TLS & MDM

TLS

TLS is optional for local use. When you enable it, you must:

  1. Mount your certs from the host into the container
  2. Point Fleet at the container paths

Example (host → container mapping):

docker run \
  -d \
  -v fleet-data:/data \
  -v /path/to/certs:/certs:ro \
  -e "FLEET_SERVER_TLS=true" \
  -e "FLEET_SERVER_CERT=/certs/fullchain.pem" \
  -e "FLEET_SERVER_KEY=/certs/privkey.pem" \
  -p "1337:1337" \
  --name fleet \
  cbnventures/fleet:latest

In this example:

  • Host path: /path/to/certs
  • Container path: /certs
  • FLEET_SERVER_CERT and FLEET_SERVER_KEY must use the container path

If TLS is enabled, both certificate and key must be set.

MDM server private key

This image requires a server private key (32+ bytes). It encrypts MDM data and must stay stable across restarts.

Generate one:

openssl rand -base64 32

Then pass it into the container:

-e FLEET_SERVER_PRIVATE_KEY=YOUR_KEY

Warning

Do not rotate this key unless you know how to migrate MDM secrets. Changing it can break access to existing MDM data.
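A pre-flight check that covers both requirements above (when TLS is on, certificate and key must both be set and must point at the container mount, and the server private key must decode to at least 32 bytes), as an added example that is not part of the cbnventures/fleet image; the function names, the /certs container path and the key file location are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the Fleet container settings described on this page.
# Added example, not shipped with cbnventures/fleet; names and paths are assumed.

# Returns 0 when the TLS settings are consistent:
#   TLS disabled -> cert/key may be empty;
#   TLS enabled  -> both must be set and refer to the container-side mount
#                   (/certs/...), not the host directory that was mounted there.
check_tls_env() {
  tls="$1"; cert="$2"; key="$3"
  case "$tls" in
    true)
      [ -n "$cert" ] && [ -n "$key" ] || return 1
      case "$cert" in /certs/*) ;; *) return 1 ;; esac
      case "$key"  in /certs/*) ;; *) return 1 ;; esac
      ;;
    false|"") ;;
    *) return 1 ;;
  esac
  return 0
}

# Returns 0 when the base64 value decodes to at least 32 bytes, the minimum
# the image requires (openssl rand -base64 32 produces exactly 32 bytes).
check_private_key() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ -n "$n" ] && [ "$n" -ge 32 ]
}

# Generates the key once and keeps it in a file that survives container
# recreation (assumed path), so the value never changes between restarts.
ensure_private_key() {
  file="${1:-./fleet-server-private-key}"
  if [ ! -s "$file" ]; then
    umask 077
    openssl rand -base64 32 > "$file"
  fi
  cat "$file"
}
```

Run the two check functions against the values you intend to pass with -e before starting the container; ensure_private_key can then feed FLEET_SERVER_PRIVATE_KEY from the stored file on every start.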