Docker Community Forums

Share and learn in the Docker community.

Installing SSL cert in Docker Swarm

swarm
docker

(Jimmy Chu) #1

Hi, I am using docker stack to deploy one service in multiple digital ocean droplets (replica > 1), one container per droplet. This is my app backend service.

I want to have a SSL cert & private key installed (and hopefully automatically renewed) so I can use TLS connection, with SSL termination setting, so data transfer from swarm LB to containers is unencrypted using port 80. I also use docker-machine cmd to setup my digital ocean ubuntu v16.04 droplet.

What is the best way of doing this?

I tried the following, and two issues arised:

  1. I am first generating the cert and private key with let’s encrypt somewhere else on a server with nginx installed (messing with my DNS also). After the cert/key generation, I then copy and install them back with docker swarm ca --rotate. But feel this approach is wrong.

  2. With 1. set, I tried curl the backend service. The port 80 is fine, but port 443 seems to be talking http protocol, and I see the following:

$ curl -vvv https://myurl.com:443/v1/check
*   Trying my.ip.address...
* Connected to myurl.com (my.ip.address) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 593 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

$ curl -vvv http://myurl.com:443/v1/check
*   Trying my.ip.address...
* Connected to myurl.com (my.ip.address) port 443 (#0)
> GET /v1/check HTTP/1.1
> Host: myurl.com:443
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sun, 09 Sep 2018 11:06:39 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding, Origin
< ETag: W/"843adc298b0b2ef417eabf2f82670fc9"
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: b201d205-4c63-4318-b965-cebabc056b29
< X-Runtime: 0.078911
< X-Rack-Cache: pass
<
* Connection #0 to host myurl.com left intact
{"status":"ok","container_id":"8bd9981213e7"}

Thank you for shedding light on this subject!

I have also asked the question here: