Is there a security hole in adding TLS security to docker port?

I’ve been following the guide at: https://docs.docker.com/engine/security/https/ to open up and protect my Docker daemon socket. My use case is to use the Docker plugin for Jenkins in a CI environment and to get the Docker host to spawn slaves.

I believe that I’ve installed some self-signed certificates successfully, and if I execute a curl command such as:

curl https://HOSTNAME:2376/version

I get a suitable message indicating that this is a self-signed cert and that curl doesn’t like it:

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I then go on to use the -k option on curl for fun, and that’s where I have a concern and a question:

{"Version":"17.05.0-ce","ApiVersion":"1.29","MinAPIVersion":"1.12","GitCommit":"89658be","GoVersion":"go1.7.5","Os":"linux","Arch":"amd64","KernelVersion":"4.4.0-66-generic","BuildTime":"2017-05-04T22:10:54.638119411+00:00"}

I was not expecting this result. I then try:

#  curl https://HOSTNAME:2376/version -k -v
*   Trying [ipaddress removed]
* Connected to HOSTNAME ([ipaddress removed]) port 2376 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* 	 server certificate verification SKIPPED
* 	 server certificate status verification SKIPPED
* 	 common name: HOSTNAME (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=HOSTNAME
* 	 start date: Tue, 26 Sep 2017 14:42:51 GMT
* 	 expire date: Wed, 26 Sep 2018 14:42:51 GMT
* 	 issuer: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=HOSTNAME
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET /version HTTP/1.1
> Host: HOSTNAME:2376
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Api-Version: 1.29
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/17.05.0-ce (linux)
< Date: Tue, 26 Sep 2017 15:27:07 GMT
< Content-Length: 225
< 
{"Version":"17.05.0-ce","ApiVersion":"1.29","MinAPIVersion":"1.12","GitCommit":"89658be","GoVersion":"go1.7.5","Os":"linux","Arch":"amd64","KernelVersion":"4.4.0-66-generic","BuildTime":"2017-05-04T22:10:54.638119411+00:00"}
* Connection #0 to host HOSTNAME left intact

Have I done something wrong or has curl requested the response over HTTP and Docker has complied?

Thanks in advance.
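One way to check what the output above actually means, as an added example that is not part of the original post: the script below repeats the poster's anonymous `curl -k` probe against `https://HOSTNAME:2376/version` and then a second probe that presents the client certificate from the Docker docs guide, and reports whether the daemon enforces client-certificate (mutual) TLS. It assumes the guide's file names `ca.pem`, `cert.pem` and `key.pem` in a directory given as the second argument (default `~/.docker`); the host name and port 2376 are taken from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Probes a Docker daemon on tcp/2376
# anonymously (the poster's "curl -k") and with the client cert from the Docker
# docs guide (ca.pem, cert.pem, key.pem in CERT_DIR, assumed default ~/.docker).
# Usage: sh docker-tls-check.sh HOSTNAME [CERT_DIR]

# Print the HTTP status curl obtained for one probe; curl's %{http_code}
# is "000" when the TLS handshake fails and no HTTP response arrives.
probe_status() {
    host=$1; mode=$2
    if [ "$mode" = "anon" ]; then
        curl -s -k -o /dev/null -w '%{http_code}' \
            "https://$host:2376/version" 2>/dev/null || true
    else
        curl -s --cacert "$CERT_DIR/ca.pem" --cert "$CERT_DIR/cert.pem" \
            --key "$CERT_DIR/key.pem" -o /dev/null -w '%{http_code}' \
            "https://$host:2376/version" 2>/dev/null || true
    fi
}

# Interpret the pair of results. A daemon started with --tlsverify rejects
# the anonymous handshake (no status) and answers the authenticated probe
# with 200. A 200 on the anonymous probe means the daemon only has --tls:
# the connection is encrypted, but any client that can reach the port is
# accepted, which is what the JSON reply in the question shows.
assess() {
    anon=$1; authed=$2
    if [ "$anon" = "200" ]; then
        echo "OPEN: daemon answers anonymous TLS clients (--tls without --tlsverify)"
        return 2
    elif [ "$anon" = "000" ] && [ "$authed" = "200" ]; then
        echo "OK: daemon requires a client certificate signed by ca.pem (--tlsverify)"
        return 0
    else
        echo "UNKNOWN: anonymous=$anon client-cert=$authed (check host, port, cert paths)"
        return 1
    fi
}

main() {
    CERT_DIR=${2:-$HOME/.docker}
    anon_status=$(probe_status "$1" anon)
    authed_status=$(probe_status "$1" client)
    assess "$anon_status" "$authed_status"
}

# Only probe when a host is given, so the functions can be sourced or tested.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

An exit status of 2 ("OPEN") is the condition the question describes: the daemon should be restarted with `--tlsverify` and `--tlscacert` so that only certificates signed by your CA are accepted.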

Hello, all forum mates. I have a question regarding home security. I know it is not connected to this topic, but I think someone will be able to help me here because my question is similar to the topic of modern technologies. I would like to replace the home security system I use now. It has become too old-fashioned by now. So, I am choosing between several options, including the Ajax system - https://ajax.systems/. It works without a Wi-Fi connection. As I understand, the SIM card option is more reliable than Wi-Fi-connected systems, so this variety would definitely be the best one for me. What do you think about it? Do you know any useful tips for choosing a security system? I will be very thankful if you share them.