If the Custom Certificate option is chosen please map a path to the public keys into each container's ca-certificates or equivalent
ChristopherMag last edited by nebulon
The Custom Certificate's documentation mentions that
Intermediate Certs - You can upload a certificate chain by simply appending all the intermediate certs in the same cert file.
In my scenario I use a wildcard certificate that was issued using our own root CA.
Appending its public key to the certificate chain works fine to allow me to use the wildcard certificate in Cloudron, but there isn't a process in place to expose the public key of the custom root CA to each of the containers.
It would be really helpful if all the public keys contained in whatever custom certificate file is uploaded using the Custom Certificate feature were automatically added/linked/exposed in the right spot in each container, so that those containers would automatically trust the wildcard cert and anything else from the root CA that issued it.
Something like adding the following to the Dockerfile:

```dockerfile
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
```
Currently I have to be aware of this whenever adding new apps, as I may hit broken functionality and ambiguous errors that in the end track back to this issue and require their own app-specific workaround.
Here are some examples:

Redash:
- `cloudron env set --app redash.cloudron.domain.com REDASH_ENFORCE_PRIVATE_IP_BLOCK=false`
- Add a file named `cloudronwildcard.pem` that contains the public key for the wildcard certificate to the
- `cloudron env set --app redash.cloudron.domain.com REQUESTS_CA_BUNDLE=/app/data/cloudronwildcard.pem`

n8n:
- `cloudron env set --app n8n.cloudron.domain.com NODE_TLS_REJECT_UNAUTHORIZED=0`
For these examples, I believe that if each of these containers was configured to trust all the public keys that were loaded when the custom certificate file was uploaded, then N8N and Onlyoffice would work without anything extra. Redash may still require `REDASH_ENFORCE_PRIVATE_IP_BLOCK=false`, but the other steps wouldn't be needed.
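The post describes the manual step (copy the CA into `/usr/local/share/ca-certificates`, run `update-ca-certificates`) that each container would need. The script below is an added example, not Cloudron's code and not the poster's, showing what an automated version of that step looks like: it splits an uploaded chain file into one PEM file per certificate, keeps only the certificates that carry `CA:TRUE` (the leaf is not a trust anchor), installs them, and refreshes the store. It assumes the Debian/Ubuntu `ca-certificates` layout; `CA_DIR`, the `custom-ca-NN.crt` naming, and the sample bundle are placeholders I constructed, and the sample PEM bodies are not real certificates, only enough to exercise the splitter offline.

```shell
#!/bin/sh
# install_custom_ca.sh - added example, not Cloudron's own code.
# Install every CA certificate from an uploaded chain file (leaf +
# intermediates + root in one PEM file) into the container trust store.
# Assumed layout (Debian/Ubuntu ca-certificates): PEM files with a .crt
# suffix under /usr/local/share/ca-certificates, picked up by
# update-ca-certificates. CA_DIR and the file names are placeholders.

CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/custom-ca-NN.crt for each certificate block and prints the
# number of blocks found. Text outside BEGIN/END markers is ignored.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        { sub(/\r$/, "") }                       # tolerate CRLF uploads
        /^-----BEGIN CERTIFICATE-----$/ {
            n++
            out = sprintf("%s/custom-ca-%02d.crt", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# is_ca_cert FILE
# Succeeds only when the certificate parses and has basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# install_chain BUNDLE
# Installs the CA certificates from BUNDLE into CA_DIR and refreshes the store.
install_chain() {
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$1" "$tmp")
    installed=0
    for f in "$tmp"/custom-ca-*.crt; do
        [ -e "$f" ] || continue
        if is_ca_cert "$f"; then
            install -m 0644 "$f" "$CA_DIR/"      # skip the leaf: not a trust anchor
            installed=$((installed + 1))
        fi
    done
    rm -rf "$tmp"
    echo "installed $installed of $count certificate(s) into $CA_DIR"
    update-ca-certificates
}

# verify_tls HOST PORT
# Checks that the refreshed system store now validates the wildcard cert.
verify_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# write_sample_bundle FILE
# Constructed placeholder bundle: three PEM blocks whose bodies are NOT real
# certificates (base64 of "PLACEHOLDER-..."), only enough to test the splitter.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVA==
-----END CERTIFICATE-----
EOF
}

# usage (as root inside the container):
#   . ./install_custom_ca.sh && install_chain /path/to/uploaded-chain.pem
#   verify_tls app.cloudron.domain.com 443 && echo trusted
```

For apps that keep their own trust list rather than reading the system store, the same bundle can be handed over without turning verification off: `REQUESTS_CA_BUNDLE` for Python/Requests (as in the Redash example) and `NODE_EXTRA_CA_CERTS` for Node, which adds the CA on top of the defaults, whereas `NODE_TLS_REJECT_UNAUTHORIZED=0` disables certificate checking for every outbound connection the app makes.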