I am running an ASP.NET Core 1.1 Web API in a Docker 1.13.1 container on Ubuntu 14.04.
When the code attempts to retrieve some data from an HTTPS server, I get this
It's also worth noting that this definitely needs to use the .crt extension. I initially tried this with a .pem cert file (I thought they were interchangeable, so others might also), which is not linked by update-ca-certificates.
Installing ca-certificates:

# Install ca-certificates
# Please locate the cert_file_name.crt file in the same directory as the Dockerfile.
COPY cert_file_name.crt /usr/share/ca-certificates/
# Register the file in the system list and rebuild the bundle in one layer
RUN echo cert_file_name.crt >> /etc/ca-certificates.conf && update-ca-certificates

This will update certificates in the Dockerfile.
The task itself is not specific to Docker, as you would need to add that CA on a normal system too. There is an answer on the askubuntu community on how to do this.
So in a Dockerfile you would do the following (don't forget chmod in case you're running the container with a user other than root):

# COPY is the idiomatic choice for a plain local file (ADD also unpacks archives and fetches URLs)
COPY your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
# Make the file readable for non-root users, then rebuild /etc/ssl/certs
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
To simplify/standardise all container builds, we now host our certificates on a central HTTPS server and build them into our containers like this:
# Debian stretch based container
# -k: skip verification of the cert host's own TLS certificate (the enterprise CA is not trusted yet),
# so this download itself is unauthenticated
RUN curl -ks 'https://cert.host.server/ssl_certs/EnterpriseRootCA.crt' -o '/usr/local/share/ca-certificates/EnterpriseRootCA.crt'
RUN /usr/sbin/update-ca-certificates
Alpine-based containers don't have the tools immediately available so require a bit more work to achieve the same:
# Alpine based containers
# ca-certificates provides update-ca-certificates; --no-cache keeps the apk index out of the layer
RUN apk add --no-cache curl ca-certificates
WORKDIR /usr/local/share/ca-certificates
# -k: skip verification of the cert host's own TLS certificate (the enterprise CA is not trusted yet),
# so this download itself is unauthenticated
RUN curl -ks 'https://cert.host.server/ssl_certs/EnterpriseRootCA.crt' -o '/usr/local/share/ca-certificates/EnterpriseRootCA.crt'
RUN /usr/sbin/update-ca-certificates
If you also want to update your Java truststore (same as on any computer):
RUN keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias EnterpriseRootCA -file EnterpriseRootCA.crt
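Two things in the answers above bite in practice: update-ca-certificates only picks up PEM-encoded files named *.crt (the .pem remark earlier), and a curl -k download trusts whatever the cert host returns, so a man-in-the-middle on that first fetch could plant their own root CA in every image. The helper below is an added example, not code from any answer on this page. It normalises PEM or DER input to PEM under the .crt name and refuses to stage the file unless its SHA-256 fingerprint matches a value known out of band (for example from openssl x509 -noout -fingerprint -sha256 run against the original CA). The function names, the default directory and the reuse of the EnterpriseRootCA name are my choices; it needs only POSIX sh plus base64 and sha256sum from coreutils or busybox.

```shell
#!/bin/sh
# Added example (not from any answer on this page): stage a CA certificate into the
# container trust store only after its SHA-256 fingerprint matches a pinned value,
# and normalise it to the PEM + .crt form that update-ca-certificates requires.
# Needs only POSIX sh plus base64/sha256sum (coreutils or busybox); no openssl.
set -eu

# Print the certificate in PEM form whatever the input encoding or extension.
# Returns 1 if the file is neither PEM nor DER (DER always starts with a SEQUENCE tag, 0x30).
to_pem() {
  f="$1"
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
    cat "$f"
  elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    base64 "$f" | tr -d '\n' | fold -w 64
    echo
    printf '%s\n' '-----END CERTIFICATE-----'
  else
    return 1
  fi
}

# SHA-256 over the DER encoding, formatted like `openssl x509 -noout -fingerprint -sha256`
# (upper-case hex pairs separated by colons). Returns 1 for non-certificate input.
fingerprint() {
  pem="$(to_pem "$1")" || return 1
  printf '%s\n' "$pem" | sed '/^-----/d' | tr -d '\n' | base64 -d | sha256sum \
    | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# stage_ca SRC NAME EXPECTED_FINGERPRINT [DIR]
# Writes SRC as DIR/NAME.crt (PEM, mode 644) only if its fingerprint equals EXPECTED_FINGERPRINT.
# DIR defaults to the directory update-ca-certificates scans on Debian, Ubuntu and Alpine.
stage_ca() {
  src="$1"; name="$2"; expected="$3"; dir="${4:-/usr/local/share/ca-certificates}"
  actual="$(fingerprint "$src")" || { echo "stage_ca: $src is not a PEM or DER certificate" >&2; return 1; }
  if [ "$actual" != "$expected" ]; then
    echo "stage_ca: refusing $src: fingerprint $actual does not match pinned $expected" >&2
    return 1
  fi
  mkdir -p "$dir"
  to_pem "$src" > "$dir/$name.crt"
  chmod 644 "$dir/$name.crt"   # readable when the container later runs as a non-root user
  echo "$dir/$name.crt"
}
```

In a Dockerfile you would COPY this script in, keep the curl -k fetch from the answer above for the download itself, then run `. /tmp/stage_ca.sh && stage_ca /tmp/EnterpriseRootCA.crt EnterpriseRootCA "$CA_SHA256" && update-ca-certificates` in the same RUN step, with CA_SHA256 passed as a build argument. The unverified download is then harmless: a swapped certificate fails the pin check and the build stops before anything is added to the trust store.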