    Cloudron Forum
    If the Custom Certificate option is chosen please map a path to the public keys into each container's ca-certificates or equivalent

    Feature Requests
    • ChristopherMag (last edited by nebulon)

      The Custom Certificate's documentation mentions that

      Intermediate Certs - You can upload a certificate chain by simply appending all the intermediate certs in the same cert file.

      In my scenario I use a wildcard certificate that was issued using our own root CA.

      Appending its public key to the certificate chain works fine to allow me to use the wildcard certificate in Cloudron, but there isn't a process in place to expose the public key of the custom root CA to each of the containers.

      It would be really helpful if all the public keys contained in whatever custom certificate file is uploaded using the Custom Certificate feature were automatically added/linked/exposed in the right spot in each container, so that those containers would automatically trust the wildcard cert and anything else from the root CA that issued it.

      Something like adding the following to the Dockerfile:

      ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
      RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

      Source

      Currently I have to be aware of this whenever adding new apps, as I may hit broken functionality and ambiguous errors that in the end track back to this issue and require their own app-specific workaround.

      Here are some examples:

      • Redash
        • cloudron env set --app redash.cloudron.domain.com REDASH_ENFORCE_PRIVATE_IP_BLOCK=false
        • Add a file named cloudronwildcard.pem that contains the public key for the wildcard certificate to the /app/data directory
        • cloudron env set --app redash.cloudron.domain.com REQUESTS_CA_BUNDLE=/app/data/cloudronwildcard.pem
      • N8N
        • cloudron env set --app n8n.cloudron.domain.com NODE_TLS_REJECT_UNAUTHORIZED=0
      • Onlyoffice
        • services.CoAuthoring.requestDefaults.rejectUnauthorized=false in /etc/onlyoffice/documentserver/defaults.json Source

      For these examples I believe if each of these containers was configured to trust all the public keys that were loaded when the custom certificate file was uploaded then N8N and Onlyoffice would work without anything extra, Redash may still require REDASH_ENFORCE_PRIVATE_IP_BLOCK=false but the other steps wouldn't be needed.
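As an added example (not code from the original post or from Cloudron), the following stdlib-only Python script does at the container level what the request above describes: it splits an uploaded PEM bundle, drops the leaf certificate, and stages each issuer certificate as its own 0644 `.crt` file for `update-ca-certificates`. It assumes the documented layout (server certificate first, intermediates and root appended after it); the destination directory, the `cloudron-custom-ca-*.crt` file names and the embedded sample bundle are placeholders I constructed, not real certificates.

```python
"""Stage the issuer certs from a custom-certificate PEM bundle for update-ca-certificates."""
import base64
import hashlib
import os
import re
import subprocess
import tempfile

# One PEM certificate block; the base64 body may be wrapped across several lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_pem_chain(bundle_text):
    """Return the DER bytes of every certificate in the bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(bundle_text)]

def to_pem(der):
    """Re-encode DER as one PEM certificate block with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def stage_ca_certs(bundle_text, dest_dir, skip_leaf=True, run_update=False):
    """Write each issuer cert as its own 0644 .crt under dest_dir and return the paths.

    Assumes the documented upload layout: server (leaf) cert first, then the appended
    intermediates and root. The leaf is not a CA, so it is skipped. Files are named by
    SHA-256 fingerprint, so re-running on the same bundle is idempotent.
    """
    certs = split_pem_chain(bundle_text)[1:] if skip_leaf else split_pem_chain(bundle_text)
    os.makedirs(dest_dir, exist_ok=True)
    written = []
    for der in certs:
        fingerprint = hashlib.sha256(der).hexdigest()[:16]
        path = os.path.join(dest_dir, f"cloudron-custom-ca-{fingerprint}.crt")  # placeholder name
        with open(path, "w") as fh:
            fh.write(to_pem(der))
        os.chmod(path, 0o644)  # same permissions as the chmod 644 in the Dockerfile snippet
        written.append(path)
    if run_update:  # needs root and the Debian/Ubuntu ca-certificates tooling
        subprocess.run(["update-ca-certificates"], check=True)
    return written

# Constructed sample: three blocks standing in for leaf, intermediate and root.
# The payloads are placeholder bytes, not real certificates.
SAMPLE_BUNDLE = "".join(to_pem(f"placeholder-cert-{i}".encode()) for i in range(3))

def demo():
    """Stage the constructed sample into a scratch directory and return the written paths."""
    return stage_ca_certs(SAMPLE_BUNDLE, tempfile.mkdtemp())
```

Trusting the issuing CA this way keeps certificate verification switched on, whereas the `NODE_TLS_REJECT_UNAUTHORIZED=0` and `rejectUnauthorized=false` workarounds listed above turn it off for every outbound TLS connection the app makes.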
