What is the best way to manage cert/key for Docker containers that must talk TLS

Tags: docker, ssl

I am moving my applications to Docker, and I'm not sure how to handle managing the cert/key. In a single host, I have two Docker containers that must listen/communicate over TLS to a number of client machines. Before Docker, I had a single server key and self-signed cert, and my clients were using the self-signed cert to communicate with the server applications.

But now that they are separate Docker containers, what is the right methodology? Do I push the certs/key to directories in the container? If so, then my Dockerfile would need to COPY the cert/key, and I don't want the key to be part of the checked-in image. (security)

Or, do I use a VOLUME and hold the key/cert on the host machine? I tried that, but the container root user could not see the private key, which was read-only for the host root user.

What is really the right way to do this? Thanks

asked by cybergoof, Oct 12 '14 04:10


2 Answers

I know this is an old question but I came up with a somewhat similar but more generic approach. My solution is to create a data-only container which mounts the certificates and their keys as /etc/ssl/certs/host/ and /etc/ssl/private/host/. Name it for example certificates. In upcoming containers you can use these certificates easily by using --volumes-from certificates.

answered by domachine, Sep 19 '22 15:09


Took me some time, but I figured out how to do it.

On the RUN command line, you can mount a host directory as a data volume. This doesn't work by using the VOLUME in Dockerfiles. You use the switch -v hostdir:datavolume

http://docs.docker.com/userguide/dockervolumes/

I used this to connect the container's data volume to the host directory that stored the keys and certs.

Thanks

answered by cybergoof, Sep 22 '22 15:09
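The host-directory approach from the two answers, with the permission problem from the question handled up front, as an added example that is not code from the thread: it checks that the private key on the host is owned and readable by the uid the container process runs as (the question's "container root could not see the key" failure) and is not world-readable, then builds the docker run line that mounts the cert and key directories read-only at the paths the first answer uses. Assumed: GNU stat (Linux), a server.key file name, and an application uid passed in by the caller; the group-read case is not handled.

```shell
#!/bin/sh
# Added example (not from the thread). Verify a host-held TLS private key is
# usable by the container's uid before mounting it read-only with -v.
# Assumes GNU stat; the key is expected to be owned by the container uid.

# key_perms_ok KEYFILE UID
#   0 = readable by UID and not world-readable
#   1 = file missing, 2 = world-readable, 3 = not readable by UID
key_perms_ok() {
    key="$1"; uid="$2"
    [ -f "$key" ] || return 1
    mode=$(stat -c '%a' "$key") || return 1
    owner=$(stat -c '%u' "$key") || return 1
    mode="${mode#"${mode%???}"}"      # keep the last three octal digits
    case "$mode" in
        *[4-7]) return 2 ;;            # "other" read bit set: key is world-readable
    esac
    [ "$owner" = "$uid" ] || return 3  # the container uid must own the key
    case "$mode" in
        [4-7]??) return 0 ;;           # owner read bit set
        *) return 3 ;;
    esac
}

# docker_run_cmd NAME IMAGE CERTDIR KEYDIR UID
#   Prints (does not execute) the run line: both directories mounted read-only,
#   process started as UID so it can read the key without running as root.
docker_run_cmd() {
    printf 'docker run -d --name %s --user %s -v %s:/etc/ssl/certs/host:ro -v %s:/etc/ssl/private/host:ro %s\n' \
        "$1" "$5" "$3" "$4" "$2"
}

# Usage (assumed paths and names):
#   sh tls-mount.sh app myimage /srv/tls/certs /srv/tls/private 1000
if [ "$#" -eq 5 ]; then
    key_perms_ok "$4/server.key" "$5" || {
        echo "server.key not usable by uid $5 (rc=$?)" >&2
        exit 1
    }
    docker_run_cmd "$@"
fi
```

The check runs on the host, where the file is owned by the host uid; inside the container only the numeric uid matters, which is why --user is passed the same number.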