If the Custom Certificate option is chosen please map a path to the public keys into each container's ca-certificates or equivalent

ChristopherMag

The Custom Certificate's documentation mentions that

Intermediate Certs - You can upload a certificate chain by simply appending all the intermediate certs in the same cert file.

In my scenario I use a wild card certificate that was issued using our own root ca.

Appending its public key to the certificate chain works fine to allow me to use the wild card certificate in cloudron but there isn't a process in place to expose the public key of the custom root ca to each of the containers.

It would be really helpful if all the public keys contained in whatever custom certificate file is uploaded using the Custom Certificate feature were automatically added/linked/exposed in the right spot in each container so that those containers would automatically trust the wild card cert and anything else from the root ca that issued it.

Something like adding the following to the docker file:

ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

Source

Currently I have to be aware of this whenever adding new apps as I may hit broken functionality and ambigous errors that in the end track back to this issue and require their own app specific work around.

Here are some examples:

• Redash
  • cloudron env set --app redash.cloudron.domain.com REDASH_ENFORCE_PRIVATE_IP_BLOCK=false
  • Add a file named cloudronwildcard.pem that contains the public key for the wildcard certificate to the /app/data directory
  • cloudron env set --app redash.cloudron.domain.com REQUESTS_CA_BUNDLE=/app/data/cloudronwildcard.pem
• N8N
  • cloudron env set --app n8n.cloudron.domain.com NODE_TLS_REJECT_UNAUTHORIZED=0
• Onlyoffice
  • services.CoAuthoring.requestDefaults.rejectUnauthorized=false in /etc/onlyoffice/documentserver/defaults.json Source

For these examples I believe if each of these containers was configured to trust all the public keys that were loaded when the custom certificate file was uploaded then N8N and Onlyoffice would work without anything extra, Redash may still require REDASH_ENFORCE_PRIVATE_IP_BLOCK=false but the other steps wouldn't be needed.