查看主机名: [info]vi /etc/hostname[/info]   生成目录和脚本:   [info] mkdir -p /opt/sh /opt/cert/docker touch /opt/sh/createcert.sh vim /opt/sh/createcert.sh [/info]     在createcret.sh添加内容: [warning]#!/bin/bash set -e if [ -z $1 ];then echo "请输入Docker服务器主机名" exit 0 fi HOST=$1 mkdir -p /opt/cert/docker cd /opt/cert/docker openssl genrsa -aes256 -out ca-key.pem 4096 openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem openssl genrsa -out server-key.pem 4096 openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr # 配置白名单,推荐配置0.0.0.0,允许所有IP连接但只有证书才可以连接成功 echo subjectAltName = DNS:$HOST,IP:0.0.0.0 > extfile.cnf openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf openssl genrsa -out key.pem 4096 openssl req -subj '/CN=client' -new -key key.pem -out client.csr echo extendedKeyUsage = clientAuth > extfile.cnf openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf rm -v client.csr server.csr chmod -v 0400 ca-key.pem key.pem server-key.pem chmod -v 0444 ca.pem server-cert.pem cert.pem[/warning]   执行生成认证: [info]sh /opt/sh/createcert.sh 主机名[/info] [info]vim /usr/lib/systemd/system/docker.service[/info]   在ExecStart属性后追加: [warning]--tlsverify --tlscacert=/opt/cert/docker/ca.pem \ --tlscert=/opt/cert/docker/server-cert.pem \ --tlskey=/opt/cert/docker/server-key.pem \ -H tcp://0.0.0.0:2376 -H unix://var/run/docker.sock[/warning]   重新加载docker配置后重启: [info] systemctl daemon-reload systemctl restart docker [/info]     查看2376端口是否启动: [info]netstat -nltp | grep 2376[/info]   测试认证: [info] curl https://a.youlai.store:2376/info curl https://主机名:2376/info --cert /opt/cert/docker/cert.pem --key /opt/cert/docker/key.pem --cacert /opt/cert/docker/ca.pem [/info]   ———————————————— 原文链接:https://blog.csdn.net/u013737132/article/details/111090922