My company is using self-signed TLS certificates for internal IT systems. In order to connect to said systems from Linux servers (Ubuntu 20.04 LTS), e.g., by means of curl, we have to put the CA certificate mycompany.crt in /usr/local/share/ca-certificates and do a sudo update-ca-certificates. Then everything works fine on the servers.

Now, when I run a container by executing podman run -it ubuntu:20.04 and do a

curl https://myinternalserver.mycompany/api/foo

I get an error

curl: (60) SSL certificate problem: unable to get local issuer certificate

Please note that curl was only an example. In our production case there are .NET applications and other programs inside the container that fail with similar errors due to missing CA certificates.

What's the easiest way to make our internal CA certificates from the host OS (in /usr/local/share/ca-certificates) known to the container?

Should I mount /usr/local/share/ca-certificates into the container and execute update-ca-certificates in my ENTRYPOINT/CMD?

Or should I even bake the CA certificates into my container images? But then I would have to build custom images for each and every third-party container only for the purpose of the CA certificates.

Joerg

1 Answer

The only viable way to work with containers and certificates is volumes. Baking certificates into images is a nightmare. Thankfully, this question has been quite thoroughly answered here. Hopefully this helps.

  • Thank you for your answer and the link. I agree that baking certificates into images is not the way to go. However, I still wonder how the proposed solution plays nicely with the `CMD` or `ENTRYPOINT` defined in the Containerfile. I commented on the answer you linked. Maybe you could add a few sentences there, too? That would be great. – Joerg Jan 26 '22 at 08:26
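One way to combine the question's idea (bind-mount the host CA directory, run update-ca-certificates in the container) with the comment's concern about the image's own CMD, as an added example that is not part of the question or the answer: a small wrapper that validates the host directory, mounts it read-only, and overrides the entrypoint with a one-liner that refreshes the trust store and then execs the requested command. It assumes podman on the host, a Debian/Ubuntu-based image that ships update-ca-certificates, and PEM certificates stored as *.crt files; check_ca_dir, ca_volume_spec and run_with_host_ca are names chosen here.

```shell
#!/bin/sh
# Added example, not from the question or answer. Runs an unmodified third-party
# image with the host's custom CA directory bind-mounted read-only and refreshes
# the container's trust store before exec'ing the real command.
# Assumes: podman on the host, a Debian/Ubuntu-based image that ships
# update-ca-certificates, and certificates stored as PEM files ending in .crt.

# Validate the host CA directory before mounting it. update-ca-certificates only
# picks up *.crt files, so an empty or mis-named directory is caught early.
check_ca_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "error: $dir is not a directory" >&2; return 1; }
    n=$(find "$dir" -maxdepth 1 -name '*.crt' | wc -l)
    [ "$n" -gt 0 ] || { echo "error: no .crt files in $dir" >&2; return 1; }
}

# Volume spec for podman: read-only, so nothing inside the container can drop a
# CA into the shared directory that the host would later trust.
ca_volume_spec() {
    printf '%s' "$1:/usr/local/share/ca-certificates:ro"
}

# In-container wrapper passed via --entrypoint: rebuild /etc/ssl/certs from the
# mounted directory, then exec the requested command so signals and the exit
# code pass straight through. A failed update is reported, not fatal.
CA_ENTRYPOINT='update-ca-certificates >/dev/null 2>&1 ||
  echo "warning: could not update CA store" >&2; exec "$@"'

# run_with_host_ca <host-ca-dir> <image> <command...>
# Overriding --entrypoint discards the image's own CMD, so the command must be
# given explicitly. Set DRY_RUN=1 to print the podman command instead of running it.
run_with_host_ca() {
    dir="$1"; image="$2"; shift 2
    check_ca_dir "$dir" || return 1
    set -- podman run --rm --volume "$(ca_volume_spec "$dir")" \
        --entrypoint /bin/sh "$image" -c "$CA_ENTRYPOINT" sh "$@"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}
```

Example call: `run_with_host_ca /usr/local/share/ca-certificates ubuntu:20.04 curl https://myinternalserver.mycompany/api/foo`; images built on other distributions need their own trust-store refresh command in place of update-ca-certificates.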