kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Merge pull request #9896 from flowlo/doc-https

Browse source 
doc: Improve article on HTTPS
This commit is contained in:
Sven Dowideit 2015-01-07 10:21:07 +10:00
commit 2f588c69f2
1 changed files with 15 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
docs/sources/articles/https.md
View file

@ -15,29 +15,27 @@ In the daemon mode, it will only allow connections from clients
authenticated by a certificate signed by that CA. In the client mode, authenticated by a certificate signed by that CA. In the client mode,
it will only connect to servers with a certificate signed by that CA. it will only connect to servers with a certificate signed by that CA.
> **Warning**: > **Warning**:
> Using TLS and managing a CA is an advanced topic. Please familiarize yourself > Using TLS and managing a CA is an advanced topic. Please familiarize yourself
> with OpenSSL, x509 and TLS before using it in production. > with OpenSSL, x509 and TLS before using it in production.
> **Warning**: > **Warning**:
> These TLS commands will only generate a working set of certificates on Linux. > These TLS commands will only generate a working set of certificates on Linux.
> Mac OS X comes with a version of OpenSSL that is incompatible with the > Mac OS X comes with a version of OpenSSL that is incompatible with the
> certificates that Docker requires. > certificates that Docker requires.
## Create a CA, server and client keys with OpenSSL ## Create a CA, server and client keys with OpenSSL
First, initialize the CA serial file and generate CA private and public First generate CA private and public keys:
keys:
$ echo 01 > ca.srl $ openssl genrsa -aes256 -out ca-key.pem 2048
$ openssl genrsa -des3 -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus Generating RSA private key, 2048 bit long modulus
......+++ ......+++
...............+++ ...............+++
e is 65537 (0x10001) e is 65537 (0x10001)
Enter pass phrase for ca-key.pem: Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem: Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem: Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated You are about to be asked to enter information that will be incorporated
into your certificate request. into your certificate request.
@ -58,20 +56,17 @@ Now that we have a CA, you can create a server key and certificate
signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR
name) matches the hostname you will use to connect to Docker: name) matches the hostname you will use to connect to Docker:
$ openssl genrsa -des3 -out server-key.pem 2048 $ openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus Generating RSA private key, 2048 bit long modulus
......................................................+++ ......................................................+++
............................................+++ ............................................+++
e is 65537 (0x10001) e is 65537 (0x10001)
Enter pass phrase for server-key.pem:
Verifying - Enter pass phrase for server-key.pem:
$ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr $ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr
Enter pass phrase for server-key.pem:
Next, we're going to sign the key with our CA: Next, we're going to sign the key with our CA:
$ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \ $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-out server-cert.pem -CAcreateserial -out server-cert.pem
Signature ok Signature ok
subject=/CN=your.host.com subject=/CN=your.host.com
Getting CA Private Key Getting CA Private Key
@ -80,15 +75,12 @@ Next, we're going to sign the key with our CA:
For client authentication, create a client key and certificate signing For client authentication, create a client key and certificate signing
request: request:
$ openssl genrsa -des3 -out key.pem 2048 $ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus Generating RSA private key, 2048 bit long modulus
...............................................+++ ...............................................+++
...............................................................+++ ...............................................................+++
e is 65537 (0x10001) e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Enter pass phrase for key.pem:
To make the key suitable for client authentication, create an extensions To make the key suitable for client authentication, create an extensions
config file: config file:
@ -98,21 +90,12 @@ config file:
Now sign the key: Now sign the key:
$ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \ $ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-out cert.pem -extfile extfile.cnf -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok Signature ok
subject=/CN=client subject=/CN=client
Getting CA Private Key Getting CA Private Key
Enter pass phrase for ca-key.pem: Enter pass phrase for ca-key.pem:
Finally, you need to remove the passphrase from the client and server key:
$ openssl rsa -in server-key.pem -out server-key.pem
Enter pass phrase for server-key.pem:
writing RSA key
$ openssl rsa -in key.pem -out key.pem
Enter pass phrase for key.pem:
writing RSA key
Now you can make the Docker daemon only accept connections from clients Now you can make the Docker daemon only accept connections from clients
providing a certificate trusted by our CA: providing a certificate trusted by our CA:
@ -128,7 +111,7 @@ need to provide your client keys, certificates and trusted CA:
> **Note**: > **Note**:
> Docker over TLS should run on TCP port 2376. > Docker over TLS should run on TCP port 2376.
> **Warning**: > **Warning**:
> As shown in the example above, you don't have to run the `docker` client > As shown in the example above, you don't have to run the `docker` client
> with `sudo` or the `docker` group when you use certificate authentication. > with `sudo` or the `docker` group when you use certificate authentication.
> That means anyone with the keys can give any instructions to your Docker > That means anyone with the keys can give any instructions to your Docker
@ -137,7 +120,7 @@ need to provide your client keys, certificates and trusted CA:
## Secure by default ## Secure by default
If you want to secure your Docker client connections by default, you can move If you want to secure your Docker client connections by default, you can move
the files to the `.docker` directory in your home directory - and set the the files to the `.docker` directory in your home directory - and set the
`DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing `DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing
`-H=tcp://:2376` and `--tlsverify` on every call). `-H=tcp://:2376` and `--tlsverify` on every call).
@ -184,4 +167,7 @@ location using the environment variable `DOCKER_CERT_PATH`.
To use `curl` to make test API requests, you need to use three extra command line To use `curl` to make test API requests, you need to use three extra command line
flags: flags:
$ curl --insecure --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://boot2docker:2376/images/json` $ curl https://boot2docker:2376/images/json \
--cert ~/.docker/cert.pem \
--key ~/.docker/key.pem \
--cacert ~/.docker/ca.pem