
Revisions

  1. kekru revised this gist Oct 31, 2019. 1 changed file with 8 additions and 3 deletions.
    11 changes: 8 additions & 3 deletions 1-Enable Docker Remote API with TLS client verification.md
    @@ -26,10 +26,15 @@ Download the script and run like this:
    ```
    Now you have a directory `./certs` with certificates and keys for CA, server and client.

    # Enable Remote API with TLS
    # Enable Remote API with TLS (daemon.json)
    Make sure, you have a ca certificate and a server certificate with a server key.
    Open or create the file `/etc/docker/daemon.json`. This is the main configuration file for Docker.
    Take the content of the 2-daemon.json file of this gist and write it to /etc/docker/daemon.json. Edit the paths to your ca and server certificate files.
    Take the content of the 2-daemon.json file of this gist and write it to `/etc/docker/daemon.json`. Edit the paths to your ca and server certificate files.

    Restart your Docker engine with `sudo service docker restart`.
    The Docker Remote API is ready to use. You can run Docker commands from a remote device by using the ca.pem and the client certificate and key. Read [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for more information.
    The Docker Remote API is ready to use. You can run Docker commands from a remote device by using the ca.pem and the client certificate and key. Read [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for more information.

    # Enable Remote API with TLS (with a container)
    If you don't want to modify your daemon.json, you can use a helper container, that exposes the remote api for you:
    [kekru/docker-remote-api-tls](https://github.com/kekru/docker-remote-api-tls)
    This project can also create the certificate files on startup.
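Review bot: the rewritten daemon.json paragraph still says "Edit the paths to your ca and server certificate files", which omits the server key even though the 2-daemon.json in this gist also references `tlskey`; suggest "Edit the paths to your CA certificate, server certificate and server key". The pair of lines beginning "The Docker Remote API is ready to use" shows no visible change, so it is most likely a trailing-whitespace edit and could be reverted to keep the revision minimal. Minor: "Make sure, you have" should drop the comma.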
  2. kekru revised this gist Oct 29, 2017. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions 1-Enable Docker Remote API with TLS client verification.md
    @@ -10,17 +10,17 @@ First of all you need a few certificates and keys:
    ## Create certificate files
    You can create these files as described in the official docs in [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).
    You can also use my [create-certs.sh](https://github.com/kekru/linux-utils/blob/master/cert-generate/create-certs.sh) script to create them.
    Download the script an run like this:
    Download the script and run like this:

    1. Create a CA with the password `yourSecretPassword` and `900` days until it wil expire. The files are in the directory `./certs`.
    1. Create a CA with the password `yourSecretPassword` and `900` days until it wil expire. The cert files will be in the directory `./certs`.
    ```bash
    ./create-certs.sh -m ca -pw yourSecretPassword -t certs -e 900
    ```
    2. Create server certificate and key with the password of step 1 `yourSecretPassword`, with the servername `myserver.example.com` and `365` days until it wil expire. The files are in the directory `./certs`.
    2. Create server certificate and key with the password of step 1 `yourSecretPassword`, with the servername `myserver.example.com` and `365` days until it wil expire. The cert files will be in the directory `./certs`.
    ```bash
    ./create-certs.sh -m server -h myserver.example.com -pw yourSecretPassword -t certs -e 365
    ```
    3. Create client certificate and key with the password of step 1 `yourSecretPassword`, with the clientname `testClient` (the name is interesting if you want to use authorization plugins later) and `365` days until it wil expire. The files are in the directory `./certs`.
    3. Create client certificate and key with the password of step 1 `yourSecretPassword`, with the clientname `testClient` (the name is interesting if you want to use authorization plugins later) and `365` days until it wil expire. The cert files will be in the directory `./certs`.
    ```bash
    ./create-certs.sh -m client -h testClient -pw yourSecretPassword -t certs -e 365
    ```
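Review bot: the typo "wil expire" survives unchanged in all three numbered steps while this hunk fixes "an run" and "The files are"; fix it in the same pass ("will expire"). Worth a sentence after the three commands that `-pw yourSecretPassword` passes the CA key password as a command-line argument, so it is recorded in the shell history and visible to other local users through the process list; suggest telling readers to remove that history entry afterwards and to keep the `./certs` directory, and in particular the CA key, with restrictive permissions, since that key signs every client certificate the daemon will trust.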
  3. kekru renamed this gist Oct 29, 2017. 1 changed file with 0 additions and 0 deletions.
  4. kekru created this gist Oct 29, 2017.
    35 changes: 35 additions & 0 deletions 1-readme.md
    @@ -0,0 +1,35 @@
    # Enable Docker Remote API with TLS client verification
    Docker's Remote API can be secured via TLS and client certificate verification.
    First of all you need a few certificates and keys:
    + CA certificate
    + Server certificate
    + Server key
    + Client certificate
    + Client key

    ## Create certificate files
    You can create these files as described in the official docs in [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).
    You can also use my [create-certs.sh](https://github.com/kekru/linux-utils/blob/master/cert-generate/create-certs.sh) script to create them.
    Download the script an run like this:

    1. Create a CA with the password `yourSecretPassword` and `900` days until it wil expire. The files are in the directory `./certs`.
    ```bash
    ./create-certs.sh -m ca -pw yourSecretPassword -t certs -e 900
    ```
    2. Create server certificate and key with the password of step 1 `yourSecretPassword`, with the servername `myserver.example.com` and `365` days until it wil expire. The files are in the directory `./certs`.
    ```bash
    ./create-certs.sh -m server -h myserver.example.com -pw yourSecretPassword -t certs -e 365
    ```
    3. Create client certificate and key with the password of step 1 `yourSecretPassword`, with the clientname `testClient` (the name is interesting if you want to use authorization plugins later) and `365` days until it wil expire. The files are in the directory `./certs`.
    ```bash
    ./create-certs.sh -m client -h testClient -pw yourSecretPassword -t certs -e 365
    ```
    Now you have a directory `./certs` with certificates and keys for CA, server and client.

    # Enable Remote API with TLS
    Make sure, you have a ca certificate and a server certificate with a server key.
    Open or create the file `/etc/docker/daemon.json`. This is the main configuration file for Docker.
    Take the content of the 2-daemon.json file of this gist and write it to /etc/docker/daemon.json. Edit the paths to your ca and server certificate files.

    Restart your Docker engine with `sudo service docker restart`.
    The Docker Remote API is ready to use. You can run Docker commands from a remote device by using the ca.pem and the client certificate and key. Read [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for more information.
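Review bot: the heading levels are inconsistent: "Create certificate files" is level 2, but its sibling "Enable Remote API with TLS" is level 1, the same level as the document title; make both `##`. The final section never says what `tlsverify` buys the reader: state that with it enabled the daemon rejects any connection that does not present a client certificate signed by the CA listed at the top, which is what makes this "TLS client verification" rather than plain TLS. Minor: "First of all you need" wants a comma after "First of all", and "Make sure, you have" should drop its comma.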
    8 changes: 8 additions & 0 deletions 2-daemon.json
    @@ -0,0 +1,8 @@
    {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": true,
    "tlscacert": "/data/certs/ca.pem",
    "tlscert": "/data/certs/server-cert.pem",
    "tlskey": "/data/certs/server-key.pem",
    "tlsverify": true
    }
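Review bot: `"tcp://0.0.0.0:2376"` in `hosts` binds the TLS endpoint on every interface; the readme should tell readers to either restrict this to the interface remote clients actually need or firewall port 2376 so only the intended clients can reach it, since client-certificate verification is the only control left once the port is reachable. Also worth a note for readers on systemd-based installs that setting `hosts` in daemon.json conflicts with a `-H` flag in the docker.service unit, and the daemon refuses to start until one of the two is removed.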