Using SSL with Portainer
By default, Portainer's web interface and API are exposed over plain HTTP, so credentials and API traffic cross the network in cleartext. We recommend enabling SSL, particularly in a production environment.

On Docker Standalone

To do so, use the --ssl, --sslcert and --sslkey flags. Portainer expects the certificate and key in PEM format.

When using your own externally-issued certificate, ensure that the file you provide via --sslcert contains the full certificate chain (the server certificate followed by any intermediate certificates). Without the intermediates, clients may fail to validate the certificate. Your certificate chain can be obtained either from your certificate issuer or via the What's My Chain Cert? website.

To generate and use a self-signed certificate, run the following command on your server (the ~/local-certs directory must already exist):

openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout ~/local-certs/portainer.key -out ~/local-certs/portainer.crt
Next, start Portainer referencing the certificate and key file you just created:

docker run -d -p 443:9000 -p 8000:8000 \
  --name portainer --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  -v ~/local-certs:/certs \
  portainer/portainer-ee --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
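Before mounting a certificate and key into the container, it is worth confirming that the files are really PEM, that the key belongs to the certificate, and (for an issued certificate) that the chain file carries more than just the leaf. The script below is an added example written for this page and is not part of the Portainer documentation; the function names and the check-pem.sh file name are this example's own choices, and it relies only on grep and the standard openssl CLI.

```shell
#!/bin/sh
# Added example (not Portainer's own code): sanity-check a PEM certificate/key
# pair before handing it to Portainer via --sslcert and --sslkey.

# Return 0 if the file contains a PEM block of the given type
# ("CERTIFICATE" or "PRIVATE KEY"; "RSA PRIVATE KEY" and similar also match).
pem_has_block() {
  grep -q -- "-----BEGIN .*$2-----" "$1"
}

# Print how many certificates the file carries. A self-signed file has 1; an
# externally issued file should have more (leaf plus intermediates).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 if the public half of the private key equals the public key inside
# the certificate, i.e. the two files actually belong together.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check on a pair, print findings, and return non-zero on failure.
check_pair() {
  cert=$1; key=$2; rc=0
  pem_has_block "$cert" CERTIFICATE  || { echo "FAIL: $cert is not a PEM certificate"; rc=1; }
  pem_has_block "$key" "PRIVATE KEY" || { echo "FAIL: $key is not a PEM private key"; rc=1; }
  if [ "$rc" -eq 0 ]; then
    key_matches_cert "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
  fi
  n=$(count_certs "$cert")
  echo "INFO: $cert contains $n certificate(s)"
  [ "$n" -gt 1 ] || echo "NOTE: no intermediates present; fine for self-signed, incomplete for an issued certificate"
  return "$rc"
}

# Usage: sh check-pem.sh ~/local-certs/portainer.crt ~/local-certs/portainer.key
if [ "$#" -eq 2 ]; then
  check_pair "$1" "$2"
fi
```

The public-key comparison is the check that catches the most common mistake, a renewed certificate mounted next to an old key: Portainer would simply fail to start TLS, and this tells you why before you touch the container.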
As an alternative, Certbot can be used to generate a certificate and a key. However, the files in Certbot's 'live' directory are symlinks into its 'archive' directory, and those links do not resolve inside the container unless both directories are mounted. If you use Certbot, pass both the 'live' and 'archive' directories as volumes, as shown below:

docker run -d -p 443:9000 -p 8000:8000 \
  --name portainer --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer-data:/data \
  -v /etc/letsencrypt/live/yourdomain:/certs/live/yourdomain:ro \
  -v /etc/letsencrypt/archive/yourdomain:/certs/archive/yourdomain:ro \
  portainer/portainer-ee --ssl --sslcert /certs/live/yourdomain/cert.pem --sslkey /certs/live/yourdomain/privkey.pem

Now, you can navigate to https://$ip-docker-host.

Docker Swarm

Securing Portainer on Docker Swarm is quite simple. The following example assumes that you have an external overlay network and external secrets. If you do not, simply create them.

To create the overlay network:

docker network create --driver overlay portainer

To create the secrets:

docker secret create portainer.example.com.cer portainer.example.com.cert
docker secret create portainer.example.com.key portainer.example.com.key
See Docker's own official documentation for more information about networks and secrets.

Then deploy Portainer with a stack file such as the following, which mounts the two secrets and points --sslcert and --sslkey at them:

version: '3.2'

services:
  agent:
    image: portainer/agent:2.0.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - portainer
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

  portainer:
    image: portainer/portainer-ee:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify --ssl --sslcert /run/secrets/portainer.example.com.cer --sslkey /run/secrets/portainer.example.com.key
    ports:
      - "9000:9000"
      - "8000:8000"
    volumes:
      - /data/portainer:/data
    networks:
      - portainer
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
    secrets:
      - portainer.example.com.cer
      - portainer.example.com.key

networks:
  portainer:
    external: true

secrets:
  portainer.example.com.cer:
    external: true
  portainer.example.com.key:
    external: true