Renewing an Overdue Docker Cert in QNAP

Writing this down before I forget, somewhere where I won’t think to look for it the next time I need it.

So you’re running Container Station (i.e., Docker) on a QNAP NAS, and naturally you’ve created a cert for it, because why wouldn’t you?, except that it expired a few days ago and you forgot to renew it, because apparently you didn’t have calendar technology when you originally created the cert, and now Container Station won’t renew the cert because it’s expired, and it won’t tell you that: it just passively-aggressively lets you click the Renew Certificate button, but nothing changes and the Docker port continues using the old, expired cert. What to do?

  1. Stop Container Station.
  2. Log in to the NAS and delete /etc/docker/tls (or just rename it).
  3. Restart Container Station. Open it, and note the dialog box saying that the cert needs to be renewed.
  4. Under Preferences → Docker Certificate, download the new certificate.
  5. Restart Container Station to make it pick up the new cert.
  6. Unzip the cert in your local Docker certificate directory: either ~/.docker or whatever you’ve set $DOCKER_CERT_PATH to.
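  7. Check that you have the right cert: the cert.pem that you just unzipped should be from the same keypair that’s being served by the Docker server:
    openssl x509 -noout -modulus -in cert.pem | openssl md5
    # -connect takes host:port, so $DOCKER_HOST must be a bare hostname here (no tcp:// prefix).
    # </dev/null makes s_client exit after the handshake instead of waiting for input.
    openssl s_client -connect "$DOCKER_HOST:$DOCKER_PORT" </dev/null 2>/dev/null | openssl x509 -noout -modulus | openssl md5
    Both commands should return the same string.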
  8. Check the expiration date on the new cert. Subtract 7 days, open a calendar at that date and write down “Renew Docker certificate” this time.
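
For anyone who doesn't trust the calendar either, the check in step 8 can be scripted and run from cron. This is an added example, not part of the original post or of QNAP's tooling; the function name `cert_status`, the `--check` flag and the return codes are made up for illustration, and it assumes cert.pem sits where step 6 put it.

```shell
#!/bin/sh
# Added example: warn before the Docker client cert expires.
# Assumptions: cert.pem is in $DOCKER_CERT_PATH or ~/.docker (step 6),
# and the warning window is the 7 days from step 8.

WARN_DAYS=7

# cert_status FILE [DAYS]  (hypothetical helper)
# Prints one status line and returns:
#   0 = valid for more than DAYS days
#   1 = expires within DAYS days: renew now, while Renew Certificate still works
#   2 = already expired: back to steps 1-7
#   3 = file missing or not a parseable certificate
cert_status() {
    cert=$1
    days=${2:-$WARN_DAYS}

    # -enddate prints "notAfter=<date>"; a failure here means no usable cert.
    end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null) || {
        echo "UNREADABLE $cert"
        return 3
    }
    end=${end#notAfter=}

    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo "EXPIRED $cert (notAfter=$end)"
        return 2
    fi
    if ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo "RENEW $cert (notAfter=$end)"
        return 1
    fi
    echo "OK $cert (notAfter=$end)"
    return 0
}

# Run as "<this script> --check", e.g. from a daily cron job.
if [ "${1:-}" = "--check" ]; then
    cert_status "${DOCKER_CERT_PATH:-$HOME/.docker}/cert.pem"
    exit $?
fi
```

A non-zero exit status lets cron or a monitoring wrapper send the reminder.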