I'm following the docker book to configure Docker Engine API with SSL, here's the whole process:
# CAecho 01 | sudo tee ca.srlsudo openssl genrsa -des3 -out ca-key.pemsudo openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem -subj "/CN=localhost"# Server keysudo openssl genrsa -des3 -out server-key.pemsudo openssl req -new -key server-key.pem -out server.csr -subj "/CN=localhost"# Server certecho subjectAltName = IP:x.x.x.x,IP:127.0.0.1 > extfile.cnfsudo openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnfsudo openssl rsa -in server-key.pem -out server-key.pemudo chmod 0600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/ca-key.pem /etc/docker/ca.pem# Client keysudo openssl genrsa -des3 -out client-key.pemsudo openssl req -new -key client-key.pem -out client.csr -subj "/CN=localhost"# Client certecho extendedKeyUsage = clientAuth > extfile.cnfsudo openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnfsudo openssl rsa -in client-key.pem -out client-key.pem# Running docker enginedockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376# Clientdocker -H localhost:2376 --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem info# OutputClient: Context: default Debug Mode: false Plugins: buildx: Docker Buildx (Docker Inc., v0.7.1-docker)Server:ERROR: error during connect: Get "https://localhost:2376/v1.24/info": x509: certificate is not valid for any names, but wanted to match localhosterrors pretty printing infoAnd the cert definitely looks correct from OpenSSL
$ openssl x509 -noout -subject -in client-cert.pemsubject=CN = localhostI tried both using localhost as well as using a VPS with a domain name, both no luck.