you need to remove the passphrase from the client and server key: $ openssl rsa -in server-key.pem -out server-key.pem - $ openssl rsa -in client-key.pem -out client-key.pem + Enter pass phrase for server-key.pem: + writing RSA key + $ openssl rsa -in key.pem -out key.pem + Enter pass phrase for key.pem: + writing RSA key Now you can make the Docker daemon only accept connections from clients providing a certificate trusted by our CA: @@ -76,32 +123,31 @@ providing a certificate trusted by our CA: To be able to connect to Docker and validate its certificate, you now need to provide your client keys, certificates and trusted CA: - $ docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \ - -H=dns-name-of-docker-host:2376 + $ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \ + -H=dns-name-of-docker-host:2376 version > **Note**: > Docker over TLS should run on TCP port 2376. > **Warning**: -> As shown in the example above, you don't have to run the -> `docker` client with `sudo` or -> the `docker` group when you use certificate -> authentication. That means anyone with the keys can give any -> instructions to your Docker daemon, giving them root access to the -> machine hosting the daemon. Guard these keys as you would a root -> password! +> As shown in the example above, you don't have to run the `docker` client +> with `sudo` or the `docker` group when you use certificate authentication. +> That means anyone with the keys can give any instructions to your Docker +> daemon, giving them root access to the machine hosting the daemon. Guard +> these keys as you would a root password! -## Secure By Default +## Secure by default -If you want to secure your Docker client connections by default, you can move the files -to the `.docker` directory in your home directory. Set the `DOCKER_HOST` variable as well. +If you want to secure your Docker client connections by default, you can move +the files to the `.docker` directory in your home directory - and set the +`DOCKER_HOST` variable as well. $ cp ca.pem ~/.docker/ca.pem - $ cp client-cert.pem ~/.docker/cert.pem - $ cp client-key.pem ~/.docker/key.pem + $ cp cert.pem ~/.docker/cert.pem + $ cp key.pem ~/.docker/key.pem $ export DOCKER_HOST=tcp://:2376 -Then you can just run docker with the `--tlsverify` option. +Then you can run Docker with the `--tlsverify` option. $ docker --tlsverify ps @@ -124,5 +170,10 @@ Docker in various other modes by mixing the flags. - tlsverify, tlscacert, tlscert, tlskey: Authenticate with client certificate, authenticate server based on given CA -The client will send its client certificate if found, so you just need -to drop your keys into ~/.docker/<ca, cert or key>.pem +If found, the client will send its client certificate, so you just need +to drop your keys into `~/.docker/<ca, cert or key>.pem`. Alternatively, +if you want to store your keys in another location, you can specify that +location using the environment variable `DOCKER_CONFIG`. + + $ export DOCKER_CERT_PATH=${HOME}/.docker/zone1/ + $ docker --tlsverify ps |