Reputation: 3672
I'm trying to deploy an instance of Portainer to a docker swarm. I'm not sure how to set the correct flag to enable SSL.
From the docs:
$ docker run -d -p 443:9000 --name portainer --restart always -v ~/local-certs:/certs -v portainer_data:/data portainer/portainer --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
https://portainer.readthedocs.io/en/stable/deployment.html
But how do you translate that into a docker compose yml file?
Upvotes: 3
Views: 25968
Reputation: 310
Possibly I'm a bit late to the party, but it looks like you have to use Portainer's flags to enable SSL for your Portainer (as said in the documentation), and composerize.com lost that part somewhere, so you should add this to your compose:
command:
  --sslcert /certs/portainer.crt
  --sslkey /certs/portainer.key
or for full compose file:
version: '3'  # Compose expects the version as a string
services:
  portainer:
    image: portainer/portainer
    container_name: portainer
    restart: always
    ports:
      - '443:9443' # CONTAINER PORT MUST BE 9443 and not 9000 when using SSL
    volumes:
      - '~/local-certs:/certs'
      - 'portainer_data:/data'
    command:
      --sslcert /certs/portainer.crt
      --sslkey /certs/portainer.key
# Named volumes used by a service must be declared at the top level
volumes:
  portainer_data:
Upvotes: 21
Reputation: 41
The following works for me:
version: '3'
services:
  portainer:
    image: portainer/portainer-ce
    volumes:
      - "/local-certs:/certs"
      - "portainer_data:/data"
    restart: always
    ports:
      - "9000:9000"
    container_name: portainer
    command:
      - --ssl
      - --sslcert
      - /certs/wildcard.crt
      - --sslkey
      - /certs/wildcard.key
# Named volumes used by a service must be declared at the top level
volumes:
  portainer_data:
Upvotes: 1
Reputation: 694
According to Portainer documentation:
By default, Portainer’s web interface and API is exposed over HTTP. This is not secured, it’s recommended to enable SSL in a production environment.
To do so, you can use the following flags --ssl, --sslcert and --sslkey:
$ docker run -d -p 443:9000 --name portainer --restart always -v ~/local-certs:/certs -v portainer_data:/data portainer/portainer --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
You can use the following commands to generate the required files:
$ openssl genrsa -out portainer.key 2048
$ openssl ecparam -genkey -name secp384r1 -out portainer.key
$ openssl req -new -x509 -sha256 -key portainer.key -out portainer.crt -days 3650
Note that Certbot could be used as well to generate a certificate and a key.
As Rubin suggests, you can use https://composerize.com/ to generate a docker-compose.yml from docker command.
So, your docker-compose file should be something like this:
version: '3'
services:
  portainer:
    image: portainer/portainer
    container_name: portainer
    restart: always
    ports:
      - '443:9000'
    volumes:
      - '~/local-certs:/certs'
      - 'portainer_data:/data'
    command:
      --ssl
      --sslcert /certs/portainer.crt
      --sslkey /certs/portainer.key
volumes:
  portainer_data:
Upvotes: 8
Reputation: 114
https://composerize.com/ can help to translate your docker command into a docker-compose.yml
Upvotes: 5
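Added example, not taken from any answer above and not composerize's or Portainer's code: a Python check that translates the docker run line from the question into compose service fields and confirms that the --sslcert/--sslkey arguments after the image name survived and point inside a mounted volume. The function names and the option table are assumptions made for this illustration, and only the options used on this page are handled.

```python
import shlex

# The docker run line quoted on this page.
PAGE_RUN = ("docker run -d -p 443:9000 --name portainer --restart always "
            "-v ~/local-certs:/certs -v portainer_data:/data portainer/portainer "
            "--ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key")

# Only the options that appear in PAGE_RUN; this is not a full docker CLI parser.
VALUE_OPTS = {"-p": "ports", "-v": "volumes",
              "--name": "container_name", "--restart": "restart"}

def run_to_service(cmdline):
    """Map a `docker run` line to compose service fields, keeping the args after the image."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command")
    svc, i = {}, 2
    while i < len(argv) and argv[i].startswith("-"):
        opt = argv[i]
        if opt == "-d":                      # detach is a CLI switch, nothing to carry over
            i += 1
        elif opt in VALUE_OPTS and i + 1 < len(argv):
            key = VALUE_OPTS[opt]
            if key in ("ports", "volumes"):
                svc.setdefault(key, []).append(argv[i + 1])
            else:
                svc[key] = argv[i + 1]
            i += 2
        else:
            raise ValueError(f"unhandled option: {opt}")
    if i >= len(argv):
        raise ValueError("no image name found")
    svc["image"] = argv[i]
    svc["command"] = argv[i + 1:]            # Portainer's own flags live here
    return svc

def tls_findings(svc):
    """List problems with the certificate flags of a translated Portainer service."""
    cmd = svc.get("command") or []
    cmd = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    mounts = [v.split(":")[1].rstrip("/") + "/" for v in svc.get("volumes", []) if ":" in v]
    findings = []
    for flag in ("--sslcert", "--sslkey"):
        path = cmd[cmd.index(flag) + 1] if flag in cmd[:-1] else None
        if path is None:
            findings.append(f"{flag} missing from command")
        elif not any(path.startswith(m) for m in mounts):
            findings.append(f"{flag} {path} is not under a mounted volume")
    return findings
```

An empty list from tls_findings(run_to_service(PAGE_RUN)) means both flags were kept and both paths resolve under the /certs mount; a translation that drops the trailing arguments yields one finding per flag.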