I am having a website running on container port 80 and 443. I am using ready docker image from docker hub.
I have enabled SSL on Kubernetes using ingress.
I can not generate a certificate inside the pod. If I create cert inside the pod manually then at the time of service Apache restart then the container will restart and the whole pod will be created again. The WHOLE setup will change as default in docker image.
So how to install SSL on this website. Currently, it is giving an error of self-signed certificate.
It is like you are describing, you are using a self-signed certificate.
If you want to remove the warning or error you will have to get a certificate from a well known CA like Comodo or Symantec. If not you will have to trust the CA that you used to create your self-signed certificate. This is an example on how to do it on Ubuntu.
Hope it helps!
Related
I run a web server as a haphroxy. Certificate issued using let's encrypt
Subsequently, when you run the docker container by applying the certificate to the pem file, the certificate is applied normally.
A certificate version error occurs in the browser when distributing from Docker Swarm to stack in the same way.
tls1.2 is specified as the minimum version in the haphroxy setting. Is the certificate applied to deploy as docker swarm or stack different?
I am running a secure private docker registry on a machine (server) within my local network. My kubernetes and helm clients are running on another machine (host).
I am using a Certification Authority (CA) in the server machine in order to verify https pull requests from the host. That is why I am copying the registry's Certificate Authority (CA) to the host as mentioned here:
Instruct every Docker daemon to trust that certificate. For Linux:
Copy the domain.crt file to
/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker
host. You do not need to restart Docker
Even though this solution works as a charm, but only for few nodes.
From kubernetes or HELM perspective, is there a way to generate a secret or stating username/password inside the charts. Sot that, when 1000 hosts exist, there will be no need to copy the CA to every and each single host?
Server and hosts run Centos7
I have a running docker droplet on DigitalOcean but this droplet running on http and I want to run it on https.
I don't want to purchase any domain name. Actually I don't need a domain name, ip address is enough.
Certbot and Letsencrypt are not allowing creating SSL certificate on bare IP address.
Is there any solution for this problem?
How can I do that?
Thank you for your collaborations.
Use openssl for generating the certificates and make the docker daemon trust those certificates.
I have a website that I'm running on a digital ocean droplet, which I want to continuously deploy via docker and a Teamcity build server which I have running on my home server. I want to enable https on my docker repo, with a self signed certificate, and without a domain name.
Let's say my home's ip address is 10.10.10.10 and the docker repo is running on port 5000.
I followed the steps here, however docker on my website complained that it cannot connect to the docker repo on my homeserver because it doesn't specify an IP in the SAN extension.
Okay. So I created a new certificate without the CN field and only an IP in the SAN, and now my cert config on my website looks like...
/etc/docker/certs.d/10.10.10.10:5000/ca.crt
I also added the cert to my general certs (Ubuntu 16.04 btw)
Then I try to pull the image from my home server to my website...
docker pull 10.10.10.10:5000/personal_site:latest
However, I'm getting this error.
Error response from daemon: Get https://10.10.10.10:5000/v1/_ping: x509:
certificate signed by unknown authority (possibly because of "x509:
invalid signature: parent certificate cannot sign this kind of
certificate" while trying to verify candidate authority certificate "serial:xxx")
I thought by adding my cert to the /etc/docker/... it would accept a self-signed cert. Anyone have any advice here?
You can't used a self signed certificate for this, it needs to be a CA certificate. Follow the same steps required to create a certificate for a docker host and store your CA in /etc/docker/certs.d/.... Or you can also define 10.10.10.10 as an insecure registry as part of the docker daemon startup (dockerd --insecure-registry 10.10.10.10:5000 ...) and docker should ignore any certificate issues.
I just did the same thing with this instructions create private repo with password without domain and ssl. That will require you to add certificate on client and domain on host file (if you love to have an domain yourself without registering new domain)
I have install docker on a windows 7 machine, if I connect to Internet outside my company network everything works fine, but when I connect to Internet from my company network, and try to pull a image from dockerhub, I just get the "docker: Network timed out while trying to connect to .... You may want to check your internet connection or if you are behind a proxy..".
I have edited the /var/lib/boot2docker/profile file by adding following two lines
export "HTTP_PROXY=http://me:mypassword#proxyhost:proxyport"
export "HTTPS_PROXY=http://me:mypassword#proxyhost:proxyport"
rebooted the docker machine and try to pull an image and get the following error;
Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate signed by unknown authority
edit: CA certification details
The problem is your corporate proxy is using it's own SSL certificate which Docker doesn't trust. What you're going to have to do is to download a copy of the CA certificate and trust it on any machines you want to use behind the firewall. Check this answer for how to trust a certificate:
Docker behind proxy that changes ssl certificate