CA certificates

The OCI container image we provide is based on Alpine Linux. The trusted CA certificates come from the ca-certificates package, which uses Mozilla's CA Certificate Program.

DES will, depending on configuration, need to communicate with various internal services on your side, such as:

  • Fetch JWKS from an internal endpoint
  • Send webhooks to an internal endpoint
  • Connect to and use internal S3 compatible storage services
  • Connect to a TLS-protected SMTP server for sending emails for managing access to DEPo

However, in a self-hosted environment it is not uncommon for such internal services to use TLS certificates issued by a private, self-signed root certificate. Such certificates will not be trusted by our image out of the box.

If this is the case for you, you generally have two options:

  1. Switch from TLS certificates issued by your self-signed root certificate(s) to TLS certificates issued by a CA that is already in the Alpine/Mozilla trust store
  2. Modify the image we provide to trust your self-signed root certificates

If option 2 above is the only viable option in your case you can build your own modified version of our image.

There are several ways to do this. Solving it is your own responsibility, but here is one approach that may work for you or serve as inspiration:

Create a Dockerfile containing the following:

# You probably want to pin this to a specific version tag instead of "latest"
FROM quay.io/dreamstech/des:latest
COPY ./your-own-ca.crt /usr/local/share/ca-certificates/your-own-ca.crt
# You need to be root temporarily to run "update-ca-certificates"
USER root
RUN update-ca-certificates
# Switch back to the non-root user
USER alpine

Then build your own image from the above Dockerfile, tag it according to your internal naming convention and push it to your private container registry of choice.
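The build and a check that the root was actually picked up, as an added example that is not part of this documentation. It assumes docker on PATH, the Dockerfile above in the current directory, the CA file referenced by its COPY line passed as the third argument, and the image name des-with-internal-ca and the registry host are placeholders of your choosing.

```sh
#!/bin/sh
# Added example: build the DES image with a private root CA and verify it.
set -eu

BUNDLE=/etc/ssl/certs/ca-certificates.crt   # merged bundle written by update-ca-certificates on Alpine

# update-ca-certificates only processes PEM files named *.crt under
# /usr/local/share/ca-certificates; anything else is silently ignored,
# so catch that before spending a build on it.
check_ca_file() {
  f="$1"
  case "$f" in
    *.crt) ;;
    *) echo "$f: file name must end in .crt" >&2; return 1 ;;
  esac
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "$f: not a PEM certificate (DER?)" >&2; return 1; }
  grep -q -- '-----END CERTIFICATE-----' "$f"   || { echo "$f: PEM block is truncated" >&2; return 1; }
}

# Number of certificates in a PEM file or bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Image reference in a "registry/name:tag" convention (constructed name).
image_ref() { printf '%s/des-with-internal-ca:%s\n' "$1" "$2"; }

# Count the roots an image trusts by reading the bundle inside it.
trusted_roots_in() {
  docker run --rm --entrypoint sh "$1" -c "grep -c -- '-----BEGIN CERTIFICATE-----' $BUNDLE"
}

build_and_verify() {
  registry="$1"; tag="$2"; ca="$3"
  check_ca_file "$ca"
  base=$(awk '/^FROM/ { print $2; exit }' Dockerfile)   # base image as written in the Dockerfile
  ref=$(image_ref "$registry" "$tag")
  docker build -t "$ref" .
  before=$(trusted_roots_in "$base")
  after=$(trusted_roots_in "$ref")
  added=$(count_certs "$ca")
  [ "$after" -eq $((before + added)) ] || { echo "bundle in $ref did not grow by $added" >&2; return 1; }
  echo "ok: $ref trusts $after roots ($added added); push with: docker push $ref"
}

if [ $# -eq 3 ]; then build_and_verify "$@"; fi
```

Run it as `sh build.sh registry.internal.example 1.2.3 ./your-own-ca.crt`; the count comparison catches the common failure where the file was copied but never merged into the bundle.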