terraform-certificate-automation/ansible/roles/vault/templates/docker-tls-and-misc-config.md

The default values are unset and the docker cli defaults to using /var/run/docker.sock and/or systemd. However, from your comment to ldg, you have an app that requires these to be set, which would indicate that it wants you to configure TLS on your host for remote access. Here are the steps to configure the TLS keys:
Setup CA

# work in a secure folder
mkdir docker-ca && chmod 700 docker-ca && cd docker-ca
# generate a key pair for the CA
openssl genrsa -aes256 -out ca-key.pem 2048
# setup CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
  # make sure to set CN

Server certificate

# generate a new host key pair
openssl genrsa -out myserver-key.pem 2048
# generate certificate signing request (CSR)
openssl req -subj "/CN=myserver" -new -key myserver-key.pem -out myserver.csr
# setup extfile for ip's to allow
echo "subjectAltName = IP:$myserver_ip, IP:127.0.0.1" >extfile.cnf
# sign the key by the CA
openssl x509 -req -days 365 -in myserver.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out myserver-cert.pem -extfile extfile.cnf
# test server by updating service:
/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2376 --tlsverify \
  --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/myserver-cert.pem \
  --tlskey=/etc/docker/myserver-key.pem

You'll need to update your OS startup script for Docker to have the above in it (-H unix:/var/run/docker.sock would be used in place of -H fd:// if you don't have systemd).
Client certificate

In ".docker" you can add: "ca.pem, key.pem, cert.pem" and then export DOCKER_TLS_VERIFY=1

# create a client key pair
openssl genrsa -out client-key.pem 2048
# generate csr for client key
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
# configure request to support client
echo extendedKeyUsage = clientAuth >extfile.cnf
# sign the client key with the CA
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out client-cert.pem -extfile extfile.cnf
# test client with
docker --tlsverify \
  --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
  -H=tcp://127.0.0.1:2376 info`

Then DOCKER_CERT_PATH would be the folder with your certificates, e.g. /home/user/.docker.
Share
Improve this answer
Follow
answered Jul 22, 2016 at 20:59
BMitch's user avatar
BMitch
243k4444 gold badges504504 silver badges468468 bronze badges

    I've set DOCKER_CERT_PATH to the directory where all the certificates exist . Have also set DOCKER_HOST, DOCKER_TLS_VERIFY values but still when I execute docker commands , the certificate is expected. Anything else I should verify ? I've also tried restarting docker-daemon and docker – 
    explorer
    Mar 30, 2021 at 19:18 

Add a comment
6

Use
export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://0.0.0.0:2376"
export DOCKER_CERT_PATH="/etc/docker/server.pem"

You can find out the values on your system using

ps aux | grep "docker daemon"

For instance, in my case I get
root     25161  0.0  1.8 545784 38496 ?        Ssl  07:11   0:00 /usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver aufs --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=amazonec2

You may however have to use sudo to run docker


sudo docker ps