BE 2.7
Getting Started
Using Portainer
Administering Portainer
Frequently Asked Questions
Advanced Topics
Get More Help
Contribute to Portainer
Using SSL with Portainer
By default, Portainer’s web interface and API are exposed over HTTP. Because this is not secure, we recommend enabling SSL, particularly in a production environment.
On Docker Standalone
To do so, you can use the
--ssl, --sslcert and --sslkey flags. Portainer expects certificates in PEM format.When using your own externally-issued certificate, ensure that you include the full certificate chain (including any intermediate certificates) in the file you provide via
--sslcert. Without this you may face certificate validation issues. Your certificate chain can be obtained either from your certificate issuer or via the What's My Chain Cert? website.To generate and use a self-signed certificate, use the following command on your server:
1
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout ~/local-certs/portainer.key -out ~/local-certs/portainer.crt
Copied!
Next, start Portainer referencing the certificate and key file you just created:
1
docker run -d -p 443:9000 -p 8000:8000 \
2
--name portainer --restart always \
3
-v /var/run/docker.sock:/var/run/docker.sock \
4
-v portainer_data:/data \
5
-v ~/local-certs:/certs \
6
portainer/portainer-ee --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
Copied!
As an alternative, Certbot can be used to generate a certificate and a key. However, because Docker has issues with symlinks, if you use Certbot, you will need to pass both the 'live' and 'archive' directories as volumes (shown below).
1
docker run -d -p 443:9000 -p 8000:8000 \
2
--name portainer --restart always \
3
-v /var/run/docker.sock:/var/run/docker.sock \
4
-v portainer-data:/data \
5
-v /etc/letsencrypt/live/yourdomain:/certs/live/yourdomain:ro \
6
-v /etc/letsencrypt/archive/yourdomain:/certs/archive/yourdomain:ro \
7
portainer/portainer-ee --ssl --sslcert /certs/live/yourdomain/cert.pem --sslkey /certs/live/yourdomain/privkey.pem
Copied!
Now, you can navigate to
https://$ip-docker-host.Docker Swarm
Securing Portainer on Docker Swarm is quite simple. The following example assumes that you have an external overlay network and external secrets. If you do not, simply create them:
To create the overlay network:
1
docker network create --driver overlay portainer
Copied!
To create the secrets:
1
docker secret create portainer.example.com.cer portainer.example.com.cert
2
docker secret create portainer.example.com.key portainer.example.com.key
Copied!
1
version: '3.2'
2
​
3
services:
4
agent:
5
image: portainer/agent:2.0.0
6
volumes:
7
- /var/run/docker.sock:/var/run/docker.sock
8
- /var/lib/docker/volumes:/var/lib/docker/volumes
9
networks:
10
- portainer
11
deploy:
12
mode: global
13
placement:
14
constraints: [node.platform.os == linux]
15
​
16
portainer:
17
image: portainer/portainer-ee:latest
18
command: -H tcp://tasks.agent:9001 --tlsskipverify --ssl --sslcert /run/secrets/portainer.example.com.cer --sslkey /run/secrets/portainer.example.com.key
19
ports:
20
- "9000:9000"
21
- "8000:8000"
22
volumes:
23
- /data/portainer:/data
24
networks:
25
- portainer
26
deploy:
27
mode: replicated
28
replicas: 1
29
placement:
30
constraints: [node.role == manager]
31
secrets:
32
- portainer.example.com.cer
33
- portainer.example.com.key
34
​
35
networks:
36
portainer:
37
external: true
38
​
39
secrets:
40
portainer.example.com.cer:
41
external: true
42
portainer.example.com.key:
43
external: true
Copied!
Copy link
Edit on GitHub