Docker Community Forums


Replace Expired Cert for Docker Daemon Socket

Security scans have shown that the certificate for the TCP docker sock located at port 9001 has expired.

The documentation here explains how to protect the docker daemon socket by creating a CA certificate:

However, the documentation does not explain how to replace an expired cert. I have newly created certs hostname.crt, hostname.csr, and hostname.jks available. How do I detach the expired cert from the docker socket, and attach a new cert? I would like to set it up to only use a TLS 1.2 connection.

I have tried going through the above steps to create ca.pem, cert.pem, and key.pem files using my hostname.csr file, but I am running into this error:

$ dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2377
listen tcp 0.0.0.0:2377: bind: address already in use
$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=cstmditlvlnx54.dev.local:2377 version
Client:
 Version:      17.09.0-ce
 API version:  1.32
 Go version:   go1.8.3
 Git commit:   afdb6d4
 Built:        Tue Sep 26 22:41:23 2017
 OS/Arch:      linux/amd64
error during connect: Get https://<hostname>:2377/v1.32/version: x509: certificate is valid for swarm-manager, dbacsvpspwkeimy9cr8fe2uqd, swarm-ca, not <hostname>
$ sudo docker info
Containers: 48
 Running: 0
 Paused: 0
 Stopped: 48
Images: 33
Server Version: 17.09.0-ce
Storage Driver: overlay
 Backing Filesystem: xfs
 Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
 NodeID: dbacsvpspwkeimy9cr8fe2uqd
 Is Manager: true
 ClusterID: p8pp1gurblaoendeanjc04lv6
 Managers: 1
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 4 weeks
  Force Rotate: 3
 Autolock Managers: false
 Root Rotation In Progress: false
 Node Address: ######
 Manager Addresses:
  #######:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-1127.8.2.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.8 (Maipo)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.777GiB
Name: <hostname>
ID: RCPU:PSF5:DJ7D:JECW:X7CF:GWP6:52QE:K7LR:OASA:7LQX:SPX6:QIFX
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 <url>:9091
 <url>:9092
 cstmdevlvrpo51:9091
 127.0.0.0/8
Live Restore Enabled: false
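Added example, not code from the post or from Docker itself. Both `dockerd` and the `docker` client are written in Go, and the `x509: certificate is valid for swarm-manager, dbacsvpspwkeimy9cr8fe2uqd, swarm-ca, not <hostname>` line above is the output of Go's own `crypto/x509` hostname check: the names it lists (swarm-manager, the NodeID shown by `docker info`, swarm-ca) are those of the Swarm node certificate, because 2377 is the Swarm manager port that the already-active manager is listening on, which is also why the second `dockerd` got `address already in use`. The program below reproduces the three checks a scanner or a `--tlsverify` client applies to a daemon socket, with a CA playing the role of `ca.pem`: certificate expiry, a SAN equal to the name given to `-H`, and a server that accepts nothing older than TLS 1.2. The hostname `cstm-example.dev.local` and the CA name are constructed placeholders, and the loopback TLS server stands in for the daemon; it is not `dockerd`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// daemonHost is a constructed placeholder; the post redacts the real hostname.
const daemonHost, year = "cstm-example.dev.local", 365 * 24 * time.Hour

// template builds a CA template (the role of ca.pem) when isCA, otherwise a server
// template (server-cert.pem) whose SAN is cn; a negative validFor makes it expired.
func template(cn string, validFor time.Duration, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-30 * 24 * time.Hour), NotAfter: time.Now().Add(validFor),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // the SAN is what a client compares the -H hostname against
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a P-256 key and signs tmpl with parent/parentKey (self-signed when parent is nil).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// handshake serves cert on loopback with TLS 1.2 as the minimum, then dials it with a client
// pinned to ver that verifies against roots and serverName; the client-side error is returned.
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, serverName string, ver uint16) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: the first Read drives the handshake; failures reach the client as alerts
		if c, err := ln.Accept(); err == nil {
			_, _ = c.Read(make([]byte, 1))
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: ver, MaxVersion: ver})
	if err != nil {
		return err
	}
	return conn.Close()
}

// runScenarios returns the client-side result (nil means connected) for an expired cert,
// a SAN mismatch shaped like the post's error, a TLS 1.1 client, and a fresh cert over TLS 1.2.
func runScenarios() (map[string]error, error) {
	ca, caKey, err := makeCert(template("example-docker-ca", 10*year, true), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // the trust store a client loads via --tlscacert
	roots.AddCert(ca)
	try := func(san string, validFor time.Duration, ver uint16) error {
		cert, key, err := makeCert(template(san, validFor, false), ca, caKey)
		if err != nil {
			return err
		}
		return handshake(cert, key, roots, daemonHost, ver)
	}
	return map[string]error{
		"expired":   try(daemonHost, -24*time.Hour, tls.VersionTLS12),
		"wrongName": try("swarm-manager", year, tls.VersionTLS12),
		"tls11":     try(daemonHost, year, tls.VersionTLS11),
		"fresh":     try(daemonHost, year, tls.VersionTLS12),
	}, nil
}

func main() {
	results, err := runScenarios()
	fmt.Println(results, err)
}
```

Only the `fresh` scenario connects; the other three fail on the client side with the same kinds of messages `docker --tlsverify` prints. The practical reading for the replacement: the new `server-cert.pem` must carry a SAN equal to the exact name used on `-H` (check with `openssl x509 -noout -dates -ext subjectAltName -in server-cert.pem`), the daemon must be pointed at the new `tlscacert`/`tlscert`/`tlskey` files and restarted on the API port that was scanned rather than on 2377, and a TLS 1.2 floor can be confirmed afterwards by dialling the socket with a client that is limited to an older version and seeing the handshake refused.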