I'm using HTTPS to protect the Docker daemon socket. I followed all the steps as mentioned here. The environment variables are set as below:

  • DOCKER_TLS_VERIFY=1
  • DOCKER_CERT_PATH=~/.docker == All my client, ca & server certificates + keys exist here
  • DOCKER_HOST=tcp://$HOST:2376

The below command works (when I pass ca, client certificate & key):

docker --tlsverify --tlscacert=~/.docker/ca.pem --tlscert=~/.docker/client-cert.pem --tlskey=~/.docker/client-key.pem -H=$HOST:2376 ps

According to the Docker documentation, I can secure Docker client connections by default and do not need to pass certificates every time, but the command "docker ps" doesn't work for me. It always expects the client certificate to be passed.

I also tried executing the below:

docker-compose --tlsverify --tlscacert=~/.docker/ca.pem --tlscert=~/.docker/client-cert.pem --tlskey=~/.docker/client-key.pem -H=$HOST:2376  up

ERROR: TLS configuration is invalid - make sure your DOCKER_TLS_VERIFY and DOCKER_CERT_PATH are set correctly

How can I secure the Docker client connections by default? I just want to execute "docker ps" without passing the client certificate every time, since it already exists in ~/.docker.

I have also referred to a similar question here

explorer

1 Answer

I found the answer myself! The client certificate and key that were generated had the names cert.pem and key.pem when I followed the official documentation instructions. I had renamed cert.pem to client-cert.pem and the key to client-key.pem in my ~/.docker directory.

Apparently, Docker picks up the client certificate and key by default only if they are named cert.pem and key.pem. So my issue here was caused by changing the client certificate / key names.

explorer
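An added example (not part of the original answer or Docker's own tooling): a POSIX shell check that a certificate directory holds the default file names the docker CLI looks for (ca.pem, cert.pem, key.pem), plus a helper that symlinks the custom names from the question to those defaults. The function names and the private-key permission check are assumptions added here; Docker itself does not enforce the permission check.

```shell
#!/bin/sh
# Added example. Default names the docker CLI looks for inside
# DOCKER_CERT_PATH (or ~/.docker when that variable is unset).
DOCKER_DEFAULT_FILES="ca.pem cert.pem key.pem"

# check_docker_certs [DIR]
# Prints one line per problem. Returns 0 if all default-named files exist
# and key.pem is private, 1 if a file is missing, 2 if key.pem is
# accessible to group/others (hygiene check added here, not a docker rule).
check_docker_certs() {
    dir=${1:-${DOCKER_CERT_PATH:-$HOME/.docker}}
    rc=0
    for f in $DOCKER_DEFAULT_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # Characters 5-10 of `ls -l` are the group/other permission bits;
    # -L follows a symlink to the real key file.
    perms=$(ls -lLd "$dir/key.pem" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key.pem permissions too open: $perms (use chmod 600 or 400)"
        return 2
    fi
    return 0
}

# link_default_names DIR CERT KEY
# Keeps custom file names (e.g. client-cert.pem and client-key.pem, as in
# the question) and adds symlinks under the names the CLI expects.
link_default_names() {
    dir=$1
    ln -sf "$2" "$dir/cert.pem"
    ln -sf "$3" "$dir/key.pem"
}
```

Running `check_docker_certs` with no argument inspects `$DOCKER_CERT_PATH`, falling back to `~/.docker`.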