
Docker TLS - How to create key on local machine

Pre knowledge:

So I started using docker myself and installed it on my server and enabled TLS. I followed this tutorial: https://docs.docker.com/engine/security/https/

This tutorial will eventually give you 6 files:

  1. -r-------- ca-key.pem
  2. -r--r--r-- ca.pem
  3. -r--r--r-- cert.pem
  4. -r-------- key.pem
  5. -r--r--r-- server-cert.pem
  6. -r-------- server-key.pem

The owner of these files is root. I copied the ca.pem, cert.pem and key.pem and used them to connect from my local portainer instance. (Actually I only use cert.pem and key.pem since I only have client verification on.)

DOCKER HOST:

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "storage-driver": "overlay2",
  "tls": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "tlsverify": true
}

My problem:

The company where I work installed docker for me and enabled TLS, put all the pem files in a directory which I can access... Problem is, I cannot download the key.pem since the owner is root and I won't get access to it.

I can download the next files:

  1. ca.pem
  2. cert.pem
  3. server-cert.pem

Is it possible for me, with access to those files ONLY and without changing anything on the server, to access docker over TLS? How can I create my own key.pem, or is there another way?


Sorry if this is common knowledge, I just could not find my answer anywhere, or I did not know what I was exactly searching for...

Yes, you can work against the docker-daemon on that server and you don't need to create another key and certificate for the server.

Download the server-cert.pem and export the following environment variables in your local session:

export DOCKER_TLS_VERIFY="1"
export DOCKER_CERT_PATH="server-cert.pem"
export DOCKER_HOST="tcp://HOST:2376"

Now you can use your local docker-client and work against the docker-daemon on your server, e.g. docker ps should display the containers running on the remote docker.

Private keys create the certificates; you can't create a key from a cert. If your docker wants 2-way authentication you will need access to the private key. It cannot be done without it.

You'll need the following files (for client-server authentication):

  1. ca.pem
  2. cert.pem
  3. key.pem
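The following script is an added example, not code from the question or from either answer. It assumes only that the openssl CLI is installed, builds a constructed demo CA in a temporary directory to stand in for the admin who holds ca-key.pem, and shows three things a practitioner wants to check at this point: how to test whether a given key.pem actually belongs to a cert.pem (compare public keys), why a freshly generated key cannot substitute for the missing one, and the legitimate route when you have no key: generate your own key locally, hand only a CSR to the CA holder, and have it signed with extendedKeyUsage=clientAuth, which is what dockerd's --tlsverify expects from a client certificate.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Assumes the openssl CLI.
# All material below is a constructed demo PKI created in a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Role: server admin. Creates ca-key.pem / ca.pem (the files the question cannot read / can read).
make_ca() {
    openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -sha256 -key "$WORK/ca-key.pem" \
        -subj "/CN=demo-docker-ca" -out "$WORK/ca.pem" 2>/dev/null
}

# Role: client. Generates a private key and a CSR. The key never leaves this machine;
# only the CSR ($1.csr) is handed to whoever holds ca-key.pem.
make_client_csr() {   # $1 = client name (hypothetical, e.g. "alice")
    openssl genrsa -out "$WORK/$1-key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1-key.pem" -subj "/CN=$1" \
        -out "$WORK/$1.csr" 2>/dev/null
}

# Role: server admin. Signs the CSR as a TLS *client* certificate.
sign_client_csr() {   # $1 = client name
    printf 'extendedKeyUsage = clientAuth\n' > "$WORK/client-ext.cnf"
    openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/client-ext.cnf" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# Check: does this private key belong to this certificate?
# A certificate only contains the public key, so the test is "same public key".
key_matches_cert() {   # $1 = key.pem  $2 = cert.pem
    k="$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')"
    c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check: would dockerd with --tlsverify accept this cert? It must chain to ca.pem
# and be usable as a client certificate.
cert_is_trusted_client() {   # $1 = ca.pem  $2 = cert.pem
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# End-to-end walk-through; returns 0 only if every expectation holds.
demo() {
    make_ca
    make_client_csr alice && sign_client_csr alice   # alice: key + CA-signed cert
    make_client_csr bob                              # bob: only a self-made key

    # alice's own key matches her cert and the cert is trusted by the CA.
    key_matches_cert "$WORK/alice-key.pem" "$WORK/alice-cert.pem" || return 1
    cert_is_trusted_client "$WORK/ca.pem" "$WORK/alice-cert.pem" || return 1

    # A new key does not "become" key.pem for somebody else's cert.pem:
    # the only fix is a certificate signed for *your* key by the CA holder.
    if key_matches_cert "$WORK/bob-key.pem" "$WORK/alice-cert.pem"; then return 1; fi

    echo "checks passed: key/cert match works, foreign key rejected, client cert chains to CA"
}

demo
```

The same `key_matches_cert` check is what to run against the real files from the question: if it fails for the cert.pem you were given and any key you hold, that cert cannot be used by you, and the request to make is for the admin to sign your CSR, not to hand over root's key.pem.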
