github.com/stchris/docker@v1.4.2-0.20150106053530-1510a324dbd5/docs/sources/articles/https.md (about) 1 page_title: Running Docker with HTTPS 2 page_description: How to setup and run Docker with HTTPS 3 page_keywords: docker, docs, article, example, https, daemon, tls, ca, certificate 4 5 # Running Docker with https 6 7 By default, Docker runs via a non-networked Unix socket. It can also 8 optionally communicate using a HTTP socket. 9 10 If you need Docker to be reachable via the network in a safe manner, you can 11 enable TLS by specifying the `tlsverify` flag and pointing Docker's 12 `tlscacert` flag to a trusted CA certificate. 13 14 In the daemon mode, it will only allow connections from clients 15 authenticated by a certificate signed by that CA. In the client mode, 16 it will only connect to servers with a certificate signed by that CA. 17 18 > **Warning**: 19 > Using TLS and managing a CA is an advanced topic. Please familiarize yourself 20 > with OpenSSL, x509 and TLS before using it in production. 21 22 > **Warning**: 23 > These TLS commands will only generate a working set of certificates on Linux. 24 > Mac OS X comes with a version of OpenSSL that is incompatible with the 25 > certificates that Docker requires. 26 27 ## Create a CA, server and client keys with OpenSSL 28 29 First, initialize the CA serial file and generate CA private and public 30 keys: 31 32 $ echo 01 > ca.srl 33 $ openssl genrsa -des3 -out ca-key.pem 2048 34 Generating RSA private key, 2048 bit long modulus 35 ......+++ 36 ...............+++ 37 e is 65537 (0x10001) 38 Enter pass phrase for ca-key.pem: 39 Verifying - Enter pass phrase for ca-key.pem: 40 $ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem 41 Enter pass phrase for ca-key.pem: 42 You are about to be asked to enter information that will be incorporated 43 into your certificate request. 44 What you are about to enter is what is called a Distinguished Name or a DN. 45 There are quite a few fields but you can leave some blank 46 For some fields there will be a default value, 47 If you enter '.', the field will be left blank. 48 ----- 49 Country Name (2 letter code) [AU]: 50 State or Province Name (full name) [Some-State]:Queensland 51 Locality Name (eg, city) []:Brisbane 52 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc 53 Organizational Unit Name (eg, section) []:Boot2Docker 54 Common Name (e.g. server FQDN or YOUR name) []:your.host.com 55 Email Address []:Sven@home.org.au 56 57 Now that we have a CA, you can create a server key and certificate 58 signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR 59 name) matches the hostname you will use to connect to Docker: 60 61 $ openssl genrsa -des3 -out server-key.pem 2048 62 Generating RSA private key, 2048 bit long modulus 63 ......................................................+++ 64 ............................................+++ 65 e is 65537 (0x10001) 66 Enter pass phrase for server-key.pem: 67 Verifying - Enter pass phrase for server-key.pem: 68 $ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr 69 Enter pass phrase for server-key.pem: 70 71 Next, we're going to sign the key with our CA: 72 73 $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \ 74 -out server-cert.pem 75 Signature ok 76 subject=/CN=your.host.com 77 Getting CA Private Key 78 Enter pass phrase for ca-key.pem: 79 80 For client authentication, create a client key and certificate signing 81 request: 82 83 $ openssl genrsa -des3 -out key.pem 2048 84 Generating RSA private key, 2048 bit long modulus 85 ...............................................+++ 86 ...............................................................+++ 87 e is 65537 (0x10001) 88 Enter pass phrase for key.pem: 89 Verifying - Enter pass phrase for key.pem: 90 $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr 91 Enter pass phrase for key.pem: 92 93 To make the key suitable for client authentication, create an extensions 94 config file: 95 96 $ echo extendedKeyUsage = clientAuth > extfile.cnf 97 98 Now sign the key: 99 100 $ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \ 101 -out cert.pem -extfile extfile.cnf 102 Signature ok 103 subject=/CN=client 104 Getting CA Private Key 105 Enter pass phrase for ca-key.pem: 106 107 Finally, you need to remove the passphrase from the client and server key: 108 109 $ openssl rsa -in server-key.pem -out server-key.pem 110 Enter pass phrase for server-key.pem: 111 writing RSA key 112 $ openssl rsa -in key.pem -out key.pem 113 Enter pass phrase for key.pem: 114 writing RSA key 115 116 Now you can make the Docker daemon only accept connections from clients 117 providing a certificate trusted by our CA: 118 119 $ docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \ 120 -H=0.0.0.0:2376 121 122 To be able to connect to Docker and validate its certificate, you now 123 need to provide your client keys, certificates and trusted CA: 124 125 $ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \ 126 -H=dns-name-of-docker-host:2376 version 127 128 > **Note**: 129 > Docker over TLS should run on TCP port 2376. 130 131 > **Warning**: 132 > As shown in the example above, you don't have to run the `docker` client 133 > with `sudo` or the `docker` group when you use certificate authentication. 134 > That means anyone with the keys can give any instructions to your Docker 135 > daemon, giving them root access to the machine hosting the daemon. Guard 136 > these keys as you would a root password! 137 138 ## Secure by default 139 140 If you want to secure your Docker client connections by default, you can move 141 the files to the `.docker` directory in your home directory - and set the 142 `DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing 143 `-H=tcp://:2376` and `--tlsverify` on every call). 144 145 $ cp ca.pem ~/.docker/ca.pem 146 $ cp cert.pem ~/.docker/cert.pem 147 $ cp key.pem ~/.docker/key.pem 148 $ export DOCKER_HOST=tcp://:2376 149 $ export DOCKER_TLS_VERIFY=1 150 151 Docker will now connect securely by default: 152 153 $ docker ps 154 155 ## Other modes 156 157 If you don't want to have complete two-way authentication, you can run 158 Docker in various other modes by mixing the flags. 159 160 ### Daemon modes 161 162 - `tlsverify`, `tlscacert`, `tlscert`, `tlskey` set: Authenticate clients 163 - `tls`, `tlscert`, `tlskey`: Do not authenticate clients 164 165 ### Client modes 166 167 - `tls`: Authenticate server based on public/default CA pool 168 - `tlsverify`, `tlscacert`: Authenticate server based on given CA 169 - `tls`, `tlscert`, `tlskey`: Authenticate with client certificate, do not 170 authenticate server based on given CA 171 - `tlsverify`, `tlscacert`, `tlscert`, `tlskey`: Authenticate with client 172 certificate and authenticate server based on given CA 173 174 If found, the client will send its client certificate, so you just need 175 to drop your keys into `~/.docker/<ca, cert or key>.pem`. Alternatively, 176 if you want to store your keys in another location, you can specify that 177 location using the environment variable `DOCKER_CERT_PATH`. 178 179 $ export DOCKER_CERT_PATH=${HOME}/.docker/zone1/ 180 $ docker --tlsverify ps 181 182 ### Connecting to the Secure Docker port using `curl` 183 184 To use `curl` to make test API requests, you need to use three extra command line 185 flags: 186 187 $ curl --insecure --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://boot2docker:2376/images/json`