Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

docker --tls vs --tlsverify

Tags:

docker

ssl

The docker cli tool provides two options for tls auth: --tls and --tlsverify.

What's the difference between these two options?

I've set up my remote docker daemon to use some TLS certs I've made using openssl. I'm able to connect to the daemon using the --tls flag but not using the --tlsverify

like image 625
bhurlow Avatar asked Mar 23 '16 19:03

bhurlow

People also ask

What is Docker TLS?

Docker supports using TLS certificates (both on the server and the client) to provide proof of identity. When set up correctly it will only allow clients/servers with a certificate signed by a specific CA to talk to eachother.

How do I disable Docker TLS?

The proxy automatically detects the Docker daemon's TLS configuration, and attempts to duplicate it. To disable auto-detection of TLS configuration, you can either pass the --no-detect-tls flag, or you can manually configure the proxy's TLS using the same TLS-related command-line flags supplied to the Docker daemon.

What is the difference between Docker and Dockerd?

Docker is a broad set of technologies that are used to work with containers. containerd is an example of a container runtime. A container runtime is that process that does the actual work of creating, running, and destroying containers.

1 Answers

If you "made" the certificates yourself (i.e., self-signed), it's unlikely that the certificates can be verified. Using the --tls option simply instructs Docker to use the certificates as-is without verifying the certificate with root authorities. --tlsverify requires that the certificate can be verified with a root authority before it is used.

See https://docs.docker.com/engine/security/https/ for more details, specifically (emphasis mine):

If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.

In the daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In the client mode, it will only connect to servers with a certificate signed by that CA.

In other words, the behavior you're experiencing is less of a Docker problem and more of a certificate problem.

like image 182
Aaron Burke Avatar answered Oct 05 '22 03:10

Aaron Burke
Sign in to Comment

Related questions

Qt "Creating SSL context" error in few computers
SSL Client on Android
Java SSL Exception - "Prime size must be a multiple of 64..." [duplicate]
How to use openSSL with memory BIOs and non blocking sockets
Java NIO and SSL
Node.js client certificate authentication on some paths only
Client Certificate Mapping Authentication in self-hosted Owin endpoint
Simple RMI Server with SSL
Nginx ssl_verify_client and proxy_pass [closed]
Trusting self signed certificate with Python requests
Server-side support for TLS-PSK [closed]
Websocket SSL handshake failure
nginx - Disable http to https redirect?
Boost ASIO, SSL: How do strands help the implementation?
How to automatically accept SSL certs in chrome?
Heroku: Spring Boot Gradle app with https tomcat server and certificate pinning
AWS CloudFront to host SSL and forward on to sendgrid not working
How to manage SSL key for self host HTTPS
Unable to verify the first certificate
Retrieve public server certificate key during handshake

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!