Our certificate for the TCP docker sock located at port 9001 has expired.
The documentation here explains how to protect the docker daemon socket by creating a CA certificate: https://docs.docker.com/engine/security/https/
However, the documentation does not explain how to replace an expired cert. I have newly created certs hostname.crt, hostname.csr, and hostname.jks available. How do I detach the expired cert from the docker socket, and attach a new cert? I would like to set it up to only use a TLS 1.2 connection.
I have tried going through the above steps to create ca.pem, cert.pem, and key.pem files using my hostname.csr file, but I am running into this error:
$ dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2377
listen tcp 0.0.0.0:2377: bind: address already in use
$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=cstmditlvlnx54.dev.local:2377 version
Client:
Version: 17.09.0-ce
API version: 1.32
Go version: go1.8.3
Git commit: afdb6d4
Built: Tue Sep 26 22:41:23 2017
OS/Arch: linux/amd64
error during connect: Get https://<hostname>:2377/v1.32/version: x509: certificate is valid for swarm-manager, dbacsvpspwkeimy9cr8fe2uqd, swarm-ca, not <hostname>
$ sudo docker info
Containers: 48
 Running: 0
 Paused: 0
 Stopped: 48
Images: 33
Server Version: 17.09.0-ce
Storage Driver: overlay
 Backing Filesystem: xfs
 Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
 NodeID: dbacsvpspwkeimy9cr8fe2uqd
 Is Manager: true
 ClusterID: p8pp1gurblaoendeanjc04lv6
 Managers: 1
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 4 weeks
  Force Rotate: 3
 Autolock Managers: false
 Root Rotation In Progress: false
 Node Address: ######
 Manager Addresses:
  #######:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-1127.8.2.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.8 (Maipo)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.777GiB
Name: <hostname>
ID: RCPU:PSF5:DJ7D:JECW:X7CF:GWP6:52QE:K7LR:OASA:7LQX:SPX6:QIFX
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 <url>:9091
 <url>:9092
 cstmdevlvrpo51:9091
 127.0.0.0/8
Live Restore Enabled: false
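The following is an added worked example for the procedure the question is about; it is not code from the question, from Docker, or from the linked docs page. It follows the same openssl steps the docs describe (CA, server cert, client cert) but wraps each step in a function so the new material can be checked before it is swapped in, and it adds a probe of what the running daemon actually serves and accepts. The host name, IP, port, output directory and file names are assumptions to be edited; openssl must be on PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the post or from docs.docker.com.
# Assumptions: openssl on PATH; HOST/IP/PORT/OUTDIR arguments are placeholders.
set -eu

KEYBITS="${KEYBITS:-4096}"   # key size for CA, server and client keys
DAYS="${DAYS:-365}"          # validity of the new certs; pick a rotation schedule you will keep

# gen_certs OUTDIR HOST IP
# Writes ca.pem/ca-key.pem, server-cert.pem/server-key.pem and cert.pem/key.pem
# into OUTDIR, the file names dockerd's --tlscacert/--tlscert/--tlskey flags expect.
gen_certs() {
  out="$1"; host="$2"; ip="$3"
  mkdir -p "$out"

  # 1. CA. ca-key.pem stays off the daemon host's cert directory once signing is done.
  openssl genrsa -out "$out/ca-key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -x509 -days "$DAYS" -sha256 -key "$out/ca-key.pem" \
    -subj "/CN=docker-ca" -out "$out/ca.pem"

  # 2. Server cert. The SAN must contain every name clients will dial (DNS name,
  #    IP, 127.0.0.1 for local use). A name missing here is exactly the
  #    "certificate is valid for X, not <hostname>" error.
  openssl genrsa -out "$out/server-key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -sha256 -key "$out/server-key.pem" -subj "/CN=$host" -out "$out/server.csr"
  printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
    "$host" "$ip" > "$out/server-ext.cnf"
  openssl x509 -req -days "$DAYS" -sha256 -in "$out/server.csr" \
    -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
    -extfile "$out/server-ext.cnf" -out "$out/server-cert.pem" 2>/dev/null

  # 3. Client cert. With --tlsverify the daemon only accepts clients presenting a
  #    cert signed by this CA and marked for client authentication.
  openssl genrsa -out "$out/key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -sha256 -key "$out/key.pem" -subj "/CN=docker-client" -out "$out/client.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$out/client-ext.cnf"
  openssl x509 -req -days "$DAYS" -sha256 -in "$out/client.csr" \
    -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
    -extfile "$out/client-ext.cnf" -out "$out/cert.pem" 2>/dev/null

  rm -f "$out/server.csr" "$out/client.csr" "$out/server-ext.cnf" "$out/client-ext.cnf"
  chmod 0400 "$out/ca-key.pem" "$out/server-key.pem" "$out/key.pem"   # private keys
  chmod 0444 "$out/ca.pem" "$out/server-cert.pem" "$out/cert.pem"      # public material
}

# verify_certs OUTDIR HOST
# Chain, SAN and extended-key-usage checks; non-zero on the first failure.
verify_certs() {
  out="$1"; host="$2"
  openssl verify -CAfile "$out/ca.pem" "$out/server-cert.pem" | grep -q ': OK$' || return 1
  openssl verify -CAfile "$out/ca.pem" "$out/cert.pem" | grep -q ': OK$' || return 1
  openssl x509 -in "$out/server-cert.pem" -noout -text | grep -q "DNS:$host" || return 1
  openssl x509 -in "$out/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
}

# cert_valid_for_days FILE N
# 0 if FILE is still valid N days from now. Run it on the old cert to confirm it
# really has expired, and on the new one before deploying.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-0} * 86400 ))" >/dev/null
}

# write_daemon_json CERTDIR FILE PORT
# daemon.json equivalent of the --tlsverify/--tls* flags plus a TCP listener.
write_daemon_json() {
  certdir="$1"; file="$2"; port="$3"
  cat > "$file" <<EOF
{
  "tlsverify": true,
  "tlscacert": "$certdir/ca.pem",
  "tlscert": "$certdir/server-cert.pem",
  "tlskey": "$certdir/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:$port"]
}
EOF
}

# probe_tls HOST PORT CERTDIR  (needs network; not exercised by the checks below)
# Prints subject, validity and SANs of the cert the daemon actually serves, then
# returns 0 only if a TLS 1.2 handshake succeeds and a TLS 1.1 one is refused.
# A build of openssl without TLS 1.1 support also fails the -tls1_1 handshake,
# which counts as "refused" here.
probe_tls() {
  host="$1"; port="$2"; d="$3"
  openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$d/ca.pem" \
    -cert "$d/cert.pem" -key "$d/key.pem" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | grep -E 'Subject:|Not (Before|After)|DNS:'
  openssl s_client -connect "$host:$port" -tls1_2 -CAfile "$d/ca.pem" \
    -cert "$d/cert.pem" -key "$d/key.pem" </dev/null >/dev/null 2>&1 || return 1
  ! openssl s_client -connect "$host:$port" -tls1_1 -CAfile "$d/ca.pem" \
    -cert "$d/cert.pem" -key "$d/key.pem" </dev/null >/dev/null 2>&1
}

# Usage on the daemon host (paths and names are placeholders):
#   gen_certs /etc/docker/certs.new cstmditlvlnx54.dev.local 10.0.0.54
#   verify_certs /etc/docker/certs.new cstmditlvlnx54.dev.local \
#     && write_daemon_json /etc/docker/certs.new /etc/docker/daemon.json 2376
#   systemctl restart docker
#   probe_tls cstmditlvlnx54.dev.local 2376 /etc/docker/certs.new
```

A few points on using it against the situation in the question. "bind: address already in use" means a daemon is already listening, so the cert is replaced by pointing the existing daemon at the new files and restarting it, not by starting a second dockerd by hand. The `hosts` key in daemon.json conflicts with a `-H` flag in the systemd unit's ExecStart; on a systemd host either drop `-H` from the unit or keep the listener on the command line and leave `hosts` out of the JSON. The cert the daemon returned on 2377 names swarm-manager and swarm-ca, which is the Swarm CA's own certificate for the cluster-management port (shown under Manager Addresses above), so the TLS API listener belongs on a separate port (the docs use 2376). Finally, rather than assuming a daemon option for the minimum TLS version, probe_tls checks empirically that the port accepts a TLS 1.2 handshake and refuses a TLS 1.1 one.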