Renewing an Overdue Docker Cert in QNAP
Writing this down before I forget, somewhere where I won’t think to look for it the next time I need it.
So you’re running Container Station (i.e., Docker) on a QNAP NAS, and naturally you’ve created a cert for it, because why wouldn’t you?, except that it expired a few days ago and you forgot to renew it, because apparently you didn’t have calendar technology when you originally created the cert, and now Container Station won’t renew the cert because it’s expired, and it won’t tell you that: it just passively-aggressively lets you click the Renew Certificate button, but nothing changes and the Docker port continues using the old, expired cert. What to do?
- Stop Container Station.
- Log in to the NAS and delete /etc/docker/tls (or just rename it).
- Restart Container Station. Open it, and note the dialog box saying that the cert needs to be renewed.
- Under Preferences → Docker Certificate, download the new certificate.
- Restart Container Station to make it pick up the new cert.
- Unzip the cert in your local Docker certificate directory: either ~/.docker or whatever you’ve set $DOCKER_CERT_PATH to.
- Check that you have the right cert: the cert.pem that you just unzipped should be from the same keypair that’s being served by the Docker server:
      openssl x509 -noout -modulus -in cert.pem | openssl md5
  and
      openssl s_client -connect "$DOCKER_HOST:$DOCKER_PORT" </dev/null | openssl x509 -noout -modulus | openssl md5
  should return the same string.
- Check the expiration date on the new cert. Subtract 7 days, open a calendar at that date and write down “Renew Docker certificate” this time.
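A check that could run from cron alongside the calendar entry, added here as an example and not part of the original post: it reports whether the local cert.pem, and optionally the cert served on the Docker port, expires within a warning window. The function names, the script name and the WARN_DAYS variable are assumptions of this example, not QNAP or Docker settings.

```shell
#!/bin/sh
# Added example (not from the original post): report Docker TLS certs that
# are about to expire. WARN_DAYS and all function names are assumptions.
WARN_DAYS="${WARN_DAYS:-7}"

# cert_status PEM_FILE [DAYS] -> prints one of: ok | renew | unreadable
cert_status() {
    pem=$1
    days=${2:-$WARN_DAYS}
    # First make sure the file parses as an X.509 certificate at all.
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || { echo unreadable; return; }
    # -checkend exits 0 only if the cert is still valid that many seconds from now.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

# fetch_served_cert HOST:PORT OUTFILE -> saves the cert the server presents.
# </dev/null makes s_client exit after the handshake instead of waiting on stdin.
fetch_served_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2" 2>/dev/null
}

# Usage: sh check-docker-cert.sh CERT_PEM [HOST:PORT]
# Exits non-zero when anything needs attention, so cron can mail the output.
if [ "$#" -ge 1 ]; then
    rc=0
    st=$(cert_status "$1")
    echo "local cert $1: $st"
    [ "$st" = ok ] || rc=1
    if [ -n "${2:-}" ]; then
        tmp=$(mktemp)
        fetch_served_cert "$2" "$tmp" || true
        st=$(cert_status "$tmp")
        echo "served cert at $2: $st"
        [ "$st" = ok ] || rc=1
        rm -f "$tmp"
    fi
    exit "$rc"
fi
```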