Create and Apply SSL Certificates for Portainer 🌱

Prerequisites

Create Your SSL Certificate

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: ctr.i12bretro.local
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: ctr.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Select End Entity from the type list
  14. Click Edit next to Subject Alternative Name
  15. Add any DNS or IP addresses that the certificate will identify
  16. Update the validity dates to fit your needs
  17. Click the Key Usage tab
  18. Under Key Usage select Digital Signature, Key Encipherment
  19. Under Extended Key Usage select Web Server and Web Client Authentication
  20. Click the Netscape tab
  21. Select SSL Server
  22. Click OK to create the certificate

Exporting Required Files

  1. In XCA, click on the Certificates tab
  2. Right click the SSL certificate > Export > File
  3. Set the file name to ssl.crt verify the export format is PEM (*.crt)
  4. Click OK
  5. Click the Private Keys tab
  6. Right click the private key generated for the SSL certificate > Export > File
  7. Set the file name to ssl.key and verify the export format is PEM Private (*.pem)
  8. Click OK

Method 1: Applying SSL Certificates to Portainer Web UI

  1. If the Portainer container wasn't setup to listen on 9443, connect to the Docker host and run the following commands
    # list running containers to find the name of the portainer container
    docker ps
    # stop the running portainer container
    docker stop portainer
    # remove the running portainer container
    docker rm portainer --force
    # recreate the portainer container with port 9443
    # modify as needed
    docker run -d -p 8000:8000 -p 9000:9000 -p 9443:9443 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v ~/docker/portainer:/data portainer/portainer-ce
  2. Open a web browser and navigate to http://DNSorIP:9000
  3. Log into Portainer
  4. Click Settings in the left navigation
  5. Scroll to the SSL certificate section
  6. Click Select file under Upload X.509 certificate > Browse to and select the ssl.crt file created earlier
  7. Click Select file under Upload a private key > Browse to and select the ssl.key file created earlier
  8. Click the Apply Changes button
  9. Update the browser URL to https://DNSorIP:9443
  10. Welcome to Portainer running via SSL

Method 2: Applying SSL Certificates to Portainer CLI

  1. Download WinSCP Download
  2. Extract WinSCP and run the executable
  3. Connect to the Portainer host IP address via WinSCP
  4. Copy the exported .pem files to the Portainer host
  5. Connect to the Docker host and run the following commands
    # list running containers to find the name of the portainer container
    docker ps
    # stop the running portainer container
    docker stop portainer
    # remove the running portainer container
    docker rm portainer --force
    # recreate the portainer container with ssl enabled
    # modify as needed
    docker run -d -p 8000:8000 -p 9000:9000 -p 9443:9443 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v ~/docker/portainer:/data portainer/portainer-ce --ssl --sslcert /data/ssl.crt --sslkey /data/ssl.key
  6. Open a web browser and navigate to https://DNSorIP:9443
  7. Welcome to Portainer running via SSL

Further Reading: https://documentation.portainer.io/v2.0/deploy/ssl/