@zero5100
Forked from mac2000/create-docker-tls.sh
Created March 1, 2018 00:57
Creating and setting up Docker for TLS
#!/bin/bash
# At the end you will have 6 files:
# ca/ca.pem - used by both client and server to verify each other's certificates
# ca/ca-key.pem - keep it secret; it can be used to issue new certificates that every peer will trust
# client/cert.pem, client/key.pem - together with ca/ca.pem, used by the client to talk to the server
# server/cert.pem, server/key.pem - together with ca/ca.pem, used by the server
#
# NOTICE: DO NOT FORGET to set your **Server** ip and dns in server/openssl.cnf (the [alt_names] section below) each time you generate new server certificates
#
# Original: http://tech.paulcz.net/2016/01/secure-docker-with-tls/
set -e   # stop at the first failing openssl command instead of carrying on with missing files
echo "Certificate Authority"
echo "---------------------"
echo
mkdir -p ca
openssl genrsa -out ca/ca-key.pem 2048
openssl req -x509 -new -nodes -key ca/ca-key.pem -days 3650 -out ca/ca.pem -subj '/CN=ca'
echo "Client Certificates"
echo "-------------------"
echo
mkdir -p client
# overwrite (not append) so a re-run does not leave duplicated sections in the config
cat << EOF | tee client/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
openssl genrsa -out client/key.pem 2048
openssl req -new -key client/key.pem -out client/cert.csr -subj '/CN=client' -config client/openssl.cnf
openssl x509 -req -in client/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out client/cert.pem -days 3650 -extensions v3_req -extfile client/openssl.cnf
rm -f client/cert.csr client/openssl.cnf   # was server/..., which left the client CSR and config behind
echo "Server Certificates"
echo "-------------------"
echo
mkdir -p server
cat << EOF | tee server/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = docker.rabota.local
IP.1 = 192.168.4.21
IP.2 = 127.0.0.1
EOF
openssl genrsa -out server/key.pem 2048
openssl req -new -key server/key.pem -out server/cert.csr -subj "/CN=server" -config server/openssl.cnf
openssl x509 -req -in server/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out server/cert.pem -days 3650 -extensions v3_req -extfile server/openssl.cnf
rm -f server/cert.csr server/openssl.cnf
zero5100 commented Mar 1, 2018

Usage Notes (Thank you to original authors!)

  1. On a dev machine, create a new folder to hold the certs and cd into it
  2. wget the script into the new folder and make it executable
  3. Change the [alt_names] section of the script to match the remote docker server (where the docker daemon is running)
  4. Run the script
  5. Run the following commands to set up the local dev env (replace $USER and docker-server with the remote user and remote server name)

On the local machine

mkdir -p ~/.docker/
cp {ca/ca.pem,client/cert.pem,client/key.pem} ~/.docker/
chmod 444 {~/.docker/ca.pem,~/.docker/cert.pem} && chmod 400 ~/.docker/key.pem
ssh $USER@docker-server mkdir -p /home/$USER/server-certs   # scp needs the target directory to exist
scp {ca/ca.pem,server/cert.pem,server/key.pem} $USER@docker-server:/home/$USER/server-certs

On the remote host (docker-server)

sudo cp {~/server-certs/ca.pem,~/server-certs/cert.pem,~/server-certs/key.pem} /etc/docker
sudo chmod 444 {/etc/docker/ca.pem,/etc/docker/cert.pem} && sudo chmod 400 /etc/docker/key.pem
rm -rf ~/server-certs/

Test the connection

DOCKER_HOST=tcp://docker-server:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=~/.docker/ docker info
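As an added example (not part of the gist or the original article), a set of shell checks to run on the ca/, client/ and server/ directories the script produces, before step 5 copies anything to ~/.docker or /etc/docker: it confirms both certificates chain to the CA, that the server SAN carries the name you will put in DOCKER_HOST, that the client certificate has clientAuth, that each key.pem belongs to its cert.pem, and that keys are chmod 400. The function names are made up, and it assumes openssl is in PATH.

```shell
# Added example, not part of the gist: sanity checks for the ca/, client/ and
# server/ directories the script produces. Function names are hypothetical;
# assumes openssl is in PATH. Run before copying anything to ~/.docker or /etc/docker.

# check_cert_chain CA_PEM CERT_PEM -> 0 if CERT_PEM chains to CA_PEM (matches the ": OK" text; old openssl always exited 0)
check_cert_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_has_san CERT_PEM ENTRY -> 0 if the SAN lists ENTRY exactly as openssl prints it, e.g. "DNS:docker.rabota.local" or "IP Address:192.168.4.21"
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' | grep -qx -- "$2"
}

# cert_has_eku CERT_PEM NAME -> 0 if extendedKeyUsage lists NAME, e.g. "TLS Web Client Authentication"
cert_has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q -- "$2"
}

# key_matches_cert KEY_PEM CERT_PEM -> 0 if the private key belongs to the certificate (compares SHA-256 of the DER public key from each file)
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_mode_ok KEY_PEM -> 0 if the private key is readable by its owner only (0400 or 0600)
key_mode_ok() {
    local m
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$m" = "400" ] || [ "$m" = "600" ]
}

# check_docker_tls DIR HOST -> runs every check against the script's layout under DIR; HOST is the name clients put in DOCKER_HOST
check_docker_tls() {
    local d=$1 host=$2
    check_cert_chain "$d/ca/ca.pem" "$d/server/cert.pem" || { echo "server cert not issued by ca/ca.pem"; return 1; }
    check_cert_chain "$d/ca/ca.pem" "$d/client/cert.pem" || { echo "client cert not issued by ca/ca.pem"; return 1; }
    cert_has_san "$d/server/cert.pem" "DNS:$host" || { echo "server cert SAN lacks DNS:$host"; return 1; }
    cert_has_eku "$d/client/cert.pem" "TLS Web Client Authentication" || { echo "client cert lacks clientAuth"; return 1; }
    key_matches_cert "$d/server/key.pem" "$d/server/cert.pem" || { echo "server key does not match cert"; return 1; }
    key_matches_cert "$d/client/key.pem" "$d/client/cert.pem" || { echo "client key does not match cert"; return 1; }
    key_mode_ok "$d/server/key.pem" && key_mode_ok "$d/client/key.pem" || { echo "key.pem files must be chmod 400"; return 1; }
}
```

These checks cover the files only; the daemon on docker-server must also be started with TLS verification enabled for port 2376 to demand the client certificate.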
