github.com/sbward/docker@v1.4.2-0.20150114010528-c9dab702bed3/docs/sources/articles/https.md (about) 1 page_title: Running Docker with HTTPS 2 page_description: How to setup and run Docker with HTTPS 3 page_keywords: docker, docs, article, example, https, daemon, tls, ca, certificate 4 5 # Running Docker with https 6 7 By default, Docker runs via a non-networked Unix socket. It can also 8 optionally communicate using a HTTP socket. 9 10 If you need Docker to be reachable via the network in a safe manner, you can 11 enable TLS by specifying the `tlsverify` flag and pointing Docker's 12 `tlscacert` flag to a trusted CA certificate. 13 14 In the daemon mode, it will only allow connections from clients 15 authenticated by a certificate signed by that CA. In the client mode, 16 it will only connect to servers with a certificate signed by that CA. 17 18 > **Warning**: 19 > Using TLS and managing a CA is an advanced topic. Please familiarize yourself 20 > with OpenSSL, x509 and TLS before using it in production. 21 22 > **Warning**: 23 > These TLS commands will only generate a working set of certificates on Linux. 24 > Mac OS X comes with a version of OpenSSL that is incompatible with the 25 > certificates that Docker requires. 26 27 ## Create a CA, server and client keys with OpenSSL 28 29 First generate CA private and public keys: 30 31 $ openssl genrsa -aes256 -out ca-key.pem 2048 32 Generating RSA private key, 2048 bit long modulus 33 ......+++ 34 ...............+++ 35 e is 65537 (0x10001) 36 Enter pass phrase for ca-key.pem: 37 Verifying - Enter pass phrase for ca-key.pem: 38 $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem 39 Enter pass phrase for ca-key.pem: 40 You are about to be asked to enter information that will be incorporated 41 into your certificate request. 42 What you are about to enter is what is called a Distinguished Name or a DN. 43 There are quite a few fields but you can leave some blank 44 For some fields there will be a default value, 45 If you enter '.', the field will be left blank. 46 ----- 47 Country Name (2 letter code) [AU]: 48 State or Province Name (full name) [Some-State]:Queensland 49 Locality Name (eg, city) []:Brisbane 50 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc 51 Organizational Unit Name (eg, section) []:Boot2Docker 52 Common Name (e.g. server FQDN or YOUR name) []:your.host.com 53 Email Address []:Sven@home.org.au 54 55 Now that we have a CA, you can create a server key and certificate 56 signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR 57 name) matches the hostname you will use to connect to Docker: 58 59 $ openssl genrsa -out server-key.pem 2048 60 Generating RSA private key, 2048 bit long modulus 61 ......................................................+++ 62 ............................................+++ 63 e is 65537 (0x10001) 64 $ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr 65 66 Next, we're going to sign the key with our CA: 67 68 $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \ 69 -CAcreateserial -out server-cert.pem 70 Signature ok 71 subject=/CN=your.host.com 72 Getting CA Private Key 73 Enter pass phrase for ca-key.pem: 74 75 For client authentication, create a client key and certificate signing 76 request: 77 78 $ openssl genrsa -out key.pem 2048 79 Generating RSA private key, 2048 bit long modulus 80 ...............................................+++ 81 ...............................................................+++ 82 e is 65537 (0x10001) 83 $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr 84 85 To make the key suitable for client authentication, create an extensions 86 config file: 87 88 $ echo extendedKeyUsage = clientAuth > extfile.cnf 89 90 Now sign the key: 91 92 $ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \ 93 -CAcreateserial -out cert.pem -extfile extfile.cnf 94 Signature ok 95 subject=/CN=client 96 Getting CA Private Key 97 Enter pass phrase for ca-key.pem: 98 99 Now you can make the Docker daemon only accept connections from clients 100 providing a certificate trusted by our CA: 101 102 $ docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \ 103 -H=0.0.0.0:2376 104 105 To be able to connect to Docker and validate its certificate, you now 106 need to provide your client keys, certificates and trusted CA: 107 108 $ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \ 109 -H=dns-name-of-docker-host:2376 version 110 111 > **Note**: 112 > Docker over TLS should run on TCP port 2376. 113 114 > **Warning**: 115 > As shown in the example above, you don't have to run the `docker` client 116 > with `sudo` or the `docker` group when you use certificate authentication. 117 > That means anyone with the keys can give any instructions to your Docker 118 > daemon, giving them root access to the machine hosting the daemon. Guard 119 > these keys as you would a root password! 120 121 ## Secure by default 122 123 If you want to secure your Docker client connections by default, you can move 124 the files to the `.docker` directory in your home directory - and set the 125 `DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing 126 `-H=tcp://:2376` and `--tlsverify` on every call). 127 128 $ cp ca.pem ~/.docker/ca.pem 129 $ cp cert.pem ~/.docker/cert.pem 130 $ cp key.pem ~/.docker/key.pem 131 $ export DOCKER_HOST=tcp://:2376 132 $ export DOCKER_TLS_VERIFY=1 133 134 Docker will now connect securely by default: 135 136 $ docker ps 137 138 ## Other modes 139 140 If you don't want to have complete two-way authentication, you can run 141 Docker in various other modes by mixing the flags. 142 143 ### Daemon modes 144 145 - `tlsverify`, `tlscacert`, `tlscert`, `tlskey` set: Authenticate clients 146 - `tls`, `tlscert`, `tlskey`: Do not authenticate clients 147 148 ### Client modes 149 150 - `tls`: Authenticate server based on public/default CA pool 151 - `tlsverify`, `tlscacert`: Authenticate server based on given CA 152 - `tls`, `tlscert`, `tlskey`: Authenticate with client certificate, do not 153 authenticate server based on given CA 154 - `tlsverify`, `tlscacert`, `tlscert`, `tlskey`: Authenticate with client 155 certificate and authenticate server based on given CA 156 157 If found, the client will send its client certificate, so you just need 158 to drop your keys into `~/.docker/<ca, cert or key>.pem`. Alternatively, 159 if you want to store your keys in another location, you can specify that 160 location using the environment variable `DOCKER_CERT_PATH`. 161 162 $ export DOCKER_CERT_PATH=${HOME}/.docker/zone1/ 163 $ docker --tlsverify ps 164 165 ### Connecting to the Secure Docker port using `curl` 166 167 To use `curl` to make test API requests, you need to use three extra command line 168 flags: 169 170 $ curl https://boot2docker:2376/images/json \ 171 --cert ~/.docker/cert.pem \ 172 --key ~/.docker/key.pem \ 173 --cacert ~/.docker/ca.pem