Using SSL with Portainer

By default, Portainer’s web interface and API are exposed over HTTP. Because this is not secure, we recommend enabling SSL, particularly in a production environment.
On Docker Standalone
To do so, you can use the --ssl, --sslcert and --sslkey flags. Portainer expects certificates in PEM format.
When using your own externally-issued certificate, ensure that you include the full certificate chain (including any intermediate certificates) in the file you provide via --sslcert. Without this you may face certificate validation issues. Your certificate chain can be obtained either from your certificate issuer or via the What's My Chain Cert? website.
To generate and use a self-signed certificate, use the following command on your server:
1
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout ~/local-certs/portainer.key -out ~/local-certs/portainer.crt
Copied!
Next, start Portainer referencing the certificate and key file you just created:
1
docker run -d -p 443:9000 -p 8000:8000 \
2
    --name portainer --restart always \
3
    -v /var/run/docker.sock:/var/run/docker.sock \
4
    -v portainer_data:/data \
5
    -v ~/local-certs:/certs \
6
    portainer/portainer-ee --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
Copied!
As an alternative, Certbot can be used to generate a certificate and a key. However, because Docker has issues with symlinks, if you use Certbot, you will need to pass both the 'live' and 'archive' directories as volumes (shown below).
1
docker run -d -p 443:9000 -p 8000:8000 \
2
    --name portainer --restart always \
3
    -v /var/run/docker.sock:/var/run/docker.sock \
4
    -v portainer-data:/data \
5
    -v /etc/letsencrypt/live/yourdomain:/certs/live/yourdomain:ro \
6
    -v /etc/letsencrypt/archive/yourdomain:/certs/archive/yourdomain:ro \
7
    portainer/portainer-ee --ssl --sslcert /certs/live/yourdomain/cert.pem --sslkey /certs/live/yourdomain/privkey.pem
Copied!
Now, you can navigate to https://$ip-docker-host.
Docker Swarm
Securing Portainer on Docker Swarm is quite simple. The following example assumes that you have an external overlay network and external secrets. If you do not, simply create them:
To create the overlay network:
1
docker network create --driver overlay portainer
Copied!
To create the secrets:
1
docker secret create portainer.example.com.cer portainer.example.com.cert
2
docker secret create portainer.example.com.key portainer.example.com.key
Copied!
See Docker's own official documentation for more information about networks and secrets.
1
version: '3.2'
2
​
3
services:
4
  agent:
5
    image: portainer/agent:2.0.0
6
    volumes:
7
      - /var/run/docker.sock:/var/run/docker.sock
8
      - /var/lib/docker/volumes:/var/lib/docker/volumes
9
    networks:
10
      - portainer
11
    deploy:
12
      mode: global
13
      placement:
14
        constraints: [node.platform.os == linux]
15
​
16
  portainer:
17
    image: portainer/portainer-ee:latest
18
    command: -H tcp://tasks.agent:9001 --tlsskipverify --ssl --sslcert /run/secrets/portainer.example.com.cer --sslkey /run/secrets/portainer.example.com.key
19
    ports:
20
      - "9000:9000"
21
      - "8000:8000"
22
    volumes:
23
      - /data/portainer:/data
24
    networks:
25
      - portainer
26
    deploy:
27
      mode: replicated
28
      replicas: 1
29
      placement:
30
        constraints: [node.role == manager]
31
    secrets:
32
        - portainer.example.com.cer
33
        - portainer.example.com.key
34
​
35
networks:
36
  portainer:
37
    external: true
38
​
39
secrets:
40
  portainer.example.com.cer:
41
    external: true
42
  portainer.example.com.key:
43
    external: true
Copied!

Advanced Topics - Previous

Security and compliance

Next - Advanced Topics

Using Portainer with reverse proxies

Last modified 6d ago

Copy link

Contents

On Docker Standalone

Docker Swarm