Docker Community Forums

Specify SSL cert for the web interface


(James) #1

I’d like to be able to provide UCP with a vendor signed SSL cert for its web connections. As far as I could see, my only option is to provide a CA cert at installation time, which I am not able to do. I’m happy to have UCP use its internally generated certs to secure communication to all of the nodes, but I’d like the web interface to be secured with more than a self-signed cert, since I am going to be asking my devs to provide their LDAP credentials to log in.

Trusted Registry made this process very easy, and I’d like to see the same functionality in UCP. If there is a method I am missing, please let me know.

Thank you,
-James


(Vivek Saraswat) #2

Hi James,

Just wanted to check, but is there a reason why the following from the documentation (https://docs.docker.com/ucp/reference/install/) doesn’t work for you?

“You can optionally use an externally generated and signed certificate for the UCP controller by using the --external-ucp-ca. Create a storage volume named ucp-controller-server-certs with ca.pem, cert.pem, and key.pem in the root directory before running the install.”

The parameter flag name is slightly confusing–what is actually being asked for is not a full CA but a server certificate, which is, I believe, what you are looking for. We may change the flag name in a later release to be more consistent with this.
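
An added example, not part of the original thread and not Docker's own tooling: a shell preflight for the three files the documentation quoted in post #2 asks for, checking that key.pem matches cert.pem, that cert.pem verifies against ca.pem, and that the certificate is not close to expiry before the files go into the `ucp-controller-server-certs` volume. The function names, the 30-day margin and the busybox helper container are assumptions.

```shell
#!/usr/bin/env bash
# Added example: preflight checks for the ca.pem / cert.pem / key.pem set.
# Assumptions: files are PEM, key.pem is unencrypted, ca.pem holds the chain
# up to the root, and 30 days is an arbitrary default expiry margin.

check_ucp_certs() {
    local dir="$1" min_days="${2:-30}" f cert_pub key_pub
    for f in ca.pem cert.pem key.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 2; }
    done

    # The private key must belong to the server certificate: derive the
    # public key from each file and compare them.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) \
        || { echo "cert.pem is not a readable certificate" >&2; return 3; }
    key_pub=$(openssl pkey -in "$dir/key.pem" -passin pass: -pubout 2>/dev/null) \
        || { echo "key.pem is not a readable unencrypted key" >&2; return 3; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key.pem does not match cert.pem" >&2; return 3; }

    # The server certificate must chain to the CA bundle shipped beside it.
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 \
        || { echo "cert.pem does not verify against ca.pem" >&2; return 4; }

    # Refuse a certificate that expires inside the margin.
    openssl x509 -in "$dir/cert.pem" -noout -checkend $((min_days * 86400)) \
        >/dev/null || { echo "cert.pem expires within $min_days days" >&2; return 5; }
    echo "ok"
}

# Copy the validated files into the root of the named volume. The busybox
# helper container is an assumption; any image with cp works.
load_ucp_cert_volume() {
    local src
    check_ucp_certs "$1" || return
    src=$(cd "$1" && pwd) || return
    docker run --rm -v "$src":/src:ro -v ucp-controller-server-certs:/dst \
        busybox cp /src/ca.pem /src/cert.pem /src/key.pem /dst/
}
```

Running `load_ucp_cert_volume ./certs` on the controller host before the install with `--external-ucp-ca` populates the volume only when all three checks pass.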


(James) #3

I read that section quickly and the name of the option led me to believe that it was asking for an intermediate cert to sign all of the internal certs UCP generates. Now that you point it out, that seems like exactly what I need.

Thank you for your help!

-James


(James) #4

Out of curiosity, are there any plans to include a similar interface to the one that DTR uses? The cert will expire in three years, and I’d like to be able to replace it without having to reinstall.

Thank you,
-James


(Vishnu Bharathi) #5

It would be really helpful to have this feature in UCP. DTR made life much easier with this feature.


(Vivek Saraswat) #6

What is the particular feature request here? Or is it specifically about doing it the same way DTR does?


(James) #7

Any way to update the web interface cert without having to do a complete reinstall would be great. Command line or web based.

Thank you,
-James


(Vivek Saraswat) #8

Understood. You can expect the ability to regenerate certs without reinstall in the next release of UCP.