This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| docker-command [2026/04/08 17:48] – admin | docker-command [2026/04/08 22:10] (current) – admin | ||
|---|---|---|---|
| Line 14: | Line 14: | ||
| docker image save fueltracker_app > | docker image save fueltracker_app > | ||
| </ | </ | ||
| - | |||
| - | ===== SSL/TLS connection ===== | ||
| - | |||
| - | ==== Generate a CA, server, and client certificate/ | ||
| - | |||
| - | 1. Create a working directory | ||
| - | |||
| - | mkdir -p ~/ | ||
| - | |||
| - | 2. Generate the CA private key | ||
| - | |||
| - | openssl genrsa -aes256 -out ca-key.pem 4096 | ||
| - | |||
| - | 3. Generate the CA certificate | ||
| - | |||
| - | openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem | ||
| - | |||
| - | You'll be prompted for a passphrase and subject info (Country, CN, etc.). | ||
| - | |||
| - | 4. Generate the server private key | ||
| - | |||
| - | openssl genrsa -out server-key.pem 4096 | ||
| - | |||
| - | 5. Generate the server CSR (Certificate Signing Request) | ||
| - | |||
| - | openssl req -subj "/ | ||
| - | |||
| - | Replace < | ||
| - | |||
| - | 6. Create a SANs (Subject Alternative Names) extension file | ||
| - | |||
| - | echo subjectAltName = DNS:< | ||
| - | echo extendedKeyUsage = serverAuth >> extfile.cnf | ||
| - | |||
| - | Add all hostnames/ | ||
| - | |||
| - | 7. Sign the server certificate with the CA | ||
| - | |||
| - | openssl x509 -req -days 365 -sha256 \ | ||
| - | -in server.csr -CA ca.pem -CAkey ca-key.pem \ | ||
| - | -CAcreateserial -out server-cert.pem -extfile extfile.cnf | ||
| - | |||
| - | 8. Generate the client private key | ||
| - | |||
| - | openssl genrsa -out key.pem 4096 | ||
| - | |||
| - | 9. Generate the client CSR | ||
| - | |||
| - | openssl req -subj '/ | ||
| - | |||
| - | 10. Create a client extension file | ||
| - | |||
| - | echo extendedKeyUsage = clientAuth > extfile-client.cnf | ||
| - | |||
| - | 11. Sign the client certificate with the CA | ||
| - | |||
| - | openssl x509 -req -days 365 -sha256 \ | ||
| - | -in client.csr -CA ca.pem -CAkey ca-key.pem \ | ||
| - | -CAcreateserial -out cert.pem -extfile extfile-client.cnf | ||
| - | |||
| - | 12. Clean up CSRs and extension files, lock down permissions | ||
| - | |||
| - | rm -f client.csr server.csr extfile.cnf extfile-client.cnf | ||
| - | chmod 0400 ca-key.pem key.pem server-key.pem | ||
| - | chmod 0444 ca.pem server-cert.pem cert.pem | ||
| - | |||
| - | After this you'll have: | ||
| - | |||
| - | ┌──────────────────────────────────┬───────────────────────────────────────────────────┐ | ||
| - | │ | ||
| - | ├──────────────────────────────────┼───────────────────────────────────────────────────┤ | ||
| - | │ ca.pem | ||
| - | ├──────────────────────────────────┼───────────────────────────────────────────────────┤ | ||
| - | │ server-cert.pem / server-key.pem │ Server certificate and key │ | ||
| - | ├──────────────────────────────────┼───────────────────────────────────────────────────┤ | ||
| - | │ cert.pem / key.pem | ||
| - | └──────────────────────────────────┴───────────────────────────────────────────────────┘ | ||
| - | |||
| - | ==== Configure / | ||
| - | |||
| - | 1. Copy server certs to a permanent location | ||
| - | |||
| - | sudo mkdir -p / | ||
| - | sudo cp ~/ | ||
| - | sudo cp ~/ | ||
| - | sudo cp ~/ | ||
| - | sudo chmod 0444 / | ||
| - | sudo chmod 0400 / | ||
| - | |||
| - | 2. Create or edit / | ||
| - | |||
| - | sudo tee / | ||
| - | { | ||
| - | " | ||
| - | " | ||
| - | " | ||
| - | " | ||
| - | " | ||
| - | " | ||
| - | } | ||
| - | EOF | ||
| - | |||
| - | - " | ||
| - | - " | ||
| - | - Port 2376 is the standard TLS Docker port (2375 is unencrypted) | ||
| - | |||
| - | 3. Handle the hosts conflict with systemd (WSL/Linux) | ||
| - | |||
| - | If Docker is managed by systemd, the -H flag in the service file conflicts with hosts in daemon.json. Override it: | ||
| - | |||
| - | sudo mkdir -p / | ||
| - | sudo tee / | ||
| - | [Service] | ||
| - | ExecStart= | ||
| - | ExecStart=/ | ||
| - | EOF | ||
| - | |||
| - | Enable systemd in WSL2 (recommended). | ||
| - | |||
| - | Edit / | ||
| - | |||
| - | sudo tee / | ||
| - | [boot] | ||
| - | systemd=true | ||
| - | EOF | ||
| - | |||
| - | 4. Reload and restart Docker | ||
| - | |||
| - | sudo systemctl daemon-reload | ||
| - | sudo systemctl restart docker | ||
| - | |||
| - | 5. Verify Docker is listening on port 2376 | ||
| - | |||
| - | sudo ss -tlnp | grep 2376 | ||
| - | |||
| - | You should see dockerd bound to 0.0.0.0: | ||
| ===== References ===== | ===== References ===== | ||