Forked from vmatekole/
Created August 2, 2022 22:55
Secure your Docker socket with TLS/SSL
# Generate self-signed certificates for the Docker socket. I have tried many tutorials, including
# None worked... So I took the official steps from the Docker docs and placed them
# in a script. Please ensure that you replace the IP addresses/DNS names denoted by X with the IPs and hostnames you wish to allow
# to connect to your daemon; normally is always required, along with the hostname of your server. If you have a CoreOS cluster,
# placing the IPs and hostnames of each node in one cert may be preferable to creating unique certs for each node.
# This script does not cover the steps for copying your certs to the relevant locations, as per the following document -
# 1. In our production setup we copy server-key.pem, server-cert.pem and ca-cert.pem to /etc/docker/ssl
# 2. Client certs (ca.pem, cert.pem, key.pem) are copied to the user's home dir, in our case user core: /home/core/.docker/certs
# 3. The Docker daemon options should include the following to set up the server certs, e.g. DOCKER_OPTS=-H -H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ssl/ca-cert.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem
# 4. All users wanting to access the Docker daemon should have the following environment variables set in their profile so their client connects with TLS and verifies the daemon's cert (without DOCKER_TLS_VERIFY the client ignores DOCKER_CERT_PATH and connects in plaintext, which a --tlsverify daemon rejects), e.g.:
# export DOCKER_HOST=tcp://
# export DOCKER_TLS_VERIFY=1
# export DOCKER_CERT_PATH=/home/core/.docker/certs
# CA: the root of trust that both the daemon and every client verify the other side against
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# Server (daemon) cert: clients match the name/IP in DOCKER_HOST against the subjectAltName entries,
# not the CN (Go-based clients such as the docker CLI ignore the CN), so every name and IP you
# will connect to must appear in extfile.cnf
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = IP:X.X.X.X,IP:,DNS:X,DNS:X > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
# Client cert: restricted to clientAuth so that a leaked client cert cannot be reused to impersonate the daemon
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile.cnf
# Remove the CSRs and lock down the private keys. ca-key.pem can mint new client certs that the daemon
# will accept, so keep it off the Docker host and out of the client cert directory
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
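The script above produces three artefacts, and the security of the setup rests on two checks the peers perform with them: the client verifies the daemon's cert against ca.pem and matches DOCKER_HOST against its subjectAltName, and a --tlsverify daemon verifies the client's cert against the same CA. The following is an added example, not code from the gist or from Docker: it rebuilds the same PKI with Go's crypto/x509 (the library the docker CLI and dockerd use for this) and runs those checks explicitly. The hostname docker01.example.test, the IP 10.0.0.5 and the CN values are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertKey is a signed certificate together with its private key.
type CertKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent's key (the openssl x509 -req -CA step),
// or self-signs it when parent is nil (the openssl req -x509 step).
func issue(tmpl *x509.Certificate, parent *CertKey) (*CertKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CertKey{Cert: cert, Key: key}, err
}

// MakePKI builds the gist's three artefacts: a self-signed CA, a daemon cert
// whose subjectAltName lists the allowed names and IPs, and a client cert
// limited to extendedKeyUsage=clientAuth. All names are hypothetical.
func MakePKI(dnsNames []string, ips []net.IP) (ca, server, client *CertKey, err error) {
	now := time.Now()
	base := func(serial int64, cn string) x509.Certificate {
		return x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Minute),
			NotAfter:     now.Add(365 * 24 * time.Hour), // -days 365
		}
	}
	caTmpl := base(1, "docker-ca")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if ca, err = issue(&caTmpl, nil); err != nil {
		return
	}
	srvTmpl := base(2, "docker-daemon")
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvTmpl.DNSNames = dnsNames // subjectAltName = DNS:...
	srvTmpl.IPAddresses = ips   // subjectAltName = IP:...
	if server, err = issue(&srvTmpl, ca); err != nil {
		return
	}
	cliTmpl := base(3, "client")
	cliTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // extendedKeyUsage = clientAuth
	client, err = issue(&cliTmpl, ca)
	return
}

// VerifyFor chains cert to ca the way a Go TLS peer does. serverName is
// matched against the SAN entries (empty skips the name check, which is how
// the daemon verifies clients); usage is the extended key usage the peer
// must be permitted (serverAuth for the daemon, clientAuth for a client).
func VerifyFor(ca, cert *x509.Certificate, serverName string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	ca, srv, cli, err := MakePKI([]string{"docker01.example.test"}, []net.IP{net.ParseIP("10.0.0.5")})
	if err != nil {
		panic(err)
	}
	fmt.Println("daemon cert, DNS name in SAN: ", VerifyFor(ca.Cert, srv.Cert, "docker01.example.test", x509.ExtKeyUsageServerAuth))
	fmt.Println("daemon cert, IP in SAN:       ", VerifyFor(ca.Cert, srv.Cert, "10.0.0.5", x509.ExtKeyUsageServerAuth))
	fmt.Println("daemon cert, name not in SAN: ", VerifyFor(ca.Cert, srv.Cert, "docker02.example.test", x509.ExtKeyUsageServerAuth))
	fmt.Println("client cert at --tlsverify:   ", VerifyFor(ca.Cert, cli.Cert, "", x509.ExtKeyUsageClientAuth))
	fmt.Println("client cert reused as daemon: ", VerifyFor(ca.Cert, cli.Cert, "docker01.example.test", x509.ExtKeyUsageServerAuth))
}
```

The third check is why every name and IP you will ever put in DOCKER_HOST has to be in the subjectAltName line of extfile.cnf: a name that is not there fails verification even though the cert chains to the CA, and the CN does not rescue it. The last check is what extendedKeyUsage = clientAuth buys: a client cert that leaks from a user's ~/.docker/certs cannot be turned into a fake daemon that other clients would trust, because it is rejected for serverAuth. A cert issued by any other CA, including a second run of this script, fails both checks with an unknown-authority error, which is the property --tlsverify relies on.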