As a developer, I like to use the Jenkins automation server to trigger certain tasks. Some of these tasks should run on an external Docker server. Fortunately, a plugin is available to do this. However, it becomes difficult when trying to secure the connection between Jenkins and the remote Docker instance. This is due to the way e.g. Swarm creates certificates for its nodes. Take the following example:
sudo docker swarm init
sudo docker swarm ca --rotate --ca-cert /home/myuser/ca.pem --ca-key /home/myuser/ca-key-decrypted.pem
This initializes the current node as a swarm manager and automatically creates certificates for each node, signed by the CA we defined. So far so good. Let's take a look at the certificate created for the node:
sudo openssl x509 -in /var/lib/docker/swarm/certificates/swarm-node.crt | openssl x509 -noout -text
The result looks like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:01:77:10:f0:7b:de:0c:17:22:94:d8:06:8b:bd:00:2a:c9:b5:3f
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=AB, ST=CD, O=EFGH, CN=myhostname.example.com
        Validity
            Not Before: Apr 23 09:14:00 2021 GMT
            Not After : Jul 22 10:14:00 2021 GMT
        Subject: O=bfhuczywedsxgk7qqlbewime9, OU=swarm-manager, CN=0il4objx3hnpuukfpmgnu1zqf
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:67:8d:3d:9c:c4:0e:f3:eb:61:59:33:34:c6:76:
                    41:bc:1e:6d:04:2f:23:4e:23:d0:a5:53:5a:ee:3d:
                    b1:25:46:d4:cc:9f:c1:cf:9d:ad:91:36:c5:f7:62:
                    9c:23:e3:3a:49:bd:f5:0b:b3:a7:5a:83:e0:09:75:
                    4c:13:d6:c2:96
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                A7:21:A5:98:0A:14:8F:82:40:B6:EE:DB:DB:5B:41:F0:D1:65:3A:42
            X509v3 Authority Key Identifier:
                keyid:C4:7F:BD:20:6B:C4:69:BC:33:AC:5C:08:41:5C:D8:07:70:D5:2A:D3
            X509v3 Subject Alternative Name:
                DNS:swarm-manager, DNS:0il4objx3hnpuukfpmgnu1zqf, DNS:swarm-ca
    Signature Algorithm: sha512WithRSAEncryption
         59:c6:83:58:e8:79:a5:19:ba:8e:23:4c:07:2a:b6:2b:b7:ca:
         ....
When trying to connect via TLS to the socket the dockerd of the swarm node is listening on (tcp://myhost.example.com:2377), the certificate cannot be verified, as the SANs “swarm-manager”, “0il4objx3hnpuukfpmgnu1zqf” and “swarm-ca” don't match the hostname “myhost.example.com”.
This leads to e.g. Jenkins not being able to connect to the remote Docker instance, as the certificate will never contain the hostname “myhost.example.com”. The certificate also does not contain an IP SAN that would allow connecting securely.
Please let me know how to handle this issue. It must be possible to connect to the API remotely without sacrificing security!
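An added example, not part of the original post. The certificate under /var/lib/docker/swarm/certificates is the node identity swarm uses for its own mutual TLS on port 2377; the Engine API that Jenkins talks to is a separate TLS listener (conventionally port 2376), enabled with dockerd's --tlsverify, --tlscacert, --tlscert and --tlskey flags, and its server certificate is whatever you issue yourself. The script below issues a CA, a server certificate whose SANs carry the hostname and IP clients will actually dial, and a client certificate for --tlsverify, then performs the two checks a TLS client does (chain to the CA, dialed name present in the SANs) and shows that the swarm-style name "swarm-manager" is rejected. The hostname myhost.example.com, the IP 203.0.113.10, the CN "docker-ca", the client CN "jenkins" and all file names are assumptions chosen for the example; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the original post): issue a CA, a dockerd server
# certificate with DNS and IP SANs, and a client certificate, then run the
# checks a TLS client performs. Hostname, IP and file names are assumed values.
set -eu

HOST="${HOST:-myhost.example.com}"   # assumed hostname Jenkins will dial
IP="${IP:-203.0.113.10}"             # assumed IP (TEST-NET-3, documentation range)
WORK="${WORK:-$(mktemp -d)}"         # scratch directory for keys and certs

# Minimal req config so nothing depends on a system openssl.cnf.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = docker-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA on a P-256 key (same curve as the swarm certificate in the post).
make_ca() {
  write_req_config
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/ca-key.pem" 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -config "$WORK/req.cnf" \
    -key "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf certificate signed by the CA.
# $1 = file prefix, $2 = CN, $3 = extendedKeyUsage, $4 = subjectAltName list (may be empty)
issue_leaf() {
  prefix="$1"; cn="$2"; eku="$3"; san="$4"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/$prefix-key.pem" 2>/dev/null
  openssl req -new -sha256 -config "$WORK/req.cnf" -subj "/CN=$cn" \
    -key "$WORK/$prefix-key.pem" -out "$WORK/$prefix.csr" 2>/dev/null
  # Extensions are set at signing time so the CA, not the requester, decides them.
  {
    echo "basicConstraints = critical,CA:FALSE"
    echo "keyUsage = critical,digitalSignature"
    echo "extendedKeyUsage = $eku"
    echo "subjectKeyIdentifier = hash"
    echo "authorityKeyIdentifier = keyid,issuer"
    if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
  } > "$WORK/$prefix-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$WORK/$prefix.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/$prefix-ext.cnf" -out "$WORK/$prefix-cert.pem" 2>/dev/null
}

# Check 1: the server certificate chains to our CA.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Check 2: the name (or IP) the client dials is present in the SANs.
# "does NOT match" never contains the substring "does match", so grep decides.
host_matches() {
  openssl x509 -in "$WORK/server-cert.pem" -noout -checkhost "$1" 2>/dev/null \
    | grep -q 'does match'
}
ip_matches() {
  openssl x509 -in "$WORK/server-cert.pem" -noout -checkip "$1" 2>/dev/null \
    | grep -q 'does match'
}

demo() {
  make_ca
  issue_leaf server "$HOST" serverAuth "DNS:$HOST,IP:$IP"
  issue_leaf client jenkins clientAuth ""
  chain_ok || { echo "server cert does not chain to CA"; exit 1; }
  host_matches "$HOST" || { echo "SAN check failed for $HOST"; exit 1; }
  ip_matches "$IP" || { echo "SAN check failed for $IP"; exit 1; }
  # A swarm-style SAN set would fail exactly here: the dialed name is absent.
  host_matches swarm-manager && { echo "unexpected match for swarm-manager"; exit 1; }
  echo "ok: $WORK/ca.pem server-cert.pem server-key.pem client-cert.pem client-key.pem"
}

demo
```

With these files, the daemon side is dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H tcp://0.0.0.0:2376, and a client check is docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H tcp://myhost.example.com:2376 version; on the Jenkins side the client key, client certificate and ca.pem are what the connection presents and trusts. The swarm certificates are left untouched, since they serve swarm's internal traffic on 2377 and are not what the API listener uses.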