Using SSL with Portainer

By default, Portainer’s web interface and API are exposed over HTTP. Because this is not secure, we recommend enabling SSL, particularly in a production environment.
On Docker Standalone
To do so, you can use the --ssl, --sslcert and --sslkey flags. Portainer expects certificates in PEM format.
When using your own externally-issued certificate, ensure that you include the full certificate chain (including any intermediate certificates) in the file you provide via --sslcert. Without this you may face certificate validation issues. Your certificate chain can be obtained either from your certificate issuer or via the What's My Chain Cert? website.
To generate and use a self-signed certificate, use the following command on your server:
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout ~/local-certs/portainer.key -out ~/local-certs/portainer.crt
Next, start Portainer referencing the certificate and key file you just created:
docker run -d -p 443:9000 -p 8000:8000 \
    --name portainer --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    -v ~/local-certs:/certs \
    portainer/portainer-ee --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
As an alternative, Certbot can be used to generate a certificate and a key. However, because Docker has issues with symlinks, if you use Certbot, you will need to pass both the 'live' and 'archive' directories as volumes (shown below).
docker run -d -p 443:9000 -p 8000:8000 \
    --name portainer --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer-data:/data \
    -v /etc/letsencrypt/live/yourdomain:/certs/live/yourdomain:ro \
    -v /etc/letsencrypt/archive/yourdomain:/certs/archive/yourdomain:ro \
    portainer/portainer-ee --ssl --sslcert /certs/live/yourdomain/cert.pem --sslkey /certs/live/yourdomain/privkey.pem
Now, you can navigate to https://$ip-docker-host.
Docker Swarm
Securing Portainer on Docker Swarm is quite simple. The following example assumes that you have an external overlay network and external secrets. If you do not, simply create them:
To create the overlay network:
docker network create --driver overlay portainer
To create the secrets:
docker secret create portainer.example.com.cer portainer.example.com.cert
docker secret create portainer.example.com.key portainer.example.com.key
See Docker's own official documentation for more information about networks and secrets.
version: '3.2'
​
services:
  agent:
    image: portainer/agent:2.0.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - portainer
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]
​
  portainer:
    image: portainer/portainer-ee:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify --ssl --sslcert /run/secrets/portainer.example.com.cer --sslkey /run/secrets/portainer.example.com.key
    ports:
      - "9000:9000"
      - "8000:8000"
    volumes:
      - /data/portainer:/data
    networks:
      - portainer
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
    secrets:
        - portainer.example.com.cer
        - portainer.example.com.key
​
networks:
  portainer:
    external: true
​
secrets:
  portainer.example.com.cer:
    external: true
  portainer.example.com.key:
    external: true

Advanced Topics - Previous

Security and compliance

Next - Advanced Topics

Using Portainer with reverse proxies

Last modified 10mo ago

Copy link

Edit on GitHub

Outline

On Docker Standalone

Docker Swarm