Currently Docker has its own CA certificate.
Is there a way to let Swarm know to use a custom certificate rather than the CA cert generated by the docker init step?
Below is what we tried:
Tried to detach and re-attach.
Below is the blog URL tried:
Below is the error message:
server name]# docker swarm ca --rotate --ca-cert custom.crt --ca-key custom.key
Error response from daemon: rpc error: code = Internal desc = unable to generate a cross-signed certificate for root rotation
Thank you for your response. Yes, that is correct. The security team has deemed this a security vulnerability and wants to replace it with actual certified certificates.
Could you elaborate on what the attack vector would look like and how a self-created CA would mitigate that potential problem? You should definitely challenge your security team in this regard!!
A self-signed cert with the hostname doesn't match the CN = swarm or swarm manager. The CN is not the hostname, so the scanner is reporting that we are using an "invalid cert".
Valid point for HTTPS traffic exposed to the internet.
Though, the port for Swarm management traffic is purely technical and by no means to be exposed to the internet. I consider this problem to be purely cosmetic.
I have seen plenty of Docker Enterprise installations and didn't encounter anyone so far who felt the need to act on what your security team asks you to do.
Are you using the built-in Docker Swarm mode? Or are you using the old standalone Docker Swarm? The content addresses the second and will not work for the first.
Thanks for your response!
In our current setup we installed Docker on multiple VMs and then ran docker swarm init to switch to Swarm mode and docker swarm join to add more nodes to the cluster.
This is a Docker document which mentions the use of rotate to push a server certificate with CN names, which could be run when initializing Docker: https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
Question: is this documentation applicable to our current setup? If not, can you please help us with an official Docker document which mentions that this is not applicable and that we need to use the default CA.
Right now I am trying to get the location of where certificates are placed on Linux servers. We can replace the certificate created using rotate with 3rd-party certificates. Any response would be appreciated. I have tried the locations from the Docker documentation but could not find the same.
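The error quoted above is about cross-signing: during a root rotation the old root must sign the new root's public key so that nodes which still trust only the old root keep validating certificates issued by the new one. The Go program below is an added example, not code from this thread or from Docker itself: it uses only the standard library's crypto/x509 on constructed test certificates to show the pre-flight a --ca-cert/--ca-key pair has to pass (CA:TRUE, keyCertSign, key matches cert) and what the cross-signed bridge certificate achieves; names such as issue, CheckRotationInputs and CrossSign are this example's own, not Docker's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// issue signs a cert for pub with signer's key; parent == nil means self-signed. Constructed test data only.
func issue(cn string, usage x509.KeyUsage, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// CheckRotationInputs is the pre-flight a custom CA cert/key pair must pass before the old
// root can cross-sign it: a CA cert allowed to sign certificates, with the matching key.
func CheckRotationInputs(c *x509.Certificate, k *ecdsa.PrivateKey) bool {
	pub, ok := c.PublicKey.(*ecdsa.PublicKey)
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0 && ok && pub.Equal(&k.PublicKey)
}

// CrossSign reissues the new root's subject and public key under the old root's key: the
// bridge cert that lets nodes trusting only the old root validate certs from the new one.
func CrossSign(oldRoot *x509.Certificate, oldKey *ecdsa.PrivateKey, newRoot *x509.Certificate) *x509.Certificate {
	return issue(newRoot.Subject.CommonName, caUsage, newRoot.PublicKey.(*ecdsa.PublicKey), oldRoot, oldKey)
}

// ValidUnderOldRoot reports whether a node cert chains to oldRoot through bridge.
func ValidUnderOldRoot(oldRoot, bridge, node *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(oldRoot)
	inter.AddCert(bridge)
	_, err := node.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
```

A node certificate issued by the new root fails to verify against the old root alone and succeeds once the cross-signed bridge is present, which is the state a rotation has to reach before the old root can be retired.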