What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

How can I create private key and certificate for the Docker sensor?

Votes:

0

When I want to add a Docker sensor to PRTG, PRTG asks me to provide a private key and a certificate to access my Docker instance. Where can I get these Docker credentials? How do I create a Docker certificate and private key?

certificate credentials docker private-key prtg sensor

Created on Nov 30, 2015 1:42:54 PM by  Gerald Schoch [Paessler Support]

Last change on Jun 14, 2022 7:33:49 AM by  Brandy Greger [Paessler Support]



17 Replies

Accepted Answer

Votes:

0

This article applies as of PRTG 22

Generating Docker certificate and private key for PRTG

If you add the Docker Container Status sensor, you need to provide a Private Key and a Certificate to request monitoring data from Docker. This approach ensures a secure connection from PRTG to Docker, authenticated by a certificate signed by a trusted certificate authority (CA).

So before you add the sensor, create a certificate and keys with OpenSSL. See How can I use a trusted SSL certificate with the PRTG web interface? for how to install OpenSSL. Of course, if you already have Docker certificates available, you can use one of these.

Find detailed instructions on how to create Docker certificates and keys in the Docker documentation: Protect the Docker daemon socket.

Steps to take

In general, you need to follow these steps:

  1. Generate the CA private and public keys using OpenSSL.
  2. Create the server key and certificate signing request (CSR).
    • Ensure that the Common Name matches the hostname used to connect to Docker.
  3. Sign the public key with the CA.
  4. Configure the Docker daemon to accept connections from clients that provide a trusted certificate from your CA, for example: $ dockerd -H tcp://0.0.0.0:2376 -H fd:// --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem $other_args
    • -H tcp:0.0.0.0:2376 makes the Docker API available for all external IP addresses on port 2376. This is the port number that you must provide in section Docker Credentials of the sensor settings.
    • -H fd:// makes the API locally available to get the Docker commands to work on the console.
    • --tlsverify=true defines that the access is SSL encrypted and that any connecting client must authenticate.
    • The certificates and keys (ending with .pem) are used for the authentication of the sensor.

For more details like the exact commands and what you have to additionally consider, see the Docker documentation.

Note: In older Docker versions, the string to accept connections was: $ docker daemon -H tcp://0.0.0.0:2376 -H fd:// --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem

Note: If you have any issues when creating certificates and keys for Docker, contact Docker support.

Add the sensor in PRTG

Now you have everything ready to monitor your Docker containers:

  1. In the Add Sensor dialog, enter the number of the Port you made available for API calls, usually port 2376.
  2. Open the file with the private key that you created before (for example, key.pem) with a text editor. Copy everything that this file contains and paste it into the Private Key field in the sensor settings.
  3. Open the server certificate file (for example, cert.pem) with a text editor. Copy everything that this file contains and paste it into the Certificate field in the sensor settings.

Complete the Add Sensor dialog and PRTG starts to monitor the status of your desired Docker containers.

Created on Dec 2, 2015 6:14:27 PM by  Gerald Schoch [Paessler Support]

Last change on Jan 4, 2023 2:15:28 PM by  Brandy Greger [Paessler Support]



Votes:

0

With the newer Docker versions ("dockerd" instead of "docker daemon") the string have to look like:

dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify=true --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem $other_args

Successfully tested with Docker 17.12 on CentOS 7 and PRTG 18.1.36.3728+. Configured in /etc/systemd/system/docker.service.d/source-sysconfig.conf

Created on Feb 1, 2018 8:45:45 AM



Votes:

0

Thank you for the update, Mark! We added it to the article.

Created on Feb 1, 2018 6:03:03 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Hello,

Forgive the perhaps dumb question, but can I also use a self-signed certificate? My docker-host is inside a private network without any connection to the big bad internet and therefore doesn't need a publicly recognized certificate...

Thanks, Jaap.

Created on Jun 20, 2018 7:01:34 AM



Votes:

0

Hi there,

As long as the CA that issues the certificate is trusted from the server where PRTG runs on, then you shouldn't run into any issues. Just make sure that the certificate and the root certificate from the CA are in the SYSTEM-Store of the PRTG Server.

Best regards.

Created on Jun 20, 2018 7:51:30 AM by  Dariusz Gorka [Paessler Support]



Votes:

0

Are there any plans to make docker monitoring easier to monitor?

Created on Sep 14, 2018 10:59:33 AM



Votes:

0

Hi there,

Currently there are no plans to develop this sensor further and to offer more options, the main reason is that the usage-rate of this sensor is rather low.

Best regards.

Created on Sep 14, 2018 1:48:18 PM by  Dariusz Gorka [Paessler Support]



Votes:

1

Hi, Is it possible to monitor a docker node running in swarm mode? If its possible to monitor just one or all of the node separately, how can I apply the tls certificates to the swarm?

Thanks, Iroj

Created on Feb 14, 2019 3:19:15 AM



Votes:

0

Dear Paessler Please reconsider the above statement from the 14'th of september 2018. Docker and docker-compose is spreading like wildfire, it would be great to have a more smooth monitoring of dockers running. It would also be very nice to have a much better explained article than this, sorry, but it's very confusing especially when you don't remember openssl commands by heart. I still haven't gotten this to work, the docker daemon will not accept my config file, allthough it will start with the commandline, and next step with getting the selfsigned certifiate accepted is still not working. I can apparently not use a properly signed public certificate for this, or am I misunderstanding something?

Created on May 27, 2020 2:31:04 PM



Votes:

0

Dear Kenneth Fribert,

thank you for your feedback. Docker gets more and more use, but as of now other features are in even higher demand for PRTG and thus prioritized. A self-signed certificate can only be used if the CA is considered trusted.

Created on May 27, 2020 9:03:56 PM by  Arne Seifert [Paessler Support]



Votes:

0

OK. I spent a couple of hours now trying to get the sensor to work.

Isn't there a detailed documentation out there? Something like a step by step? Thanks for your help.

Created on Jul 3, 2020 8:59:45 AM



Votes:

0

Hello Stefan,

Unfortunately, there are no additional guides for this.

Created on Jul 3, 2020 9:25:50 AM by  Sasa Ignjatovic [Paessler Support]



Votes:

0

prtg I think they should reconsider container monitoring. Its use increases day by day and the clients with whom we work ask us to do the monitoring with prtg

Created on Sep 10, 2020 2:13:27 PM



Votes:

0

Paessler support,

Are there any updates on this request? Do you have an ETA on when this issue will be addressed?

Best regards Matt B

Created on May 11, 2021 2:08:03 PM



Votes:

0

Hello,

We have Container Monitoring on our Roadmap. Please check out the survey for Container Monitoring, as it helps us with these requirements you all have.

Benjamin Day
[Paessler Support]

Created on May 12, 2021 4:12:17 AM by  Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Just found this article from cybus.io which gave me the needed info to get the sensor working.

https://www.cybus.io/learn/docker-container-monitoring-using-prtg/

Created on Sep 30, 2022 6:54:42 AM



Votes:

0

Edit - @Stefan Müller tried again and it all worked! this is great!!

Created on Jun 8, 2023 10:39:33 AM

Last change on Jun 8, 2023 10:39:33 AM




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.