what is
config show pki
I only tested with the default certificate, but letsencrypt should be handed
for all of this we run a modified systemd service, it is just a matter of adding them
Please let me test it, thanks again
[root@samba ~]# config show pki
pki=configuration
CertificateDuration=3650
ChainFile=/etc/letsencrypt/live/samba.domain.it/chain.pem
CommonName=NethServer
CountryCode=IT
CrtFile=/etc/letsencrypt/live/samba.domain.it/cert.pem
EmailAddress=it@domain.it
KeyFile=/etc/letsencrypt/live/samba.domain.it/privkey.pem
LetsEncrypt=disabled
LetsEncryptDomains=samba.domain.it
LetsEncryptMail=it@domain.it
LetsEncryptRenewDays=30
Locality=City
Organization=Domain Srl
OrganizationalUnitName=Main
State=Italy
SubjectAltName=*.domain.it
ok I understand my issue, innocently I believed that letsencrypt puts certificates in a common path
I need the review of @giacomo and @davidep on where I can find all possible certificates and how I can determine if we use letsencrypt or a custom certificate stored in the pki folder
We can find an issue on portainer with letsencrypt, could you please check it: https://github.com/portainer/portainer/issues/986
for your problem, change my action
vim /etc/e-smith/events/actions/nethserver-portainer_container
then
#!/usr/bin/bash
# e-smith action: (re)create the portainer container, optionally pulling a new image first
event=$1
pid=$(/usr/sbin/pidof portainer)
# certificate and key paths from the pki configuration database
crtFile=$(/sbin/e-smith/config getprop pki CrtFile)
keyFile=$(/sbin/e-smith/config getprop pki KeyFile)
# fall back to the default NethServer certificate when the props are empty
crt=${crtFile:-/etc/pki/tls/certs/NSRV.crt}
key=${keyFile:-/etc/pki/tls/private/NSRV.key}
# substitution: rewrite the host path into the path seen inside the container
crt=${crt//'/etc/letsencrypt/live/samba.domain.it/'/'/certs/live/samba.domain.it/'}
key=${key//'/etc/letsencrypt/live/samba.domain.it/'/'/certs/live/samba.domain.it/'}
# stop and remove the running container, if any
if [[ -n "$pid" ]]; then
/usr/bin/docker container stop portainer-container || exit 1
/usr/bin/docker rm -f portainer-container || exit 1
fi
if [[ $event == 'portainer-upgrade' ]]; then
/usr/bin/docker image pull portainer/portainer:latest || exit 1
fi
# note: /etc/letsencrypt/live/* holds symlinks into ../../archive, so a bind mount
# of live/ alone leaves those links dangling inside the container
/usr/bin/docker run -d -p 9000:9000 --restart unless-stopped --name portainer-container \
-v portainer-data:/data -v "/var/run/docker.sock:/var/run/docker.sock" \
-v /etc/letsencrypt/live/samba.domain.it/:/certs/live/samba.domain.it/:ro portainer/portainer --ssl --sslcert "${crt}" \
--sslkey "${key}" -H unix:///var/run/docker.sock || exit 1
then (you can check if portainer-container is running with docker ps)
docker rm -f portainer-container
signal-event nethserver-portainer-update
if something goes bad, please do docker inspect portainer-container
and check if the path to certificate is good
Letsencrypt/Uploaded/Self-signed does not matter!
This is similar to your recent PR for Postfix. You have to expand the certificate (crt) and key templates in a location reserved to Portainer.
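An added example (not code from the nethserver-portainer package or from either poster) of the approach suggested above and of the detection question raised earlier in the thread: it classifies the configured pki paths by source and copies the certificate and key into a directory reserved to Portainer, dereferencing the letsencrypt live/ symlinks so the bind mount contains real files. PORTAINER_CERT_DIR and the file names portainer.crt/portainer.key are assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of the nethserver-portainer package: stage the
# certificate and key configured in the pki database into a directory
# reserved to Portainer. "cp -L" follows the /etc/letsencrypt/live/... symlinks,
# so a bind mount of the staging directory never shows dangling links inside
# the container.
set -eu

# Assumed location; the container mounts this directory read-only.
PORTAINER_CERT_DIR="${PORTAINER_CERT_DIR:-/etc/portainer/certs}"

# Classify a pki CrtFile/KeyFile path: letsencrypt, default NSRV, or custom.
cert_source() {
  case "$1" in
    /etc/letsencrypt/live/*) echo letsencrypt ;;
    /etc/pki/tls/certs/NSRV.crt|/etc/pki/tls/private/NSRV.key) echo default ;;
    *) echo custom ;;
  esac
}

# Copy crt and key (following symlinks) into the staging directory with tight
# permissions. Prints the two staged paths; fails if a source is missing/empty.
stage_portainer_certs() {
  local crt="$1" key="$2" dir="${3:-$PORTAINER_CERT_DIR}" f
  for f in "$crt" "$key"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
  install -d -m 0750 "$dir"
  cp -L "$crt" "$dir/portainer.crt"
  cp -L "$key" "$dir/portainer.key"
  chmod 0644 "$dir/portainer.crt"
  chmod 0600 "$dir/portainer.key"
  echo "$dir/portainer.crt $dir/portainer.key"
}
```

The container would then be started with `-v "$PORTAINER_CERT_DIR:/certs:ro" --sslcert /certs/portainer.crt --sslkey /certs/portainer.key`, and a certificate-update event only has to re-run the staging step before recreating the container.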
thank
yes of course
I worry that we have to pass some parameters to the kernel to enable user namespaces
it is a technology preview…
Note
The user namespaces kernel feature is fully supported (generally available) in RHEL 7.4. However, the specific implementation of user namespaces related to the docker service is identified as a technology preview while Red Hat locks down a few security issues associated with non-root user mounts.
I don’t know if we can enable it @dev_team
maybe we can start docker with a non-root user, does it sound enough for you?
Just live on the bleeding edge
I don’t know …
I agree with @JOduMonT that docker has some known security problems, but I’d prefer to ease the life of the user.
IMHO, just choose the hassle-free option for the end user.
If possible, provide documentation to harden the installation a bit.
I will do a dedicated ssl certificate for portainer, please wait a bit
Hi, what is the line of progress?
thank you! I have tried, with various paths… but it doesn't work. The problem is only with the SSL certificate, because if I launch it without SSL it works perfectly.
new version to test
yum install -y http://mirror.de-labrusse.fr/NethDev/docker/docker-ce-17.12.1.ce-1.el7.centos.x86_64.rpm http://mirror.de-labrusse.fr/NethDev/docker/nethserver-docker-0.1.3-1.ns7.sdl.noarch.rpm http://mirror.de-labrusse.fr/NethDev/docker/nethserver-portainer-0.1.3-1.ns7.noarch.rpm
we run a specific certificate by template, a certificate-update event will change it
Perfect! But the link in the application dashboard links to http://
Yes next step, now if you go to network service you can choose the interface you need to run the container
By default it is green
the new version should correct it
I just installed this. Both Docker and Portainer. Installed both, went to network services and enabled the red network on the docker service. Browse to https://domain.com:9000 and I get connection refused. If I ssh tunnel to the server, I get invalid http response. docker ps shows portainer running on port 9000. netstat -anptu | grep 9000 shows docker-proxy listening. Just let me know any more details you need
what is the output of docker ps
please
just tested again on my server, it works
what is the output of rpm -qa | grep -e 'docker' -e 'portainer'