zaman sakib

Reputation: 957

TLS failed in Docker

I have very limited knowledge about TLS certification. I wanted to enable https for the docker daemon. I followed this tutorial but in the end failed to start the docker daemon.

I am using docker in an Ubuntu 16.04 VM and my client and server are the same machine. So I use the $hostname as the 'Common Name' throughout the whole process.

After following the whole process in docker documentation when I run

sudo dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376

I get the INFO log that "API listen on [::]:2376"

When I use the below command:

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version

I get proper response.

But when I reload the daemon and try to start docker it says failed to start docker and gives the following message:

Job for docker.service failed because the control process exited with error code.  
See "systemctl status docker.service" and "journalctl -xe" for details.

Output of 'journalctl -xe' is:
[screenshot of the journalctl -xe output; the image is not reproduced here]

I copied the necessary certificate to ~/.docker/ and the 'ExecStart' in my /lib/systemd/system/docker.service file is:

ExecStart=/usr/bin/dockerd -H fd:// -H 0.0.0.0:2376 \
     --tlsverify --tlscacert=/home/sakib/.docker/ca.pem \
     --tlskey=/home/sakib/.docker/key.pem \
     --tlscert=/home/sakib/.docker/cert.pem

When I try to communicate with the API I get the following response:

$ curl -X GET https://0.0.0.0:2376/images/json

curl: (35) gnutls_handshake() failed: Certificate is bad

$ docker version

Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:33:38 2016
 OS/Arch:      linux/amd64
An error occurred trying to connect: Get https://EL802:2376/v1.24/version: x509: certificate is valid for $HOST, not EL802

NOTE: EL802 is my hostname which I set as the 'HOST' environment variable.

I think the problem is with the 'CN' name that I chose while creating the client certificate. I created the server and client certificates as below:

Server:

openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Client:

openssl req -subj '/CN=$HOST' -new -key key.pem -out client.csr

My client and server are both my host machine (EL802), which I set as the $HOST variable.

Upvotes: 1

Views: 2534

Answers (1)

VonC

Reputation: 1330072

Your picture does not show the full error line, but if the error message is:

 pid file found, ensure docker is not running or delete /var/run/docker.pid

Try and delete the pid, and restart.
Also double-check your docker installation on Ubuntu, and its systemd configuration.

x509: certificate is valid for $HOST, not EL802

That means the certificate has been created with the string $HOST instead of its actual value.

openssl req -subj '/CN=$HOST'

The strong quoting of the single quotes prevents the shell from replacing $HOST with its value. Use double quotes.

Upvotes: 0
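The quoting point in the answer above, and the mismatch the question's "x509: certificate is valid for $HOST, not EL802" error reports, can be reproduced and checked locally before any certificate is handed to dockerd. The script below is an added example and is not code from the question, the answer or the Docker documentation: it self-signs throwaway certificates with the two quoting styles, prints the CN each one actually received, and provides a `cert_matches_host` check (CN or DNS subjectAltName) that can be run against the real server-cert.pem and cert.pem. Only the openssl CLI is used; the function names, file names and temporary directory are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: shows how the
# caller's quoting decides whether the literal text "$HOST" or the expanded
# hostname ends up in a certificate's CN, and gives a check to run on
# server-cert.pem / cert.pem before pointing dockerd or the client at them.
# Only the openssl CLI is used; file names and the temp dir are this
# example's own choices.

HOST=${HOST:-$(hostname)}

# Self-sign a throwaway certificate with the given -subj string and print
# the path of the resulting cert.pem. The caller owns the directory.
make_test_cert() {
    subj=$1
    dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}

# Print the CN embedded in a certificate (handles both the
# "subject=CN = x" and the older "subject= /CN=x" output styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Succeed only if the certificate was issued for the name in $2: either its
# CN equals the name or a DNS subjectAltName lists it (Go's verifier, which
# the docker client uses, checks SANs first).
cert_matches_host() {
    cert=$1
    host=$2
    [ "$(cert_cn "$cert")" = "$host" ] && return 0
    openssl x509 -in "$cert" -noout -text | grep -qwF "DNS:$host"
}

# Generate a cert from a -subj string exactly as the caller quoted it and
# report the CN it got, so the two quoting styles can be compared directly.
cn_from_subject() {
    dir=$(mktemp -d)
    cert=$(make_test_cert "$1" "$dir")
    cert_cn "$cert"
    rm -rf "$dir"
}

# Demonstration when run directly: the single-quoted form yields the
# literal string $HOST, the double-quoted form yields the real hostname.
echo "single quotes -> CN=$(cn_from_subject '/CN=$HOST')"
echo "double quotes -> CN=$(cn_from_subject "/CN=$HOST")"
```

To verify the certificates already generated for the question, run `cert_matches_host /home/sakib/.docker/cert.pem "$(hostname)"` (and the same for server-cert.pem) after sourcing the script; a non-zero exit means the docker client will reject the name just as the error message shows. The `-subj` string is passed through `"$subj"` inside the function on purpose, so the only thing that differs between the two demonstration lines is the quoting at the call site, which is exactly where the original commands differ.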
