[Docker] Configure Custom TLS Certificates for Docker API Using Docker-in-Docker

Hey there! Have you ever wanted to configure custom TLS certificates for Docker API, but didn’t want to mess up your local Docker environment before you’re sure everything is working smoothly? Well, fear not! I’ve got a secret recipe for you that involves using Docker-in-Docker (DinD) to run a temporary Docker container with custom TLS certificates mounted.

To get started, let’s say you already have your custom TLS certificates ready in `/tmp/certs`. Run the following command to start a temporary Docker-in-Docker container with those certificates mounted:

```sh
docker run -d --rm \
  --privileged --name docker-api-tls \
  -p 0.0.0.0:2376:2376 \
  -v /tmp/certs:/certs \
  -e DOCKER_TLS_CERTDIR=/certs \
  docker:dind
```

You might be wondering why the port is 2376 instead of 2375. That’s because 2376 is the default Docker API port when TLS is enabled, while 2375 is the unencrypted one. Check out the DinD documentation for more details.

Now it’s time to test the Docker API with custom TLS certificates! Use the following command:

```sh
curl \
  --cert client-cert.pem \
  --key client-key.pem \
  --cacert ca.pem \
  --tlsv1.2 \
  https://<docker-server>:2376/images/json
```

If you haven’t run any Docker commands inside the temporary container yet, the image list comes back as an empty JSON array. Hooray!

```json
[]
```

Once you’re confident that everything is working perfectly, you can stop the temporary container and make your real Docker daemon accept only connections from clients presenting a certificate signed by your CA, with this command:

```sh
dockerd \
    --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=server-cert.pem \
    --tlskey=server-key.pem \
    -H=0.0.0.0:2376
```
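As an added example that is not part of the original post, here is a small Python smoke test for the setup above: it builds a TLS context with the same properties as the curl flags (pinned CA, TLS 1.2 or newer, client certificate), fetches `/images/json`, and then confirms that a client presenting no certificate is refused, which is the whole point of `--tlsverify` on a daemon bound to `0.0.0.0:2376`. The host, port and file names (`ca.pem`, `client-cert.pem`, `client-key.pem`) are taken from this page and are assumptions about your layout.

```python
# Added example, not code from the original post. Assumes the file names used
# above (ca.pem, client-cert.pem, client-key.pem) and a daemon on port 2376.
import http.client
import json
import ssl

def build_client_context(ca=None, cert=None, key=None):
    """Mirror the curl flags above: pinned CA, TLS >= 1.2, server cert
    required; load a client cert only when asked (mTLS vs anonymous)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx

def context_summary(ctx):
    """Plain values of the settings that matter when reviewing a context."""
    return {"min_version": ctx.minimum_version.name,
            "verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}

def docker_get(host, port, path, ctx):
    """GET a Docker API path over TLS; returns (status, parsed JSON|None)."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)
    finally:
        conn.close()

def check_tls_enforced(host, port=2376, ca="ca.pem",
                       cert="client-cert.pem", key="client-key.pem"):
    """A CA-signed client must get 200 + a JSON list from /images/json; a client
    with no certificate must be refused in the TLS handshake. If the second
    probe succeeds, --tlsverify is not in effect and the port is wide open."""
    status, images = docker_get(host, port, "/images/json",
                                build_client_context(ca, cert, key))
    authenticated_ok = status == 200 and isinstance(images, list)
    try:
        docker_get(host, port, "/images/json", build_client_context(ca))
        anonymous_rejected = False
    except (ssl.SSLError, ConnectionError):
        anonymous_rejected = True
    return {"authenticated_ok": authenticated_ok,
            "anonymous_rejected": anonymous_rejected}
```

Run `check_tls_enforced("<docker-server>")` against the temporary DinD container first and again after switching your real daemon to `--tlsverify`; both keys should be `True` each time.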

If you’re not sure how to generate the custom TLS certificates, don’t worry! You can check out the official documentation for detailed instructions.

By the way, my colleagues and I have found that DinD is incredibly useful in our daily development, especially when we need to create tons of Docker instances for edge development and testing. Why not explore it more? I hope this solution helps you as much as it has helped us!
