#### 1.环境准备
```bash
# 查看Docker服务器主机名
hostnamectl
```
![1582697962553](C:Users86176AppDataRoamingTypora ypora-user-images1582697962553.png)
这里记住我的主机名s130就好
```bash
# 静态主机名修改
vi /etc/hostname
# 临时主机名修改(重启失效)
hostname s130
```
#### 2.创建TLS证书
创建create_crets.sh文件并执行,生成的证书在/certs/docker目录下,
```bash
# create_crets.sh,将【证书生成脚本】内容复制进去
touch create_crets.sh
chmod 755 create_crets.sh
```
```bash
# 证书生成脚本
#!/bin/bash
set -e
if [ -z $1 ];then
echo "请输入Docker服务器主机名"
exit 0
fi
HOST=$1
mkdir -p /certs/docker
cd /certs/docker
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# 配置白名单,推荐配置0.0.0.0,允许所有IP连接但只有证书才可以连接成功
echo subjectAltName = DNS:$HOST,IP:0.0.0.0 > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
```
执行脚本生成证书,按照提示输入
```bash
# 传递的参数s130为服务器的主机名,不能是IP
sh create_crets.sh s130
```
![1582698303431](C:Users86176AppDataRoamingTypora ypora-user-images1582698319870.png)
所有密码输入同一个就好,要注意输入Docker服务器主机名s130
#### 3.配置Docker开启TLS认证
```
vi /usr/lib/systemd/system/docker.service
```
```bash
# 在ExecStart属性后追加
--tlsverify --tlscacert=/certs/docker/ca.pem --tlscert=/certs/docker/server-cert.pem --tlskey=/certs/docker/server-key.pem
-H tcp://0.0.0.0:2376 -H unix://var/run/docker.sock
```
![](C:Users86176AppDataRoamingTypora ypora-user-images1582698635304.png)
```bash
# 重新加载docker配置后重启
systemctl daemon-reload
systemctl restart docker
```
```bash
# 查看2376端口是否启动
netstat -tunlp
```
![1582684501742](C:Users86176AppDataRoamingTypora ypora-user-images1582684501742.png)
#### 3.Docker Remote API本机连接测试
```bash
# 没有指定证书时,报错含义是签发证书机构未经认证,无法识别
curl https://s130:2376/info
```
![1582689841980](C:Users86176AppDataRoamingTypora ypora-user-images1582689841980.png)
```bash
# 指定证书访问ok
curl https://s130:2376/info --cert /certs/docker/cert.pem --key /certs/docker/key.pem --cacert /certs/docker/ca.pem
```
![1582688783305](C:Users86176AppDataRoamingTypora ypora-user-images1582688783305.png)
#### 4.IDEA连接配置和测试
从Docker服务器生成的客户端所需的3个密钥下载到我们本地机器上去
![1582699253832](C:Users86176AppDataRoamingTypora ypora-user-images1582699253832.png)
配置本地机器的域名解析映射(推荐SwitchHosts工具)
![1582699718289](C:Users86176AppDataRoamingTypora ypora-user-images1582699718289.png)
打开IDEA配置Docker Remote API的URL和密钥存放的路径
![1582699603750](C:Users86176AppDataRoamingTypora ypora-user-images1582699603750.png)
maven配置修改
![1582703336369](C:Users86176AppDataRoamingTypora ypora-user-images1582703336369.png)