Munki with SSL using Docker

In this tutorial I will cover how to set up a Munki environment with client SSL authentication, hosting the Munki data and web server in Docker and using an OS X machine to populate data with Autopkgr. Most guides out there use Chef or Puppet to push client configuration, but I wanted to focus on Docker and keep the possibility of moving between solutions depending on the situation and current infrastructure.


Create certificates and Docker containers.

In this lab I’m using self-signed certificates, but when you plan a production solution you should go with certificates from a provider.

During the signing process you need to fill in Country Code, State, City, Organization, Common Name, Department and e-mail. Remember the password, as it will be used in the convert process.

Create a lab directory and clone the docker-munki-ssl repo.
mkdir -p ~/munki-lab
cd ~/munki-lab
git clone
Create a Certificate Authority root
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Create the Client Key and CSR
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
Self-sign Client crt
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Convert Client Key and crt to PEM
openssl x509 -in client.crt -out client-munki.crt.pem -outform PEM
openssl rsa -in client.key -out client-munki.key.pem -outform PEM
Create the Server Key and CRT
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Build the munki container
docker build -t munki-ssl .
Create a Data Container:
docker run -d --name munki-data --entrypoint /bin/echo munki-ssl Data-only container for munki-ssl
Start the munki-ssl container
docker run -d --name munki-ssl --volumes-from munki-data -p 443:443 -h munki-ssl munki-ssl
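
Before copying the client pair to a Mac, it is worth confirming that client-munki.crt.pem chains to ca.crt and that client-munki.key.pem is its matching, unencrypted key. The script below is an added example, not part of the original tutorial or the docker-munki-ssl repo; the function names check_client_pair and make_lab_pki are hypothetical, and make_lab_pki only builds throwaway sample certificates so the check can be exercised.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check a Munki client cert pair.
# Usage with the tutorial's files:
#   check_client_pair ca.crt client-munki.crt.pem client-munki.key.pem

# Returns 0 only if the cert chains to the CA, stays valid for at least
# 7 more days, and the unencrypted key belongs to the cert.
check_client_pair() {
    ca=$1 crt=$2 key=$3

    # 1. The client cert must verify against the lab CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt is not signed by $ca" >&2; return 1; }

    # 2. The cert must not expire within the next 7 days (604800 s).
    openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null 2>&1 \
        || { echo "FAIL: $crt expires within 7 days" >&2; return 2; }

    # 3. The public key in the cert must equal the one derived from the
    #    private key. The empty -passin makes a passphrase-protected key
    #    fail here instead of prompting.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=""
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $crt (or is encrypted)" >&2; return 3; }

    echo "OK: $crt chains to $ca and matches $key"
}

# make_lab_pki DIR: build a throwaway CA plus client pair (constructed sample
# data: 2048-bit, no passphrase, for speed; not the tutorial's 4096-bit keys).
make_lab_pki() {
    d=$1
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Lab CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -nodes -newkey rsa:2048 -subj "/CN=lab-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -out "$d/client-munki.crt.pem" 2>/dev/null
    openssl pkey -in "$d/client.key" -out "$d/client-munki.key.pem"
}
```

A non-zero return code tells you which check failed: 1 for the chain, 2 for expiry, 3 for a key mismatch or an encrypted key.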

What about data in your repo?

It’s high time to fill your repo with data. In my lab I used an SMB share to share the munki-data container, then I used Autopkgr and MunkiAdmin to fill it. That will not be covered in this guide, but Google will help you out.

Munki Client setup

Transfer client-munki.crt.pem and client-munki.key.pem to your client.

scp client-munki.*

Then ssh to your client machine and continue the setup.

Place the certs in the Managed Installs folder
sudo mkdir -p /Library/Managed\ Installs/certs
sudo chmod 0700 /Library/Managed\ Installs/certs
sudo cp /tmp/client-munki.crt.pem /Library/Managed\ Installs/certs/client-munki.crt.pem
sudo cp /tmp/client-munki.key.pem /Library/Managed\ Installs/certs/client-munki.key.pem
sudo chmod 0600 /Library/Managed\ Installs/certs/client-munki*
sudo chown root:wheel /Library/Managed\ Installs/certs/client-munki*
Change the ManagedInstalls.plist defaults:
sudo defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL ""
sudo defaults write /Library/Preferences/ManagedInstalls ClientCertificatePath "/Library/Managed Installs/certs/client-munki.crt.pem"
sudo defaults write /Library/Preferences/ManagedInstalls ClientKeyPath "/Library/Managed Installs/certs/client-munki.key.pem"
sudo defaults write /Library/Preferences/ManagedInstalls UseClientCertificate -bool TRUE
Test out the client:
sudo /usr/local/munki/managedsoftwareupdate -vvv --checkonly