3

What I want to do:

I have dockerd running on one machine with TLS verify set to true. I would like to add this host as a machine in docker-machine

What I have done:

I used the following command to start dockerd:

$ sudo dockerd -D --tls=true --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376

On a second machine I sourced the following variables:

export DOCKER_HOST=tcp://172.19.48.247:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/ssl

and ran a docker command successfully:

$ docker run busybox echo hello
hello

Then I added this host to docker-machine:

docker-machine create --driver none --url=tcp://172.19.48.247:2376 dockerhost

Where I am going wrong:

I am getting an x509: certificate signed by unknown authority error now.

$ docker-machine ls
NAME         ACTIVE   DRIVER   STATE     URL                         SWARM   DOCKER    ERRORS
dockerhost   -        none     Running   tcp://172.19.48.247:2376            Unknown   Unable to query docker version: Get https://172.19.48.247:2376/v1.15/version: x509: certificate signed by unknown authority

I tried using docker-machine config but that doesn't work:

$ docker-machine config dockerhost --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
Incorrect Usage.

Usage: docker-machine config [OPTIONS] [arg...]

Print the connection config for machine

Description:
   Argument is a machine name.

Options:

   --swarm  Display the Swarm config instead of the Docker daemon
flag provided but not defined: -tlsverify
Bilal Baqar
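An added check, not part of the question or of Docker's own tooling: in the dockerd command above, `--tls=true` makes the daemon present a certificate but does not require one from clients; only `--tlsverify` together with `--tlscacert` enforces client-certificate authentication, so as started, the daemon on 172.19.48.247:2376 accepts any client that can reach the port. The functions below audit a dockerd flag string for that condition, with the weak invocation beside a corrected one; `ca.pem` is an assumed file name.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a dockerd argument
# string and reports whether TLS client authentication is enforced.
# Assumed file names: ca.pem, cert.pem, key.pem.

# Returns 0 if the flags enforce client-cert auth, i.e. both --tlsverify and
# --tlscacert are present; returns 1 otherwise. --tls alone only encrypts
# the connection and authenticates nobody.
dockerd_requires_client_cert() {
    flags=" $1 "
    case "$flags" in
        *" --tlsverify "*|*" --tlsverify=true "*) ;;
        *) return 1 ;;
    esac
    case "$flags" in
        *" --tlscacert="*|*" --tlscacert "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if any TCP listener is configured (-H tcp://... or --host=tcp://...),
# 1 otherwise. A loopback-only listener is still reported; scoping that is
# left to the caller.
dockerd_exposes_tcp() {
    case " $1 " in
        *tcp://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "ok: <flags>" and returns 0 when the invocation is acceptable;
# prints UNSAFE to stderr and returns 1 when a TCP listener is reachable
# without client-certificate authentication.
audit_dockerd_flags() {
    if dockerd_exposes_tcp "$1" && ! dockerd_requires_client_cert "$1"; then
        echo "UNSAFE: TCP listener without --tlsverify/--tlscacert: $1" >&2
        return 1
    fi
    echo "ok: $1"
}

# The invocation from the question (weak) beside the corrected form.
WEAK='-D --tls=true --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376'
HARDENED='-D --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376'

if [ "${1:-}" = "--demo" ]; then
    audit_dockerd_flags "$WEAK" || true   # expected to print UNSAFE
    audit_dockerd_flags "$HARDENED"
fi
```

Run with `sh audit.sh --demo` to see both verdicts. The same check applies to `/etc/docker/daemon.json`: the keys there are `tlsverify` and `tlscacert`, and `tls: true` on its own has the same weakness as `--tls=true`.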

1 Answer

6

By default, the none driver will be configured to use the TLS certs found at ~/.docker/machine. This isn't necessarily what is needed, because you'll run into the error you've run into if your remote Docker host has a certificate signed by something other than the ca.pem that you've got at that location.

I've found a reference to a workaround here that I tested and it definitely seems to work. Here are the steps I followed:

docker-machine create -d none --url tcp://remotedocker.example.com:2376 remotedocker

This creates the following directory:

~/.docker/machine/machines/remotedocker

Inside that directory is a file called config.json. Edit that file, and change every instance of ".docker/machine/certs" to ".docker/machine/machines/remotedocker"

Normally, when you access Docker remotely, it only needs to have access to the ca.pem, cert.pem and key.pem files. As far as I can tell, the other files referenced in config.json will likely not get used by the none driver because regenerate-certs is not implemented by none.

You will need to copy in the ca.pem and key.pem files.

At this point, you should be able to run docker-machine config remotedocker, or eval "$(docker-machine env remotedocker)" and use your remote daemon successfully.

programmerq
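The workaround above, scripted as an added example (not docker-machine's own tooling and not code from the answer): it creates the machine with the none driver, rewrites config.json exactly as described, copies the working certs into the machine directory, and then proves the daemon answers over TLS before anything relies on `docker-machine env`. The machine name, URL and the directory holding the already working ca.pem, cert.pem and key.pem are assumed arguments; the sample config.json the script can generate for a dry run is constructed, modeled on the AuthOptions layout the none driver writes.

```shell
#!/bin/sh
# Added example, not from the original answer or from docker-machine itself:
# scripts the config.json workaround for a "none" driver host whose daemon
# cert is signed by a CA other than ~/.docker/machine/certs/ca.pem.
# Assumed: machine name, URL and source cert dir are passed as arguments.
set -eu

MACHINE_STORAGE="${MACHINE_STORAGE_PATH:-${HOME:-}/.docker/machine}"

# Prints how many lines of a config.json still point at the shared certs
# directory; 0 after a complete rewrite.
count_shared_refs() {
    grep -c '\.docker/machine/certs' "$1" || true
}

# The manual edit from the answer: every ".docker/machine/certs" becomes
# ".docker/machine/machines/<name>", applied in place.
rewrite_cert_paths() {
    cfg="$1"; name="$2"
    sed "s#\.docker/machine/certs#.docker/machine/machines/$name#g" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Copies the client TLS material the daemon was already tested with. All
# three files are needed: ca.pem to trust the daemon, cert.pem/key.pem to
# authenticate to it. Fails if any is missing; locks down the private key.
install_certs() {
    src="$1"; dest="$2"
    for f in ca.pem cert.pem key.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$dest/$f"
    done
    chmod 600 "$dest/key.pem"
}

# Constructed sample modeled on the config.json docker-machine writes for
# the none driver, abridged to the AuthOptions fields that matter here.
make_sample_config() {
    cfg="$1"; name="$2"; home="${3:-/home/user}"
    cat > "$cfg" <<EOF
{
  "DriverName": "none",
  "HostOptions": {
    "AuthOptions": {
      "CertDir": "$home/.docker/machine/certs",
      "CaCertPath": "$home/.docker/machine/certs/ca.pem",
      "CaPrivateKeyPath": "$home/.docker/machine/certs/ca-key.pem",
      "ServerCertPath": "$home/.docker/machine/machines/$name/server.pem",
      "ServerKeyPath": "$home/.docker/machine/machines/$name/server-key.pem",
      "ClientKeyPath": "$home/.docker/machine/certs/key.pem",
      "ClientCertPath": "$home/.docker/machine/certs/cert.pem",
      "StorePath": "$home/.docker/machine/machines/$name"
    }
  },
  "Name": "$name"
}
EOF
}

# End to end: create the machine, rewrite its config, install the certs,
# and prove the daemon answers before handing it to docker-machine env.
main() {
    name="$1"; url="$2"; certsrc="$3"
    docker-machine create -d none --url "$url" "$name"
    mdir="$MACHINE_STORAGE/machines/$name"
    rewrite_cert_paths "$mdir/config.json" "$name"
    install_certs "$certsrc" "$mdir"
    [ "$(count_shared_refs "$mdir/config.json")" -eq 0 ] \
        || { echo "rewrite incomplete in $mdir/config.json" >&2; return 1; }
    # Same flags the question used by hand; this is where a wrong ca.pem
    # shows up as "x509: certificate signed by unknown authority".
    docker --tlsverify --tlscacert="$mdir/ca.pem" --tlscert="$mdir/cert.pem" \
           --tlskey="$mdir/key.pem" -H "$url" version >/dev/null
    docker-machine config "$name"
}

if [ "${1:-}" = "--apply" ]; then
    main "${2:?machine name}" "${3:?tcp://host:port}" "${4:?dir with ca.pem cert.pem key.pem}"
fi
```

Run as `sh add-remote.sh --apply remotedocker tcp://remotedocker.example.com:2376 /path/to/ssl`; without `--apply` it only defines the functions, so the rewrite can be exercised against a generated sample config before touching a real machine directory. The sed rewrite also redirects `CaPrivateKeyPath` into the machine directory; that file is not needed for connecting and, as the answer notes, the none driver never regenerates certs, so its absence is harmless.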