Overview
Dockhand supports TLS (Transport Layer Security) for secure connections to remote Docker daemons. This is essential when managing Docker hosts over the network.TLS configuration is per-environment. Each Docker environment can have its own TLS certificates.
When to Use TLS
Use TLS when connecting to Docker over TCP:- Remote Docker hosts - Docker daemon on different server
- Docker over network - Non-local socket connections
- Production deployments - Secure communication required
- Internet-exposed Docker API - Public Docker endpoints
- Local Unix socket (
/var/run/docker.sock) - Docker Desktop
- Same-host containers
Environment Configuration
Configure TLS per-environment in the Dockhand UI:- Go to Settings > Environments
- Create or edit an environment
- Set Connection Type to “Direct (TCP)”
- Set Protocol to
https - Enter Host and Port (default: 2376)
- Provide TLS certificates:
- CA Certificate (ca.pem)
- Client Certificate (cert.pem)
- Client Key (key.pem)
- Optionally enable Skip Verify (not recommended)
Environment Schema
Fromschema/index.ts:23-32:
Certificate Requirements
CA Certificate (ca.pem)
Root certificate authority that signed the server’s certificate.Client Certificate (cert.pem)
Client authentication certificate.Client Key (key.pem)
Private key for client certificate.Generating TLS Certificates
Using Docker’s Script
Docker provides a script to generate TLS certificates:ca.pem- CA certificatecert.pem- Client certificatekey.pem- Client private keyserver-cert.pem- Server certificateserver-key.pem- Server private key
Using OpenSSL
Manual certificate generation:Configuring Docker Daemon
Enable TLS on the Docker daemon:Using daemon.json
/etc/docker/daemon.json
Using systemd
Edit Docker service:Stack Deployment with TLS
When deploying Docker Compose stacks to TLS-enabled environments, Dockhand:- Creates temporary directory for certificates
- Writes PEM files:
ca.pem,cert.pem,key.pem - Sets environment variables:
DOCKER_TLS=1DOCKER_CERT_PATH=/path/to/certsDOCKER_TLS_VERIFY=1(or0if skip verify)
- Runs
docker composecommand - Cleans up temporary certificates
stacks.ts:1026-1059:
Skip TLS Verification
You can disable certificate verification:DOCKER_TLS_VERIFY=0.
Use only for:
- Self-signed certificates in development
- Testing TLS configuration
- Internal networks with trusted certificates
Certificate Encryption
Dockhand encrypts sensitive TLS data before storing in database:- TLS Private Key (
tlsKey) - Always encrypted - TLS Certificate (
tlsCert) - Stored as plain text (public data) - CA Certificate (
tlsCa) - Stored as plain text (public data)
encryption.ts:362-363 and 505-506:
Testing TLS Connection
Test TLS connection from command line:- Add environment with TLS configuration
- Click Test Connection
- Check for success or error messages
Troubleshooting
Certificate Verification Failed
Error:unable to verify the first certificate
Solutions:
- Ensure CA certificate matches server certificate’s CA
- Verify certificate chain is complete
- Check certificate hasn’t expired:
openssl x509 -in cert.pem -noout -dates
Invalid Certificate
Error:certificate is valid for X, not Y
Solution:
- Regenerate server certificate with correct hostname/IP in SANs
- Add
DNS:hostnameandIP:x.x.x.xto certificate’s Subject Alternative Names
Connection Refused
Error:connect ECONNREFUSED
Solutions:
- Check Docker daemon is listening on TCP:
netstat -tlnp | grep 2376 - Verify firewall allows port 2376
- Test with telnet:
telnet docker-host 2376
Wrong Protocol
Error:write EPROTO
Solutions:
- Ensure protocol is set to
https(nothttp) - Check Docker daemon has TLS enabled
- Verify port 2376 (TLS) not 2375 (unencrypted)
PEM Format Error
Error:error:0909006C:PEM routines
Solutions:
- Verify PEM files have correct headers/footers:
- Check no extra whitespace or newlines
- Ensure proper Base64 encoding
utils/pem.ts:3):
Best Practices
Strong Keys
Use 4096-bit RSA keys for better security.
Certificate Expiry
Set expiry dates and rotate certificates before expiration.
Verify Enabled
Always enable verification in production (don’t skip verify).
Firewall Rules
Restrict port 2376 to trusted IPs only.
Security Considerations
Protect Private Keys
- Never commit private keys to Git
- Use
.gitignorefor*.pem,*.keyfiles - Restrict file permissions:
chmod 400 key.pem - Rotate keys periodically
Network Security
- Use firewall to limit access to port 2376
- Consider VPN for Docker access over internet
- Use Docker contexts for multiple environments
Dockhand Storage
- Private keys are encrypted in database
- Back up
ENCRYPTION_KEYsecurely - Use PostgreSQL with SSL for database connection
- Enable authentication in Dockhand (LDAP/OIDC)
