Securing Docker with TLS certificates
=======================================

Source: https://github.com/unloop/docker-ssl-secure (owner: unloop, language: Shell, license: MIT, last push 2017-12-18). Topics: docker, docker-swarm, generator, openssl, script, secure, shell, ssl-certificates, tls.

#### ===> Creating directories for both the server and client certificate sets
```sh
$ sudo mkdir -p /etc/docker/ssl
$ mkdir -p ~/.docker/ssl
```

#### ===> Create and sign a CA key and certificate and copy the CA certificate into /etc/docker/ssl
The CA key is written unencrypted (`-nodes`) and signs every client and server certificate, so anyone who can read it can mint credentials the daemon will accept. Restrict it to your own user (`chmod 0400 ~/.docker/ssl/ca-key.pem`) and remember that ~/.docker/ssl is also the directory DOCKER_CERT_PATH will point at later: the Docker client only needs ca.pem, cert.pem and key.pem from it, so move ca-key.pem somewhere offline once the certificates are issued.
```sh
$ openssl genrsa -out ~/.docker/ssl/ca-key.pem 2048
.+++
..........................................................................................................+++
e is 65537 (0x10001)

$ openssl req -x509 -new -nodes -key ~/.docker/ssl/ca-key.pem \
  -days 10000 -out ~/.docker/ssl/ca.pem -subj '/CN=docker-CA'

$ sudo cp ~/.docker/ssl/ca.pem /etc/docker/ssl
```

#### ===> Configuration file for the Docker client ~/.docker/ssl/openssl.cnf
The client certificate only ever authenticates the client to the daemon, so it gets `clientAuth` alone. Leaving `serverAuth` on it would let a stolen client certificate pose as the daemon to other clients that trust this CA.
```sh
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
```

#### ===> Configuration file for the Docker server (daemon) /etc/docker/ssl/openssl.cnf
The server certificate keeps both `serverAuth` and `clientAuth` because the Swarm manager in the last section reuses it: it presents it to docker clients as a server and to the engines as a client. The subjectAltName entries must cover every hostname or IP address a client will put in DOCKER_HOST; with `DOCKER_TLS_VERIFY=1` the client rejects a daemon certificate that does not match.
```sh
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = docker.local
IP.1 = 127.0.0.1
```

#### ===> Create and sign a certificate for the client
```sh
$ openssl genrsa -out ~/.docker/ssl/key.pem 2048
....................................+++
.............+++
e is 65537 (0x10001)

$ openssl req -new -key ~/.docker/ssl/key.pem -out ~/.docker/ssl/cert.csr \
  -subj '/CN=docker-client' -config ~/.docker/ssl/openssl.cnf

$ openssl x509 -req -in ~/.docker/ssl/cert.csr -CA ~/.docker/ssl/ca.pem \
  -CAkey ~/.docker/ssl/ca-key.pem -CAcreateserial \
  -out ~/.docker/ssl/cert.pem -days 365 -extensions v3_req \
  -extfile ~/.docker/ssl/openssl.cnf
Signature ok
subject=/CN=docker-client
Getting CA Private Key
```

#### ===> Create and sign a certificate for the server
```sh
$ sudo openssl genrsa -out /etc/docker/ssl/key.pem 2048
................................................................................+++
....................................+++
e is 65537 (0x10001)

$ sudo openssl req -new -key /etc/docker/ssl/key.pem \
  -out /etc/docker/ssl/cert.csr \
  -subj '/CN=docker-server' -config /etc/docker/ssl/openssl.cnf

$ sudo openssl x509 -req -in /etc/docker/ssl/cert.csr -CA ~/.docker/ssl/ca.pem \
  -CAkey ~/.docker/ssl/ca-key.pem -CAcreateserial \
  -out /etc/docker/ssl/cert.pem -days 365 -extensions v3_req \
  -extfile /etc/docker/ssl/openssl.cnf
Signature ok
subject=/CN=docker-server
Getting CA Private Key
```
The daemon reads /etc/docker/ssl/key.pem as root, so keep it mode 0400 and owned by root; the certificate and ca.pem can stay world-readable.

#### ===> Enabling Docker Remote API on Ubuntu using systemd

Exposing `tcp://0.0.0.0:2376` makes the daemon reachable from the network, and anyone holding a client certificate signed by this CA gets the equivalent of root on the host. `--tlsverify` is what makes the daemon demand such a certificate; `--tls` alone would only encrypt the connection and accept any client, so never downgrade it.

1. Edit the file /lib/systemd/system/docker.service
```sh
$ sudo vi /lib/systemd/system/docker.service
```
   Package upgrades overwrite this file. A drop-in at /etc/systemd/system/docker.service.d/override.conf that first clears `ExecStart=` and then sets the new line survives upgrades and is the usual way to do this.
2. Modify the line that starts with ExecStart to look like this:
```sh
ExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/cert.pem --tlskey=/etc/docker/ssl/key.pem
```
   On Ubuntu packages that ship docker.socket, `-H fd://` already hands dockerd the /var/run/docker.sock listener, so the explicit `-H unix://` entry is redundant; keep one or the other.
3. Save the modified file
4. Make systemd re-read the unit and restart the Docker service
```sh
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
```
5. Set some environment variables to enable TLS for the client and use the client key we created. DOCKER_CERT_PATH must contain ca.pem, cert.pem and key.pem, and the hostname in DOCKER_HOST must appear in the server certificate's subjectAltName.
```sh
$ export DOCKER_HOST=tcp://docker.local:2376
$ export DOCKER_TLS_VERIFY=1
$ export DOCKER_CERT_PATH=~/.docker/ssl
$ docker info
```

#### ===> Using the TLS certificates with Docker Swarm

This section covers the standalone `swarm` image (legacy Swarm, discovery via etcd). Swarm mode built into the engine (`docker swarm init`) issues and rotates its own mutual TLS certificates and does not use this setup.

To secure legacy Swarm with these certificates, create a certificate/key pair for each engine from the same CA, each with the engine's own name and address in its subjectAltName. The manager needs a certificate that carries both `serverAuth` (it is a server to docker clients) and `clientAuth` (it is a client to the engines), which is why the server certificate above has both. Start the Swarm manager with the TLS flags, and give it its own listen address so it does not collide with the daemon on 2376:
```sh
$ docker run -d --name swarm-manager \
  -v /etc/docker/ssl:/etc/docker/ssl \
  --net=host swarm:latest manage \
  -H tcp://0.0.0.0:3376 \
  --tlsverify \
  --tlscacert=/etc/docker/ssl/ca.pem \
  --tlscert=/etc/docker/ssl/cert.pem \
  --tlskey=/etc/docker/ssl/key.pem \
  etcd://127.0.0.1:2379
```
Point the docker client at the manager's port rather than the daemon's; the same client certificate is accepted because the manager verifies against the same ca.pem.
```sh
$ export DOCKER_HOST=tcp://docker.local:3376
$ export DOCKER_TLS_VERIFY=1
$ export DOCKER_CERT_PATH=~/.docker/ssl
$ docker info
```
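The certificate procedure above (CA, daemon certificate with subjectAltName, clientAuth-only client certificate, key permissions) as one POSIX shell script, added here as an example rather than the repository's own generator. The output directory, the hostname docker.local, the address 127.0.0.1 and the file names are assumptions chosen by the caller; the verification functions mirror what dockerd checks (a CA-signed certificate valid for clientAuth) and what the docker client checks with DOCKER_TLS_VERIFY=1 (a CA-signed certificate valid for serverAuth whose SAN matches DOCKER_HOST), and also confirm that the client certificate is refused as a server certificate.

```shell
#!/bin/sh
# Added example, not the repository's own script. Builds the PKI the page
# walks through: one CA, a daemon certificate carrying the SANs clients will
# dial, and a client certificate limited to clientAuth. Directory, hostname
# and IP are assumptions supplied by the caller.
set -eu

gen_docker_pki() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  # Self-contained OpenSSL config so nothing depends on the system openssl.cnf.
  # Leaf extensions are applied at signing time (-extfile/-extensions), so the
  # CA, not the requester, decides what a certificate may be used for.
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# serverAuth for docker clients; clientAuth so the same cert can drive a legacy Swarm manager
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host, IP:$ip
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
# clientAuth only: a leaked client cert must not be usable to impersonate the daemon
extendedKeyUsage = clientAuth
EOF
  (
    umask 077   # private keys are never world-readable, not even briefly
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca-key.pem" -days 3650 \
      -config "$dir/req.cnf" -subj '/CN=docker-CA' -out "$dir/ca.pem"
    for role in server client; do
      openssl genrsa -out "$dir/$role-key.pem" 2048 2>/dev/null
      openssl req -new -key "$dir/$role-key.pem" -config "$dir/req.cnf" \
        -subj "/CN=docker-$role" -out "$dir/$role.csr"
      openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
        -extfile "$dir/req.cnf" -extensions "${role}_ext" \
        -out "$dir/$role-cert.pem" 2>/dev/null
    done
  )
  chmod 0400 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"
  chmod 0444 "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"
}

# Succeeds only if the certificates pass the checks Docker performs: dockerd
# verifies the client cert for the clientAuth purpose; the docker client
# verifies the daemon cert for serverAuth and matches DOCKER_HOST (name or IP)
# against the subjectAltName.
verify_docker_pki() {
  dir=$1; host=$2; ip=$3
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient \
    "$dir/client-cert.pem" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver \
    -verify_hostname "$host" "$dir/server-cert.pem" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver \
    -verify_ip "$ip" "$dir/server-cert.pem" >/dev/null 2>&1
}

# Succeeds only if the client certificate is rejected for the server purpose,
# i.e. the clientAuth-only extendedKeyUsage actually restricts it.
client_cert_is_not_server() {
  dir=$1
  ! openssl verify -CAfile "$dir/ca.pem" -purpose sslserver \
      "$dir/client-cert.pem" >/dev/null 2>&1
}

# Usage: sh docker-pki.sh <outdir> <daemon hostname> <daemon ip>
if [ $# -eq 3 ]; then
  gen_docker_pki "$1" "$2" "$3"
  verify_docker_pki "$1" "$2" "$3"
  client_cert_is_not_server "$1"
  echo "PKI written to $1: daemon cert valid for $2 and $3, client cert clientAuth-only"
fi
```

After running it, copy ca.pem, server-cert.pem and server-key.pem to /etc/docker/ssl as ca.pem, cert.pem and key.pem for the daemon, and ca.pem, client-cert.pem and client-key.pem to the DOCKER_CERT_PATH directory as ca.pem, cert.pem and key.pem for the client; ca-key.pem belongs in neither place. The negative check matters as much as the positive ones: a setup where the client certificate also passes `-purpose sslserver` is one where any client can impersonate the daemon to its peers.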