Configuring an SSL Certificate
Generate the certificates (10-year validity)
Create a new directory on the server and switch to that directory
mkdir /etc/docker && cd /etc/docker
Create a root certificate RSA private key
openssl genrsa -aes256 -out ca-key.pem 4096
Note: The passphrase must be entered twice. Remember it; it is needed in the next step and every time the CA key signs a certificate
Creating a CA Certificate
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
Note: This produces a self-signed CA certificate from the key generated in the previous step. The server and client certificates below could equally be issued by a third-party CA
Create a server private key
openssl genrsa -out server-key.pem 4096
Create the server certificate signing request
openssl req -subj "/CN=172.31.128.152" -sha256 -new -key server-key.pem -out server.csr
Note: The IP address is the IP address of the server
Create the extensions file extfile.cnf
echo subjectAltName = IP:172.31.128.152,IP:0.0.0.0 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
Note: Replace the IP address with the server's own. A client using --tlsverify checks the address it dials against the subjectAltName, so every IP (or hostname, as DNS:name) used to reach the daemon must be listed; 0.0.0.0 is only the bind address and is never dialled, so it adds nothing
Sign the server certificate with the CA
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Create a client private key
openssl genrsa -out key.pem 4096
Create the client certificate signing request
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Append the client extension to extfile.cnf
echo extendedKeyUsage = clientAuth >> extfile.cnf
Note: OpenSSL keeps the last value of a repeated key, so this line overrides the earlier extendedKeyUsage = serverAuth and the client certificate is issued with clientAuth only (the subjectAltName line still applies to it, which is harmless). A separate extensions file for the client avoids relying on that behaviour
Sign the client certificate with the CA
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out cert.pem -extfile extfile.cnf
Delete the files that are no longer needed
rm -v client.csr server.csr
Restrict permissions on the certificate files (private keys readable by their owner only, certificates world-readable)
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
Check the validity period of a certificate
openssl x509 -in ca.pem -noout -dates
notBefore=Jun 5 03:23:23 2021 GMT
notAfter=Jun 3 03:23:23 2031 GMT
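The whole generation procedure above as one non-interactive script, added here as an example (it is not the original page's command sequence). It assumes the CA passphrase is supplied in the CA_PASS environment variable, uses /CN=docker-ca as the CA subject, puts 127.0.0.1 in the server SAN in place of 0.0.0.0, and gives the client its own extensions file instead of appending to extfile.cnf. It ends with the check a practitioner wants after this procedure: openssl verify -purpose, which confirms each certificate chains to the CA and that the extendedKeyUsage split actually took effect.

```shell
#!/bin/sh
# Added example (not from the original page): build the Docker daemon CA,
# server and client certificates non-interactively, then verify them.
# Assumptions: CA passphrase in $CA_PASS; CA subject /CN=docker-ca;
# the client gets its own extensions file (extfile-client.cnf).

# gen_docker_tls DIR SERVER_IP [KEY_BITS] [DAYS]
# The body is a subshell, so cd does not leak into the caller and
# "exit 1" only aborts this function, returning non-zero to the caller.
gen_docker_tls() (
    dir=$1 ip=$2 bits=${3:-4096} days=${4:-3650}
    : "${CA_PASS:?set CA_PASS to the CA key passphrase}"
    mkdir -p "$dir" && cd "$dir" || exit 1

    # 1. CA: passphrase-protected RSA key and a self-signed certificate
    openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem "$bits" || exit 1
    openssl req -new -x509 -days "$days" -sha256 -key ca-key.pem \
        -passin env:CA_PASS -subj "/CN=docker-ca" -out ca.pem || exit 1

    # 2. Server: CN and SAN carry the address clients will dial;
    #    extendedKeyUsage pins the certificate to the server role.
    openssl genrsa -out server-key.pem "$bits" || exit 1
    openssl req -new -sha256 -key server-key.pem -subj "/CN=$ip" -out server.csr || exit 1
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$ip" > extfile-server.cnf
    openssl x509 -req -days "$days" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -out server-cert.pem \
        -extfile extfile-server.cnf || exit 1

    # 3. Client: separate extensions file, so serverAuth never ends up on it
    openssl genrsa -out key.pem "$bits" || exit 1
    openssl req -new -key key.pem -subj "/CN=client" -out client.csr || exit 1
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days "$days" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -out cert.pem \
        -extfile extfile-client.cnf || exit 1

    # 4. Drop the CSRs and lock down the private keys
    rm -f client.csr server.csr
    chmod 0400 ca-key.pem key.pem server-key.pem || exit 1
    chmod 0444 ca.pem server-cert.pem cert.pem || exit 1
)

# verify_purpose DIR PURPOSE CERT: returns 0 when CERT chains to DIR/ca.pem and
# is usable for PURPOSE (sslserver or sslclient). openssl verify enforces
# extendedKeyUsage, so the client certificate fails the sslserver check.
verify_purpose() {
    openssl verify -CAfile "$1/ca.pem" -purpose "$2" "$3" >/dev/null 2>&1
}

# has_san_ip CERT IP: returns 0 when CERT lists IP in its subjectAltName
has_san_ip() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Stand-alone usage (smaller key size so it finishes quickly):
#   CA_PASS=changeme gen_docker_tls /tmp/docker-tls 172.31.128.152 2048 365 \
#     && verify_purpose /tmp/docker-tls sslserver /tmp/docker-tls/server-cert.pem \
#     && verify_purpose /tmp/docker-tls sslclient /tmp/docker-tls/cert.pem
```

The two verify_purpose calls are worth keeping in any automation around this procedure: a certificate that chains correctly but carries the wrong extendedKeyUsage is rejected by the Docker client or daemon at handshake time, and that failure is far harder to diagnose from the daemon logs than from openssl verify.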
Configure Docker to support TLS connections
Edit the docker.service configuration file
vim /lib/systemd/system/docker.service
Find the line beginning with ExecStart= and replace it with the following
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem --containerd=/run/containerd/containerd.sock
Note: The remote port is set to 2375 here and can be changed as required; 2376 is the conventional port for a TLS-protected daemon socket. The certificate paths must point at the files generated above (this guide created them in /etc/docker). Keep --tlsverify: with --tls alone the daemon encrypts the connection but accepts any client, and anyone who can reach the port then has root-equivalent control of the host. Editing /lib/systemd/system/docker.service directly is undone by the next package upgrade; a drop-in under /etc/systemd/system/docker.service.d/ (with an empty ExecStart= line before the new one) is the durable place for this change
Refresh the configuration and restart the Docker
systemctl daemon-reload && systemctl restart docker
Check the service status after the restart
systemctl status docker
ca.pem, cert.pem and key.pem are the three files a client needs. Copy them to the client machine and pass them on each call with --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=tcp://172.31.128.152:2375, or place them in ~/.docker/ and set DOCKER_HOST, DOCKER_TLS_VERIFY=1 and DOCKER_CERT_PATH. Treat key.pem as a credential equivalent to root on the Docker host
Reference
Docker enable TLS security configuration: www.cnblogs.com/xiaoqi/p/do…