mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
doc: Improve article on HTTPS

* Adjust header to match _page_title
* Add instructions on deletion of CSRs and setting permissions
* Simplify some path expressions and commands
* Consequently use ~ instead of ${HOME}
* Precise formulation ('key' vs. 'public key')
* Fix wrong indentation of output of `openssl req`
* Use dash ('--') instead of minus ('-')

Remark on permissions: It's not a problem to `chmod 0400` the private keys, because the Docker daemon runs as root (can read the file anyway) and the Docker client runs as user.

Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
This commit is contained in: parent 10ab6dcb4f, commit 02a793c6a1
1 changed file with 40 additions and 25 deletions
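The commit message's remark on permissions argues that the private keys can be `chmod 0400` because only root (the daemon) and the owning user (the client) need to read them. As an added example, not part of this commit or of the Docker documentation, the following POSIX shell script checks that a directory laid out like the article's carries the modes the patch sets: 0400 on `ca-key.pem`, `key.pem` and `server-key.pem`, and 0444 on `ca.pem`, `cert.pem` and `server-cert.pem`. The file names come from the patch; the directory argument and the `check_docker_tls_dir` helper are assumptions, and the demo works on empty placeholder files created with `umask 022` rather than real keys, which also shows the 0644 mode such files start with.

```shell
#!/bin/sh
# Added example (not part of the commit or the Docker docs): verify that the
# key and certificate files named in the article carry the modes the patch sets.
# The directory layout is an assumption; the file names are the article's.

# Print the permission bits of a file as octal (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when every file in $1 (a space-separated list) has octal mode $2,
# 1 otherwise, naming each offender on stderr.
check_modes() {
    files=$1
    want=$2
    rc=0
    for f in $files; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            rc=1
            continue
        fi
        have=$(mode_of "$f")
        if [ "$have" != "$want" ]; then
            echo "$f: mode $have, expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Check a directory laid out like the article's: private keys 0400, certs 0444.
check_docker_tls_dir() {
    ( cd "$1" || exit 1
      check_modes "ca-key.pem key.pem server-key.pem" 400 &&
      check_modes "ca.pem cert.pem server-cert.pem" 444 )
}

# Demo on constructed empty files in a temporary directory (no real keys involved).
demo() {
    d=$(mktemp -d)
    # With umask 022 a newly created file is 0644: readable by everyone,
    # writable only by its owner (the group write bit is masked out).
    ( umask 022; cd "$d" && touch ca-key.pem key.pem server-key.pem ca.pem cert.pem server-cert.pem )
    before=$(mode_of "$d/ca-key.pem")
    # Apply the modes the article's patch recommends.
    chmod 0400 "$d"/ca-key.pem "$d"/key.pem "$d"/server-key.pem
    chmod 0444 "$d"/ca.pem "$d"/cert.pem "$d"/server-cert.pem
    if check_docker_tls_dir "$d"; then
        echo "all modes as expected (files started as $before)"
    fi
    rm -rf "$d"
}

demo
```

Run it against a real `~/.docker` by calling `check_docker_tls_dir ~/.docker`; a non-zero exit with the offending files on stderr is the signal that a key is still readable or writable more widely than the article intends.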
|
@ -40,20 +40,20 @@ First generate CA private and public keys:
|
||||||
Verifying - Enter pass phrase for ca-key.pem:
|
Verifying - Enter pass phrase for ca-key.pem:
|
||||||
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
|
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
|
||||||
Enter pass phrase for ca-key.pem:
|
Enter pass phrase for ca-key.pem:
|
||||||
You are about to be asked to enter information that will be incorporated
|
You are about to be asked to enter information that will be incorporated
|
||||||
into your certificate request.
|
into your certificate request.
|
||||||
What you are about to enter is what is called a Distinguished Name or a DN.
|
What you are about to enter is what is called a Distinguished Name or a DN.
|
||||||
There are quite a few fields but you can leave some blank
|
There are quite a few fields but you can leave some blank
|
||||||
For some fields there will be a default value,
|
For some fields there will be a default value,
|
||||||
If you enter '.', the field will be left blank.
|
If you enter '.', the field will be left blank.
|
||||||
-----
|
-----
|
||||||
Country Name (2 letter code) [AU]:
|
Country Name (2 letter code) [AU]:
|
||||||
State or Province Name (full name) [Some-State]:Queensland
|
State or Province Name (full name) [Some-State]:Queensland
|
||||||
Locality Name (eg, city) []:Brisbane
|
Locality Name (eg, city) []:Brisbane
|
||||||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
|
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
|
||||||
Organizational Unit Name (eg, section) []:Boot2Docker
|
Organizational Unit Name (eg, section) []:Boot2Docker
|
||||||
Common Name (e.g. server FQDN or YOUR name) []:$HOST
|
Common Name (e.g. server FQDN or YOUR name) []:$HOST
|
||||||
Email Address []:Sven@home.org.au
|
Email Address []:Sven@home.org.au
|
||||||
|
|
||||||
Now that we have a CA, you can create a server key and certificate
|
Now that we have a CA, you can create a server key and certificate
|
||||||
signing request (CSR). Make sure that "Common Name" (i.e., server FQDN or YOUR
|
signing request (CSR). Make sure that "Common Name" (i.e., server FQDN or YOUR
|
||||||
|
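Review bot: Both sides of this hunk are textually identical, so the change it carries is the indentation fix of the `openssl req` prompt output named in the commit message, and whitespace-only edits are invisible in this rendered view. Please confirm the re-indented lines still sit inside the surrounding code block: rendered as prose, the `-----` line would become a Markdown horizontal rule and the `Country Name (2 letter code) [AU]:` prompts plain text.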
@ -69,7 +69,7 @@ name) matches the hostname you will use to connect to Docker:
|
||||||
e is 65537 (0x10001)
|
e is 65537 (0x10001)
|
||||||
$ openssl req -subj "/CN=$HOST" -new -key server-key.pem -out server.csr
|
$ openssl req -subj "/CN=$HOST" -new -key server-key.pem -out server.csr
|
||||||
|
|
||||||
Next, we're going to sign the key with our CA:
|
Next, we're going to sign the public key with our CA:
|
||||||
|
|
||||||
$ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
|
$ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
|
||||||
-CAcreateserial -out server-cert.pem
|
-CAcreateserial -out server-cert.pem
|
||||||
|
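Review bot: The new wording `Next, we're going to sign the public key with our CA:` is still imprecise. The `openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem` command that follows signs the certificate signing request and emits `server-cert.pem`, which binds the server's public key and the `/CN=$HOST` subject under the CA's signature. Suggest "Next, we're going to sign the server CSR with our CA" (or "issue the server certificate"), which also reuses the CSR term introduced a few lines earlier.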
@ -93,7 +93,7 @@ config file:
|
||||||
|
|
||||||
$ echo extendedKeyUsage = clientAuth > extfile.cnf
|
$ echo extendedKeyUsage = clientAuth > extfile.cnf
|
||||||
|
|
||||||
Now sign the key:
|
Now sign the public key:
|
||||||
|
|
||||||
$ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
|
$ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
|
||||||
-CAcreateserial -out cert.pem -extfile extfile.cnf
|
-CAcreateserial -out cert.pem -extfile extfile.cnf
|
||||||
|
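Review bot: Same precision point as the server step: `Now sign the public key:` introduces `openssl x509 -req ... -in client.csr ... -out cert.pem -extfile extfile.cnf`, which signs the client CSR and issues `cert.pem` with the `extendedKeyUsage = clientAuth` extension from `extfile.cnf`. Suggest "Now sign the client CSR:" so the reader can tell this certificate apart from the server one; a short sentence that the `clientAuth` extension is what restricts `cert.pem` to client authentication would also help.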
@ -102,6 +102,24 @@ Now sign the key:
|
||||||
Getting CA Private Key
|
Getting CA Private Key
|
||||||
Enter pass phrase for ca-key.pem:
|
Enter pass phrase for ca-key.pem:
|
||||||
|
|
||||||
|
After generating `cert.pem` and `server-cert.pem` you can safely remove the
|
||||||
|
two certificate signing requests:
|
||||||
|
|
||||||
|
$ rm -v client.csr server.csr
|
||||||
|
|
||||||
|
With a default `umask` of 022 your secret keys will be *world-readable* and
|
||||||
|
writable for you and your group.
|
||||||
|
|
||||||
|
To remove write permissions for your keys in order to protect them from accidental
|
||||||
|
damage and make them only readable to you issue the following file mode changes:
|
||||||
|
|
||||||
|
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
|
||||||
|
|
||||||
|
Certificates can be world-readable, but you might want to remove write access to
|
||||||
|
prevent accidental damage:
|
||||||
|
|
||||||
|
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
|
||||||
|
|
||||||
Now you can make the Docker daemon only accept connections from clients
|
Now you can make the Docker daemon only accept connections from clients
|
||||||
providing a certificate trusted by our CA:
|
providing a certificate trusted by our CA:
|
||||||
|
|
||||||
|
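Review bot: The added sentence `With a default \`umask\` of 022 your secret keys will be *world-readable* and` / `writable for you and your group.` is wrong about the group: a umask of 022 clears the group and other write bits, so files created under it are 0644, readable by everyone and writable by the owner only. Suggest "world-readable and writable by you". The rest of the hunk is sound, but `chmod -v 0400 ca-key.pem key.pem server-key.pem` also drops the owner's write bit, so repeating the key-generation steps later fails with a permission error until the mode is relaxed; the commit message's rationale (the root daemon can read the file anyway) covers reading only, so one sentence on that would help. Minor: `-CAcreateserial` leaves a `ca.srl` serial file next to the CSRs removed by `rm -v client.csr server.csr`; harmless, but readers may wonder what it is.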
@ -130,16 +148,13 @@ need to provide your client keys, certificates and trusted CA:
|
||||||
## Secure by default
|
## Secure by default
|
||||||
|
|
||||||
If you want to secure your Docker client connections by default, you can move
|
If you want to secure your Docker client connections by default, you can move
|
||||||
the files to the `.docker` directory in your home directory - and set the
|
the files to the `.docker` directory in your home directory -- and set the
|
||||||
`DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing
|
`DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing
|
||||||
`-H=tcp://:2376` and `--tlsverify` on every call).
|
`-H=tcp://:2376` and `--tlsverify` on every call).
|
||||||
|
|
||||||
$ mkdir -p ~/.docker
|
$ mkdir -pv ~/.docker
|
||||||
$ cp ca.pem ~/.docker/ca.pem
|
$ cp -v {ca,cert,key}.pem ~/.docker
|
||||||
$ cp cert.pem ~/.docker/cert.pem
|
$ export DOCKER_HOST=tcp://:2376 DOCKER_TLS_VERIFY=1
|
||||||
$ cp key.pem ~/.docker/key.pem
|
|
||||||
$ export DOCKER_HOST=tcp://:2376
|
|
||||||
$ export DOCKER_TLS_VERIFY=1
|
|
||||||
|
|
||||||
Docker will now connect securely by default:
|
Docker will now connect securely by default:
|
||||||
|
|
||||||
|
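Review bot: `cp -v {ca,cert,key}.pem ~/.docker` relies on brace expansion, which bash and zsh provide but POSIX `sh` (dash, for example) does not; in a plain sh the command looks for a file literally named `{ca,cert,key}.pem` and fails. Since the article's `$` prompts name no shell, either state that the commands assume bash or keep the three explicit `cp` lines. Merging the two exports into `export DOCKER_HOST=tcp://:2376 DOCKER_TLS_VERIFY=1` is fine.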
@ -165,11 +180,11 @@ Docker in various other modes by mixing the flags.
|
||||||
certificate and authenticate server based on given CA
|
certificate and authenticate server based on given CA
|
||||||
|
|
||||||
If found, the client will send its client certificate, so you just need
|
If found, the client will send its client certificate, so you just need
|
||||||
to drop your keys into `~/.docker/<ca, cert or key>.pem`. Alternatively,
|
to drop your keys into `~/.docker/{ca,cert,key}.pem`. Alternatively,
|
||||||
if you want to store your keys in another location, you can specify that
|
if you want to store your keys in another location, you can specify that
|
||||||
location using the environment variable `DOCKER_CERT_PATH`.
|
location using the environment variable `DOCKER_CERT_PATH`.
|
||||||
|
|
||||||
$ export DOCKER_CERT_PATH=${HOME}/.docker/zone1/
|
$ export DOCKER_CERT_PATH=~/.docker/zone1/
|
||||||
$ docker --tlsverify ps
|
$ docker --tlsverify ps
|
||||||
|
|
||||||
### Connecting to the Secure Docker port using `curl`
|
### Connecting to the Secure Docker port using `curl`
|
||||||
|
|
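Review bot: `export DOCKER_CERT_PATH=~/.docker/zone1/` is the one place where replacing `${HOME}` with `~` can change behaviour: tilde expansion of an assignment-shaped argument to `export` is a bash extension that POSIX does not guarantee, and the Docker client does not expand a literal `~` itself, so under another shell `DOCKER_CERT_PATH` can end up holding the literal string `~/.docker/zone1/` and `docker --tlsverify ps` will not find the certificates. Suggest keeping `$HOME` in this assignment. The `~/.docker/{ca,cert,key}.pem` shorthand in the prose is fine, since it is not executed.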