Docker Community Forums


Validate Swarm Node Certificates

As a developer, I like to use the Jenkins automation server to trigger certain tasks. Some of these tasks should run on an external Docker server. Fortunately, a plugin is available to do this. However, it becomes difficult when trying to secure the connection between Jenkins and the remote Docker instance. This is due to the way e.g. Swarm creates certificates for its nodes. Take the following example:

sudo docker swarm init
sudo docker swarm ca --rotate --ca-cert /home/myuser/ca.pem --ca-key /home/myuser/ca-key-decrypted.pem

This initializes the current node as a swarm manager and automatically creates certificates for each node, signed by the CA we defined. So far so good. Let's take a look at the certificate created for the node:

sudo openssl x509 -in /var/lib/docker/swarm/certificates/swarm-node.crt | openssl x509 -noout -text

The result looks like this:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        0b:01:77:10:f0:7b:de:0c:17:22:94:d8:06:8b:bd:00:2a:c9:b5:3f
Signature Algorithm: sha512WithRSAEncryption
    Issuer: C=AB, ST=CD, O=EFGH, CN=myhostname.example.com
    Validity
        Not Before: Apr 23 09:14:00 2021 GMT
        Not After : Jul 22 10:14:00 2021 GMT
    Subject: O=bfhuczywedsxgk7qqlbewime9, OU=swarm-manager, CN=0il4objx3hnpuukfpmgnu1zqf
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            pub:
                04:67:8d:3d:9c:c4:0e:f3:eb:61:59:33:34:c6:76:
                41:bc:1e:6d:04:2f:23:4e:23:d0:a5:53:5a:ee:3d:
                b1:25:46:d4:cc:9f:c1:cf:9d:ad:91:36:c5:f7:62:
                9c:23:e3:3a:49:bd:f5:0b:b3:a7:5a:83:e0:09:75:
                4c:13:d6:c2:96
            ASN1 OID: prime256v1
            NIST CURVE: P-256
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Key Identifier:
            A7:21:A5:98:0A:14:8F:82:40:B6:EE:DB:DB:5B:41:F0:D1:65:3A:42
        X509v3 Authority Key Identifier:
            keyid:C4:7F:BD:20:6B:C4:69:BC:33:AC:5C:08:41:5C:D8:07:70:D5:2A:D3

        X509v3 Subject Alternative Name:
            DNS:swarm-manager, DNS:0il4objx3hnpuukfpmgnu1zqf, DNS:swarm-ca
Signature Algorithm: sha512WithRSAEncryption
     59:c6:83:58:e8:79:a5:19:ba:8e:23:4c:07:2a:b6:2b:b7:ca:
     ....

When trying to connect via TLS to the socket the dockerd of the swarm node is listening on (tcp://myhost.example.com:2377), the certificate cannot be verified, as the SANs “swarm-manager”, “0il4objx3hnpuukfpmgnu1zqf” and “swarm-ca” don't match the hostname “myhost.example.com”.

This leads to e.g. Jenkins not being able to connect to a remote Docker instance, as the certificate will never contain the hostname “myhost.example.com”. The certificate also does not contain an IP SAN that would allow connecting securely.

Please let me know how to handle this issue. It must be possible to connect to the API remotely without sacrificing security!

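The mismatch the post describes can be reproduced offline with Go's standard library, which is also what a Docker client uses under the hood. The program below is an added example, not code from the post or from Docker: it builds a self-signed certificate that carries only the three DNS SANs from the dump above (no IP SAN), then runs the same `VerifyHostname` check that `crypto/tls` applies after chain validation. The hostname `myhost.example.com` and the address `192.0.2.10` are assumed values standing in for the remote daemon; a second certificate issued with those as SANs shows what a client would accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// swarmSANs are the DNS SANs copied from the certificate dump in the post.
var swarmSANs = []string{"swarm-manager", "0il4objx3hnpuukfpmgnu1zqf", "swarm-ca"}

// newNodeCert builds a self-signed P-256 certificate with the given DNS and IP
// SANs. It is a constructed stand-in for the swarm node certificate; only the
// SAN layout matters for the hostname check demonstrated here, not the issuer.
func newNodeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	if len(dnsNames) == 0 {
		return nil, fmt.Errorf("at least one DNS SAN is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{OrganizationalUnit: []string{"swarm-manager"}, CommonName: dnsNames[0]},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameAccepted reports whether a TLS client dialing host would accept the
// identity in cert. A DNS host must match a DNS SAN; an IP literal must match
// an IP SAN. A certificate can chain perfectly to the CA and still fail here.
func hostnameAccepted(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	swarm, err := newNodeCert(swarmSANs, nil)
	if err != nil {
		panic(err)
	}
	// Assumed endpoint names a Jenkins plugin would actually dial.
	for _, h := range []string{"myhost.example.com", "192.0.2.10", "swarm-manager"} {
		fmt.Printf("swarm node cert, host %-20s accepted=%v\n", h, hostnameAccepted(swarm, h))
	}

	// A certificate issued for the daemon endpoint itself: hostname plus IP SAN.
	endpoint, err := newNodeCert([]string{"myhost.example.com"}, []net.IP{net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"myhost.example.com", "192.0.2.10", "swarm-manager"} {
		fmt.Printf("endpoint cert,   host %-20s accepted=%v\n", h, hostnameAccepted(endpoint, h))
	}
}
```

Run it with `go run main.go`. The swarm-style certificate is only accepted when the dialed name is literally one of its SANs, which is exactly the failure seen from Jenkins; the endpoint certificate is accepted for both the hostname and the IP. Against a live daemon the same check can be performed with `openssl s_client -connect host:port -verify_hostname host`.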