
Self-signed certificate does not work inside docker for communication among containers


I have a docker-compose in which minio, minio/kes and vault talk together. Both minio/kes and vault need TLS, and I used the self-signed method with an IP address to create certificates for them. I use this command to generate the certificate:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
       -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"

Here is my docker-compose file:

version: '3.7'
services:
  minio:
    image: minio/minio:RELEASE.2021-02-01T22-56-52Z
    container_name: minio
    restart: always
    volumes:
      - /home/zahra/docker/minio/data:/data
      - /home/zahra/docker/kes/certs:/root/.minio/kes/certs
    ports:
      - "9003:9000"
    expose:
      - "9003"
    environment:
      MINIO_ROOT_USER: minio
      MINIO_ROOT_PASSWORD: minio123
      MINIO_KMS_KES_ENDPOINT: https://minio-kes:7373
      MINIO_KMS_KES_CERT_FILE: /root/.minio/kes/certs/client.cert
      MINIO_KMS_KES_KEY_FILE: /root/.minio/kes/certs/client.key
      MINIO_KMS_KES_CA_PATH: /root/.minio/kes/certs/server.cert
      MINIO_KMS_KES_KEY_NAME: test-key
      MINIO_KMS_AUTO_ENCRYPTION: 1
    command: server /data
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
      interval: 30s
      timeout: 20s
      retries: 3    
    networks: 
      - minio-network 
    
  minio-kes:
    image: minio/kes:v0.19.2
    container_name: minio-kes
    restart: always
    volumes:
      - /home/zahra/docker/kes/certs:/root/.kes/certs    
      - /home/zahra/docker/kes/config:/root/.kes/config
      - /home/zahra/docker/vault/certs:/root/.kes/vault/certs
    environment:
      - KES_SERVER=https://minio-vault:7373
      - KES_CLIENT_KEY=/root/.kes/certs/client.key
      - KES_CLIENT_CERT=/root/.kes/certs/client.cert      
    ports:
      - "7373:7373"
    command: server --config=/root/.kes/config/config.yaml --auth=off 
    expose:
      - "7373"
    networks:  
      - minio-network 
    depends_on:
      - minio-vault    
      
  minio-vault:
    image: vault:latest
    container_name: minio-vault
    ports:
      - "8200:8200"
    volumes:
      - /home/zahra/docker/vault/file:/vault/file
      - /home/zahra/docker/vault/config:/vault/config
      - /home/zahra/docker/vault/certs:/vault/certs
      - /home/zahra/docker/vault/policy:/vault/policy
    environment:
      - VAULT_ADDR=https://127.0.0.1:8200
      - VAULT_SKIP_VERIFY=true
      - VAULT_TOKEN=MY-TOKEN
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/config.json
    networks:
      - minio-network

networks:
  minio-network:
    driver: bridge

My problem is that inside docker I have to use the container name instead of the IP address of my services, so I get the following error: "x509 :certificate is not valid for any names but wanted to match minio-kes" or "x509 :certificate is not valid for any names but wanted to match minio-vault".

minio-kes and minio-vault are my container names.

I tried replacing the common name (CN) with the name of my container when generating the certificate, but again it didn't work. For example:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
       -subj "/C=/ST=/L=/O=/CN=minio-kes" -addext "subjectAltName = IP:127.0.0.1"

I don't know how I should generate the certificate so that it works inside docker.


Solution

  • If you are using domain names to connect, you must add these domain names to the certificate. This can be achieved by adding -addext "subjectAltName = DNS:minio-kes" to the openssl command.

    A certificate can be made valid for multiple domain names. Just add the parameter multiple times in order to add multiple domain names to the certificate.

    Also see this answer for further details.
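A worked version of this fix, added here as an example and not taken from the question or the answer: it issues a certificate whose subjectAltName lists the Compose service name, localhost and the loopback IP in one comma-separated value, then checks a name against the SAN entries the way Go TLS clients such as minio and kes do (only SAN entries count, the CN is ignored). The 365-day lifetime, the temp directory and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answer above): issue one self-signed
# certificate per service whose subjectAltName lists every name a peer may use
# to reach it, then check a name against the SAN list the way a Go TLS client
# (minio, kes) does: only SAN entries count, the CN is ignored.
# Service names follow the compose file; lifetime, IP and paths are assumptions.
set -eu

# gen_san_cert <outdir> <cn> <san-list>
# <san-list> is ONE comma-separated subjectAltName value, e.g.
#   "DNS:minio-kes,DNS:localhost,IP:127.0.0.1"
gen_san_cert() {
  outdir=$1 cn=$2 sans=$3
  mkdir -p "$outdir"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$outdir/server.key" -out "$outdir/server.cert" \
    -subj "/CN=$cn" -addext "subjectAltName = $sans" >/dev/null 2>&1
}

# cert_has_name <certfile> <hostname-or-ipv4>
# Exit 0 when the SAN list contains an exact DNS or IP entry for the name.
cert_has_name() {
  cert=$1 want=$2
  case $want in
    *[!0-9.]*) entry="DNS:$want" ;;        # anything non-numeric: DNS name
    *)         entry="IP Address:$want" ;; # dotted quad: IP SAN
  esac
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "$entry"
}

# Demo: keep files in a temp dir so nothing is left behind.
demo_dir=$(mktemp -d)
gen_san_cert "$demo_dir/kes" minio-kes "DNS:minio-kes,DNS:localhost,IP:127.0.0.1"
for n in minio-kes localhost 127.0.0.1 minio-vault; do
  if cert_has_name "$demo_dir/kes/server.cert" "$n"; then
    echo "kes cert is valid for $n"
  else
    echo "kes cert is NOT valid for $n"   # minio-vault: not in the SAN list
  fi
done
rm -rf "$demo_dir"
```

The same cert_has_name check run against the question's second certificate (CN=minio-kes with only an IP SAN) fails for minio-kes, which is exactly why that attempt still produced the "not valid for any names" error.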