Using your own SSL certificate with Portainer

By default, Portainer’s web interface and API is exposed over HTTPS with a self-signed certificate generated by the installation. This can be replaced with your own SSL certificate either after installation via the Portainer UI or during installation, as explained in this article.

Using your own SSL certificate on Docker Standalone

Use the --sslcert and --sslkey flags during installation.

Upload your certificate (including the chain) and key to the server running Portainer, then start Portainer referencing them. The following command assumes your certificates are stored in /path/to/your/certs with the filenames portainer.crt and portainer.key, and bind-mounts the directory to /certs in the Portainer container:

docker run -d -p 9443:9443 -p 8000:8000 \
    --name portainer --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    -v /path/to/your/certs:/certs \
    portainer/portainer-ee:sts \
    --sslcert /certs/portainer.crt \
    --sslkey /certs/portainer.key

docker run -d -p 9443:9443 -p 8000:8000 \
    --name portainer --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    -v /path/to/your/certs:/certs \
    portainer/portainer-ce:sts \
    --sslcert /certs/portainer.crt \
    --sslkey /certs/portainer.key

Alternatively, Certbot can be used to generate a certificate and a key. Because Docker has issues with symlinks, if you use Certbot you will need to pass both the 'live' and 'archive' directories as volumes, as well as use the full chain certificate. For example:

docker run -d -p 9443:9443 -p 8000:8000 \
    --name portainer --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    -v /etc/letsencrypt/live/yourdomain:/certs/live/yourdomain:ro \
    -v /etc/letsencrypt/archive/yourdomain:/certs/archive/yourdomain:ro \
    portainer/portainer-ee:sts \
    --sslcert /certs/live/yourdomain/fullchain.pem \
    --sslkey /certs/live/yourdomain/privkey.pem

docker run -d -p 9443:9443 -p 8000:8000 \
    --name portainer --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    -v /etc/letsencrypt/live/yourdomain:/certs/live/yourdomain:ro \
    -v /etc/letsencrypt/archive/yourdomain:/certs/archive/yourdomain:ro \
    portainer/portainer-ce:sts \
    --sslcert /certs/live/yourdomain/fullchain.pem \
    --sslkey /certs/live/yourdomain/privkey.pem

When you're finished, you can navigate to https://$ip-docker-host:9443.

Using your own SSL certificate on Docker Swarm

To provide your own SSL certificate for Docker Swarm, simply define the portainer.sslcert and portainer.sslkey secrets, and the installation manifest will automatically detect and use them:

Next, retrieve the stack YML manifest:

Finally, use the downloaded YML manifest to deploy your stack:

For more information about secrets, read Docker's own documentation.

Using your own SSL certificate on Kubernetes (via Helm)

If it doesn't already exist, create the portainer namespace:

Next, create a TLS secret containing the full certificate chain and matching private key:

Install via helm with the tls.existingSecret parameter set to the name of the secret you just created: