Docker container SSL certificates
SslSsl CertificateDockerSsl Problem Overview
Is there any elegant way to add SSL certificates to images that have come from docker pull?.
I'm looking for a simple and reproducible way of adding a file into /etc/ssl/certs and run update-ca-certificates. (This should cover ubuntu and Debian images).
I'm using docker on CoreOS, and the CoreOS machine trusts the needed SSL certificates, but the docker containers obviously only have the default.
I've tried using docker run --entrypoint=/bin/bash
to then add the cert and run update-ca-certificates
, but this seems to permanently override the entry point.
I'm also wondering now, would it be more elegant to just mount /etc/ssl/certs
on the container from the host machines copy? Doing this would implicitly allow the containers to trust the same things as the host.
I'm at work with an annoying proxy that resigns everything :(. Which breaks SSL and makes containers kind-of strange to work with.
Ssl Solutions
Solution 1 - Ssl
Mount the certs onto the Docker container using -v
:
docker run -v /host/path/to/certs:/container/path/to/certs -d IMAGE_ID "update-ca-certificates"
Solution 2 - Ssl
I am trying to do something similar to this. As commented above, I think you would want to build a new image with a custom Dockerfile (using the image you pulled as a base image), ADD
your certificate, then RUN update-ca-certificates
. This way you will have a consistent state each time you start a container from this new image.
# Dockerfile
FROM some-base-image:0.1
ADD you_certificate.crt:/container/cert/path
RUN update-ca-certificates
Let's say a docker build
against that Dockerfile produced IMAGE_ID. On the next docker run -d [any other options] IMAGE_ID
, the container started by that command will have your certificate info. Simple and reproducible.
Solution 3 - Ssl
As was suggested in a comment above, if the certificate store on the host is compatible with the guest, you can just mount it directly.
On a Debian host (and container), I've successfully done:
docker run -v /etc/ssl/certs:/etc/ssl/certs:ro ...
Solution 4 - Ssl
You can use relative path to mount the volume to container:
docker run -v `pwd`/certs:/container/path/to/certs ...
Note the back tick on the pwd
which give you the present working directory. It assumes you have the certs
folder in current directory that the docker run
is executed. Kinda great for local development and keep the certs folder visible to your project.
Solution 5 - Ssl
I've written a script that wraps docker
and sets up the host's SSL certificates in the guest.
The bonus is that you don't need to rebuild any containers - it should Just Work.
It's called docker
, so you could either copy it somewhere on your $PATH
higher than docker
, or rename and put elsewhere.
Do let me know via Github if you have any issues with it!
Solution 6 - Ssl
This won't directly answer your question but this is how I solved the same issue.
I was running golang:1.16.4-buster
and nothing I tried with certificates worked. I switched to golang:1.17.8-alpine3.15
and it worked from the start without having to try to load any certificates. Plus, the bonus of a smaller distro.