BoxBoat Blog


BoxBoat Cert Tool: Free Let’s Encrypt Certificates for Docker Datacenter

by Caleb Lloyd | Friday, May 19, 2017 | Docker


Docker Datacenter is an extremely useful technology to help your organization deploy and monitor your Dockerized microservices in production. We recently did an in-depth review of Docker Datacenter and recommend that you check it out if you’re not familiar with UCP and DTR.

Docker Datacenter includes two powerful systems for running Docker containers and managing Docker images on-premises, behind your firewall:

  • Docker Universal Control Plane (UCP) is the enterprise-grade cluster management solution from Docker.
  • Docker Trusted Registry (DTR) is the enterprise-grade image storage solution from Docker.

UCP and DTR are both simple to install – a few commands on each node will bootstrap the entire system. Docker provides a fantastic Docker Datacenter install guide that will get you up and running in no time.

One of the first things you will notice out of the box is that UCP and DTR both ship with automatically generated self-signed certificates.

[Screenshot: browser warning that the UCP/DTR self-signed certificate is not trusted]

There are a lot of things in the software world that we don’t agree on – tabs vs. spaces, compiled vs. interpreted – but nobody likes having to click through the “This Page is Not Secure” warning! Additionally, the Docker client on developers’ machines will refuse to log in to DTR by default, because the self-signed certificate does not list the registry’s IP address as a Subject Alternative Name (SAN):

$ docker login 10.180.252.58
Username: {username}
Password: {password}
  
Error response from daemon: Get https://10.180.252.58/v1/users/: x509: cannot validate certificate for 10.180.252.58 because it doesn't contain any IP SANs
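To see exactly what the Docker client is checking, here is an added shell example (not part of the original post or of the cert tool) that builds two constructed self-signed certificates with openssl and tests whether each one covers a hostname or the DTR IP from this post. The hostnames under example.boxboat.net are placeholders; the IP 10.180.252.58 is the one shown above.

```shell
#!/bin/sh
# Reproduce the "doesn't contain any IP SANs" failure offline and show the
# check to run against a certificate before rolling it out to UCP/DTR.
set -eu

WORK=$(mktemp -d)

# make_cert NAME SAN_LIST: self-signed cert, like the one UCP/DTR generate
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# cert_matches CERT TARGET: succeeds only if TARGET (hostname or IP) is
# covered by the certificate's SANs; an IP is never matched against the CN.
cert_matches() {
  case "$2" in
    *[!0-9.]*) opt=-verify_hostname ;;   # anything but digits/dots: hostname
    *)         opt=-verify_ip ;;         # dotted quad: must be an IP SAN
  esac
  # The cert is its own trust anchor here, so only the name check decides.
  openssl verify -CAfile "$1" "$opt" "$2" "$1" >/dev/null 2>&1
}

# Constructed certs: one with a DNS SAN only, one that also carries the IP SAN
make_cert dtr-dns  "DNS:dtr.example.boxboat.net"
make_cert dtr-both "DNS:dtr.example.boxboat.net,IP:10.180.252.58"

for target in dtr.example.boxboat.net 10.180.252.58; do
  for c in dtr-dns dtr-both; do
    if cert_matches "$WORK/$c.crt" "$target"; then
      echo "$c covers $target"
    else
      echo "$c does NOT cover $target (docker login would fail)"
    fi
  done
done
```

The same `openssl verify -verify_hostname`/`-verify_ip` check can be pointed at the certificate UCP or DTR actually serves (for example one saved with `openssl s_client -showcerts`) to confirm every name developers use is covered.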

The BoxBoat Cert Tool

BoxBoat is no stranger to installing Docker Datacenter. We install Docker Datacenter on our local machines, in public clouds, and in private clouds. We install it for proofs of concept and we install it for highly available enterprise deployments. We install it here, we install it there, we install it every… you get the point.

We wanted an easy way to get a trusted certificate out of the box, so we created the BoxBoat Cert Tool. The cert tool client is a Go binary packaged into the boxboat/cert-tool Docker image. The tool requires a valid token to authenticate to our backend. You can either use the “signup” command (detailed on the cert-tool Docker Hub page) or contact us if you would like a free token for your organization!

The Cert Tool has two main functions. It allows an organization to update DNS records under their own BoxBoat subdomain, [org].boxboat.net. It also allows organizations to obtain free Let’s Encrypt Certificates for UCP and DTR under their BoxBoat subdomain. With two simple commands, we can get the certificate icon to turn from red to green for both UCP and DTR:

$ docker run --rm boxboat/cert-tool dns \
  --boxboat-token {token} \
  --subdomain ucp \
  --ip 10.180.252.130 \
  --subdomain dtr \
  --ip 10.180.252.58
  
Logged in as: caleb.boxboat.net
Updating A record on ucp.caleb.boxboat.net to 10.180.252.130
Success
Updating A record on dtr.caleb.boxboat.net to 10.180.252.58
Success
You may need to wait up to 5 minutes or more for DNS changes to propagate

$ docker run --rm boxboat/cert-tool cert \
  --boxboat-token {token} \
  --accept-tos \
  --email {email} \
  --ucp-subdomain ucp \
  --dtr-subdomain dtr \
  --ucp-username {username} \
  --ucp-password {password}
  
Logged in as: caleb.boxboat.net
Attempting to login to UCP
Successfully logged into UCP
Attempting to login to DTR
Successfully logged into DTR
Generating certificate for ucp.caleb.boxboat.net dtr.caleb.boxboat.net
Certificate Request ID: production.2471.dtr.ucp
Certificate can take up to 5 minutes to generate.
Received Certificate
Updating UCP Certificate
Successfully Updated UCP Certificate
Updating DTR Certificate
Successfully Updated DTR Certificate

Navigating to the new domain reveals a shiny new Let’s Encrypt certificate, trusted by all browsers with no extra configuration.

Best of all, every developer in our organization can now log in to DTR with no extra configuration, because the Let’s Encrypt certificate carries the DTR hostname as a SAN and chains to a CA the Docker client already trusts.

$ docker login dtr.caleb.boxboat.net
Username: {username}
Password: {password}

Login Succeeded

Does this sound like something that would be useful for your organization? Be sure to check out the Cert Tool on Dockerhub and contact us for help setting up Docker Datacenter!
