What are the names of the SSL certs that need to specified for connection to a SSL protected docker socket?

[kevdogg]

Hi --
I've read the documentation and it appears the watchtower can connect to a docker daemon over a protected SSL TCP connection.

My docker daemon on the host is started with the following parameters (using systemd):

ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/certs/CA.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem

When trying to connect to the docker daemon on the host I set up things similar to how the docker documentation specified:

I created a .docker directory within the root's home directory
The CA cert needed to be specifically named ca.pem, client cert specifically named cert.pem and client key specifically named key.pem.
export DOCKER_HOST=tcp://xxxxx.com:2376 DOCKER_TLS_VERIFY=1

So having setting this up on the docker host, I'm trying to determine how to set this up within the watchtower container.
I'm not running Docker machine, so I don't know what the certificates are specifically called. The instructions say:

"you simply need to volume mount the certificates generated by docker-machine into the watchtower container and optionally specify --tlsverify flag."

What are the names of the certs that have contained within the /etc/ssl/docker directory? ca.pem, cert.pem and key.pem??? The instructions aren't really clear.

Thanks for any information

[piksel]

I have never tried it, but from what I see in the documentation you can simply mount the folder where you placed your client certs somewhere (like /etc/ssl/docker) and point to that folder in the environment variable DOCKER_CERT_PATH.
It should be the same files as for the docker client, are you trying to mount them individually?

[kevdogg]

I've got it working however I had to do some research and perhaps you could change to documentation to reflect or be more specific.
The three files in the directory need to be name ca.pm, cert.pem and key.pem. From my testing they can't be named anything else since there is a setting like "CA_FILE=customca.pem", "CERT_FILE=customcert.pem", "KEY_FILE=customkey.pem". Some people use the .crt extension which I didn't test for. I've run into this problem with other programs as well such as docker itself when you have to drop client file within a ~/.docker directory. The client cert file need to be named similarly (ca.pem, cert.pem, key.pem). A lot of times when making self-signed certs I like to be more descriptive in my naming scheme since with multiple certs and keys its a lot easier to recognize them by name rather than the folder they are in.

[piksel]

Yeah, I guess the reason for it not being mentioned in our documentation is that it's just forwarding it to the docker client which may have those restrictions.