docker swarm certificate expiry

I am trying to create a docker swarm that has certificates that expire after 1 year or more. The documentation states the syntax and I tried this:

    docker swarm init --cert-expiry 8760h0m0s

However, under cat /var/lib/docker/swarm/certificates/swarm-node.crt, when I decipher the certificate the validity is still 3 months. How do I make sure that validity is what I have set it to?

curiousengineer asked Oct 21 '25 00:10


2 Answers

You can generate certificates manually using the OpenSSL tool and configure the Docker daemon to use these certificates.

Generate Server Certificates

  1. Generate CA private and public keys:

    openssl genrsa -aes256 -out ca-key.pem 4096
    openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -out ca.pem
    
  2. Create a server key and certificate signing request (CSR):

    openssl genrsa -out server-key.pem 4096
    openssl req -subj "/CN=my.company.com" -sha256 -new -key server-key.pem -out server.csr
    
  3. Sign the public key with CA:

    echo subjectAltName = DNS:my.company.com,IP:127.0.0.1 >> extfile.cnf
    echo extendedKeyUsage = serverAuth >> extfile.cnf
    
  4. Generate the key:

    openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
    

Generate Client Certificates

  1. Create a client key and certificate signing request:

    openssl genrsa -out key.pem 4096
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    
  2. Create an extensions config file:

    echo extendedKeyUsage = clientAuth >> extfile.cnf
    
  3. Sign the private key:

    openssl x509 -req -days 1000 -sha256 -in client.csr -CA ../server/ca.pem -CAkey ../server/ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf

  4. Export cert.pem into PFX format to be added into Trusted Root Certification Authorities:

    openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx


Configure the Docker daemon with /etc/docker/daemon.json

{
    "debug": false,
    "tls": true,
    "tlsverify": true,
    "tlscacert": "/etc/docker/certificates/server/ca.pem",
    "tlscert": "/etc/docker/certificates/server/server-cert.pem",
    "tlskey": "/etc/docker/certificates/server/server-key.pem",
    "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}

Start Docker Service

systemctl start docker

Have a look at this article Building Jenkins Pipelines – Setting Up Docker Swarm. There's a step-by-step guide there.

Andrew Taylor answered Oct 23 '25 14:10
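Before pointing dockerd at files produced by the steps above, it is worth checking that the server certificate actually chains to the CA and carries the SAN and serverAuth EKU the extfile asked for. The following shell script is an added example, not code from this answer or from Docker: it repeats the CA and server-certificate steps non-interactively (an unencrypted CA key via -nodes, where the answer's -aes256 variant prompts for a passphrase) and then verifies the result. The CN, the 1000-day lifetime and the file names follow the answer; the working-directory argument and the function names are assumptions of this example. It assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example (not from the answer above): non-interactive CA + server
# certificate issuance, followed by the checks a practitioner would run
# before handing the files to dockerd. Assumes openssl 1.1.1+ on PATH.
set -eu

make_ca() {
    # $1 = output dir. Unencrypted CA key (-nodes) so the script can run
    # unattended; the answer's -aes256 variant prompts for a passphrase.
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1000 \
        -subj "/CN=docker-ca" -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

issue_server_cert() {
    # $1 = dir, $2 = DNS name, $3 = IP. Writes server-key.pem and server-cert.pem,
    # with the same SAN and EKU extensions the answer puts into extfile.cnf.
    openssl genrsa -out "$1/server-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$2" -key "$1/server-key.pem" -out "$1/server.csr"
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' "$2" "$3" \
        > "$1/server-ext.cnf"
    openssl x509 -req -days 1000 -sha256 -in "$1/server.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$1/server-cert.pem" -extfile "$1/server-ext.cnf" 2>/dev/null
}

# Prints "ok" (and returns 0) when server-cert.pem chains to ca.pem, carries
# DNS:<name> in its SAN and is marked for TLS server authentication; otherwise
# prints the failing check and returns 1.
verify_server_cert() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null 2>&1 \
        || { echo "chain: server-cert.pem does not verify against ca.pem"; return 1; }
    text=$(openssl x509 -in "$dir/server-cert.pem" -noout -text)
    printf '%s\n' "$text" | grep -qF "DNS:$name" \
        || { echo "san: DNS:$name missing"; return 1; }
    printf '%s\n' "$text" | grep -qF "TLS Web Server Authentication" \
        || { echo "eku: serverAuth missing"; return 1; }
    echo ok
}

# Usage:
#   make_ca /etc/docker/certificates/server
#   issue_server_cert /etc/docker/certificates/server my.company.com 127.0.0.1
#   verify_server_cert /etc/docker/certificates/server my.company.com
```

The SAN check matters because modern Docker clients (like any Go TLS client) match the server name against the SAN, not the CN; a certificate with the right CN but a missing or wrong SAN fails the handshake with a verification error.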


Run the following commands on any of the management nodes:

docker swarm update --cert-expiry 8760h0m0s
docker swarm ca --rotate | openssl x509 -text -noout

The first one will set the certificate expiry date. The last one will actually apply the changes and rotate certificates on all swarm nodes automatically. If not interested in decoding the cert text output, the openssl part can be omitted.

senyor answered Oct 23 '25 14:10
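The question's check (decoding swarm-node.crt and reading its validity) and this answer both come down to comparing what a node certificate says with what --cert-expiry was set to. The following shell script is an added example, not part of the question or either answer: it converts a Go-style duration such as 8760h0m0s into days, reads notBefore and notAfter from a PEM certificate with openssl, and reports whether the two agree. It assumes openssl and GNU date (for date -d) on PATH; the certificate path in the usage comment is the one from the question, and the function names are assumptions of this example. CAs commonly backdate notBefore by a small clock-skew margin, so the comparison tolerates one day of difference.

```shell
#!/bin/sh
# Added example, not from the question or the answers. Compares a certificate's
# actual validity window with the --cert-expiry value configured on the swarm.
# Assumes: openssl and GNU date (date -d) on PATH.
set -eu

# Whole days between notBefore and notAfter of the PEM certificate in $1.
cert_validity_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    start=$(date -u -d "$nb" +%s)
    end=$(date -u -d "$na" +%s)
    echo $(( (end - start) / 86400 ))
}

# Whole days in a Go-style duration as accepted by --cert-expiry,
# e.g. 8760h0m0s (one year) or 2160h (the 90-day default).
duration_to_days() {
    rest=$1; total=0
    while [ -n "$rest" ]; do
        num=$(printf '%s' "$rest" | sed 's/^\([0-9]*\).*/\1/')
        unit=$(printf '%s' "$rest" | sed 's/^[0-9]*\([a-z]*\).*/\1/')
        [ -n "$num" ] || { echo "bad duration: $1" >&2; return 1; }
        case $unit in
            h) total=$((total + num * 3600)) ;;
            m) total=$((total + num * 60)) ;;
            s) total=$((total + num)) ;;
            *) echo "unsupported unit '$unit' in $1" >&2; return 1 ;;
        esac
        rest=${rest#"$num$unit"}
    done
    echo $(( total / 86400 ))
}

# Prints "ok: ..." or "mismatch: ..." with both figures. CAs commonly backdate
# notBefore by a small clock-skew margin, so one day of difference is tolerated.
check_cert_expiry() {
    got=$(cert_validity_days "$1")
    want=$(duration_to_days "$2")
    diff=$((got - want))
    [ "$diff" -ge 0 ] || diff=$((-diff))
    if [ "$diff" -le 1 ]; then
        echo "ok: certificate valid $got days, --cert-expiry $2 = $want days"
    else
        echo "mismatch: certificate valid $got days, --cert-expiry $2 = $want days"
    fi
}

# Usage on a swarm manager (path from the question, duration as given to --cert-expiry):
#   check_cert_expiry /var/lib/docker/swarm/certificates/swarm-node.crt 8760h0m0s
```

Run it against swarm-node.crt after `docker swarm ca --rotate` has reissued the node certificates; a certificate issued before the update keeps its old 90-day window until rotation. `docker info` on a manager also reports the configured value as Expiry Duration under CA Configuration, which is a quick way to confirm the update itself took effect.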