Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to setup remote docker hosts with a TLS certificate? #2353

Closed
2 tasks done
FastHogi opened this issue Nov 26, 2022 · 4 comments · Fixed by #2852
Closed
2 tasks done

How to setup remote docker hosts with a TLS certificate? #2353

FastHogi opened this issue Nov 26, 2022 · 4 comments · Fixed by #2852
Labels
help

Comments

@FastHogi
Copy link

⚠️ Please verify that this bug has NOT been raised before.

  • I checked and didn't find similar issue

🛡️ Security Policy

📝 Describe your problem

First of all, thank you very much for this beautiful peace of software. I'm using it since a couple of month now without any big issues.

I'm monitoring multiple remote machines which are running different docker containers. I'm able to access these containers via docker remote port 2375 successfully. But port 2375 is not protected by default, which is a security risk. Now I protected my docker sockets with a TLS certificate as decribed here.

In WhatUpDocker I can access the socket with a TLS client certifacte successfully with the follwing docker-compose settings:

version: '3'
services:
  whatsupdocker:
    image: fmartinou/whats-up-docker:latest
    container_name: whatsupdocker
    restart: always
    volumes:
      - /data/certificates/ca-public.pem:/tmp/ca-public.pem
      - /data/certificates/client-certificate.pem:/tmp/client-certificate.pem
      - /data/certificates/client-key.pem:/tmp/client-key.pem
    ports:
      - 3010:3000
    environment:
      - TZ=Europe/Berlin
      - WUD_WATCHER_PILIVE_CRON=4 4 * * *
      - WUD_WATCHER_PILIVE_HOST=192.168.1.20
      - WUD_WATCHER_PILIVE_PORT=2376
      - WUD_WATCHER_PILIVE_CAFILE=/tmp/ca-public.pem
      - WUD_WATCHER_PILIVE_CERTFILE=/tmp/client-certificate.pem
      - WUD_WATCHER_PILIVE_KEYFILE=/tmp/client-key.pem

But I can't figure out, how to use the same TLS client certificate files in Uptime Kuma. I tried the following docker-compose settings for Uptime-Kuma without success:

version: '3'
services:
  uptime-kuma:
    image: louislam/uptime-kuma
    container_name: uptime-kuma
    restart: always
    ports:
      - 3001:3001
    volumes:
      - /data/uptime-kuma:/app/data
      - /data/uptime-kuma/certs/ca-public.pem:/app/data/certs/ca-public.pem
      - /data/uptime-kuma/certs/client-certificate.pem:/app/data/certs/client-certificate.pem
      - /data/uptime-kuma/certs/client-key.pem:/app/data/certs/client-key.pem
    environment:
      - NODE_EXTRA_CA_CERTS=/app/data/certs/ca-public.pem
      - SSL_CERT=/app/data/certs/client-certificate.pem
      - SSL_KEY=/app/data/certs/client-key.pem

If I change the docker daemon setting in the docker host setup dialog from http://192.168.1.20:2375 to https://192.168.1.20:2376 I only get a "socket hang up" error messages. The WIKI page "How to Monitor Docker Containers" isn't explaining, how we can use Port 2376 with a TLS certificate.

It would be great, if we could have 3 more options to browse for the TLS files in the dialog, if I would select a "HTTPS" in the drop-down box. Or as an alternative to set these as an environment var.

How can I use my TLS client certificate? Any help is appreciated.

🐻 Uptime-Kuma Version

1.18.5

💻 Operating System and Arch

Ubuntu 22.04.1 LTS / Raspberry Pi 3b + Pi 4

🌐 Browser

Firefox 107

🐋 Docker Version

Docker 20.10.12

🟩 NodeJS Version

No response
@FastHogi FastHogi added the help label Nov 26, 2022
@BuxtonCalvin
Copy link

I have the exact same issue. I'd like to be able to somehow add client certs to the remote docker connection set up. As it is, I can't access the remote docker server with http or https as I'm strictly using https for other apps that connect to a remote docker service on my local lan.

@marekful
Copy link
Contributor

marekful commented Feb 27, 2023
edited

This isn't going to work currently as that would require using mutual TLS on the client side to connect to docker hosts. This also implies a new admin section where you can upload docker client certificates and since these certificates are per host, you'd need to be able to upload these for multiple hosts and then during a Docker Host Setup process in Kuma you would assign a client certificate to a host so in the future the selected client certificate would be used for the given docker host.

+1 for this feature request!

@marekful marekful mentioned this issue Feb 27, 2023
Merged
7 tasks
@github-actions
Copy link

We are clearing up our old issues and your ticket has been open for 3 months with no activity. Remove stale label or comment or this will be closed in 2 days.

@github-actions github-actions bot added the Stale label May 28, 2023
@lcasale
Copy link

lcasale commented May 28, 2023

I'm not sure if the feature is missing or instructions are unclear, but I would like to know how to do this as well

@github-actions github-actions bot removed the Stale label May 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

FEAT: Allow client side TLS for Docker hosts marekful/uptime-kuma
4 participants
@lcasale @marekful @BuxtonCalvin @FastHogi