Docker Community Forums

I can't install OpenSSL certificate

docker

(Marcelse) #1

Hi community,

I've tried to install an OpenSSL certificate. I'm using as a reference https://docs.docker.com/engine/security/https/#/protect-the-docker-daemon-socket.

Following this how-to generated the log below:

[root@pmo ~]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
… …++
… … … …++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
140520554317728:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for ca-key.pem:
140520554317728:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

[root@pmo ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
unable to load Private Key
140007682615200:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140007682615200:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:483:
[root@pmo ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
unable to load Private Key
140540495300512:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140540495300512:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:483:
[root@pmo ~]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
…++
…++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
[root@pmo ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:SERGIPE
Locality Name (eg, city) [Default City]:ARACAJU
Organization Name (eg, company) [Default Company Ltd]:MY COMPANY'S NAME
Organizational Unit Name (eg, section) []:TI
Common Name (eg, your name or your server's hostname) []:PMO.MYDOMAIN
Email Address []:PMO@MYDOMAIN
[root@pmo ~]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
… …++
… …++
e is 65537 (0x10001)
[root@pmo ~]# openssl req -subj "/CN=PMO.MYDOMAIN" -sha256 -new -key server-key.pem -out server.csr

[root@pmo ~]# echo subjectAltName = IP:172.16.0.87,IP:127.0.0.1 > extfile.cnf   # my server's IP address
[root@pmo ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=PMO.MYDOMAIN
Getting CA Private Key
Enter pass phrase for ca-key.pem:
unable to load CA Private Key
140149989296032:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140149989296032:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:483:
[root@pmo ~]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
… …++
…++
e is 65537 (0x10001)
[root@pmo ~]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr
[root@pmo ~]# echo extendedKeyUsage = clientAuth > extfile.cnf
[root@pmo ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
unable to load CA Private Key
140501974198176:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140501974198176:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:483:
[root@pmo ~]# rm -v client.csr server.csr
rm: remove regular file 'client.csr'? y
removed 'client.csr'
rm: remove regular file 'server.csr'? y
removed 'server.csr'
[root@pmo ~]# chmod -v 0400 ca-key.pem key.pem server-key.pem
mode of 'ca-key.pem' changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of 'key.pem' changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of 'server-key.pem' changed from 0644 (rw-r--r--) to 0400 (r--------)
[root@pmo ~]# docker daemon --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
    -H=0.0.0.0:2376
FATA[0000] Error starting daemon: pid file found, ensure docker is not running or delete /var/run/docker.pid

[root@pmo ~]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=pmo.mydomain:2376 version
Could not load X509 key pair: crypto/tls: failed to parse certificate PEM data. Make sure the key is not encrypted

What’s wrong?

Best regards,

Marcel Almeida.
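Editor's added example, not part of the post above or of the Docker documentation it follows. Two things go wrong in the log: every "bad decrypt" from EVP_DecryptFinal_ex means the passphrase typed at that prompt is not the one ca-key.pem was encrypted with (the "result too small" lines are openssl rejecting a passphrase shorter than 4 characters), so both signing steps abort with "unable to load CA Private Key"; and because openssl had already opened cert.pem for writing before that failure, the client is later handed a cert.pem with no certificate in it, which is what Go's "failed to parse certificate PEM data" reports. The script below runs the same CA / server / client procedure non-interactively, reading the CA passphrase once from the environment (`env:` rather than `pass:`, so it never shows up in `ps`), and adds the checks that would have caught both problems. It assumes openssl is on PATH; the function names, the `KEY_BITS` override and the explicit CA config file (the docs rely on the v3_ca section of the system openssl.cnf instead) are mine, and the host name and IP are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the forum post or the Docker docs it follows.
# Non-interactive CA / server / client generation for the Docker daemon socket,
# plus the checks that expose the post's two failures (wrong CA passphrase,
# empty or encrypted client material). Assumes openssl on PATH and the CA
# passphrase in $CA_PASS, read via env: so it never appears in `ps` output.
# Host name, IP and file names are the ones used in the post.

# gen_docker_tls OUTDIR HOST IP: writes ca.pem, server-cert.pem/server-key.pem
# and cert.pem/key.pem into OUTDIR, the files dockerd and docker expect.
gen_docker_tls() {
    out=$1 host=$2 ip=$3
    bits=${KEY_BITS:-4096}
    # openssl rejects passphrases shorter than 4 characters ("result too small")
    [ "${#CA_PASS}" -ge 4 ] || { echo "CA_PASS must be at least 4 characters" >&2; return 1; }
    mkdir -p "$out" || return 1

    # CA key: encrypted; the same $CA_PASS is reused below, so it cannot be mistyped.
    openssl genrsa -aes256 -passout env:CA_PASS -out "$out/ca-key.pem" "$bits" || return 1

    # Self-signed CA certificate with explicit CA extensions, so the result does not
    # depend on the v3_ca section of the system openssl.cnf (the docs rely on it).
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = ca_ext' 'prompt = no' \
        '[ dn ]' "CN = Docker CA for $host" \
        '[ ca_ext ]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$out/ca.cnf"
    openssl req -new -x509 -days 365 -sha256 -key "$out/ca-key.pem" -passin env:CA_PASS \
        -config "$out/ca.cnf" -out "$out/ca.pem" || return 1

    # Server key is deliberately unencrypted: dockerd cannot prompt for a passphrase.
    openssl genrsa -out "$out/server-key.pem" "$bits" || return 1
    openssl req -new -sha256 -subj "/CN=$host" -key "$out/server-key.pem" \
        -out "$out/server.csr" || return 1
    printf '%s\n' "subjectAltName = DNS:$host,IP:$ip,IP:127.0.0.1" \
        'extendedKeyUsage = serverAuth' > "$out/server-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$out/server.csr" -CA "$out/ca.pem" \
        -CAkey "$out/ca-key.pem" -passin env:CA_PASS -CAcreateserial \
        -extfile "$out/server-ext.cnf" -out "$out/server-cert.pem" || return 1

    # Client key, also unencrypted ("Make sure the key is not encrypted").
    openssl genrsa -out "$out/key.pem" "$bits" || return 1
    openssl req -new -sha256 -subj '/CN=client' -key "$out/key.pem" \
        -out "$out/client.csr" || return 1
    printf '%s\n' 'extendedKeyUsage = clientAuth' > "$out/client-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$out/client.csr" -CA "$out/ca.pem" \
        -CAkey "$out/ca-key.pem" -passin env:CA_PASS -CAcreateserial \
        -extfile "$out/client-ext.cnf" -out "$out/cert.pem" || return 1

    rm -f "$out/server.csr" "$out/client.csr"
    chmod 0400 "$out/ca-key.pem" "$out/key.pem" "$out/server-key.pem"
    chmod 0444 "$out/ca.pem" "$out/server-cert.pem" "$out/cert.pem"
}

# ca_pass_ok DIR: does $CA_PASS unlock DIR/ca-key.pem? A failure here is the
# "bad decrypt" the post ran into; check this before signing anything.
ca_pass_ok() {
    openssl pkey -in "$1/ca-key.pem" -passin env:CA_PASS -noout
}

# check_docker_tls DIR IP: the checks docker effectively makes when it loads
# the files; returns non-zero on the first problem found.
check_docker_tls() {
    dir=$1 ip=$2
    for pair in server-cert.pem:server-key.pem cert.pem:key.pem; do
        crt=${pair%%:*} key=${pair##*:}
        # leaf chains to the CA (a cert file with no certificate in it, as left
        # behind by a failed signing step, fails right here)
        openssl verify -CAfile "$dir/ca.pem" "$dir/$crt" >/dev/null || return 1
        # private key matches the certificate
        [ "$(openssl x509 -noout -modulus -in "$dir/$crt")" = \
          "$(openssl rsa -noout -modulus -in "$dir/$key")" ] || return 1
        # docker refuses encrypted keys
        if grep -q ENCRYPTED "$dir/$key"; then return 1; fi
    done
    # daemon IP must be in the server SAN; client cert must carry clientAuth
    openssl x509 -noout -text -in "$dir/server-cert.pem" | grep -q "IP Address:$ip" || return 1
    openssl x509 -noout -text -in "$dir/cert.pem" | grep -q 'TLS Web Client Authentication' || return 1
}
```

Usage: export `CA_PASS`, then `gen_docker_tls /etc/docker/tls pmo.mydomain 172.16.0.87 && ca_pass_ok /etc/docker/tls && check_docker_tls /etc/docker/tls 172.16.0.87`; only once that exits 0 point `dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem` and the client's `--tlscert=cert.pem --tlskey=key.pem` at the directory. Running `ca_pass_ok` on its own is the quickest way to tell a forgotten passphrase from a broken key file: if it fails, regenerate ca-key.pem rather than retrying the signing commands.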