-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Custom CA
When using TLS with a custom CA, there are a few variables that need to be set up.
Make sure that on the docker host has the self-signed trusted CA certificate in the OS cert bundle (e.g. in Ubuntu / Debian /etc/ssl/certs/ca-certificates.crt or in RHEL /etc/ssl/certs/ca-bundle.crt).
For HTTPS repos, the Python requests package is used, which does not use the SSL_CERT_FILE environment variable. By default, requests is shipped with a dedicated (OS independent) trusted CA bundle. It relies on certifi as CA bundle source.
In order to override this, override the env variable REQUESTS_CA_BUNDLE.
Adjust the /path/to/os/cert/file and update the docker-compose.override.yml as follows:
---
services:
netbox:
environment:
REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
volumes:
- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
netbox-worker:
environment:
REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
volumes:
- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:roThis overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
Netbox LDAP uses django-ldap-auth which in turn uses the python-ldap package.
This package currently does not support cert bundles with EV data which are often delivered by modern OS (e.g. in RHEL /etc/ssl/certs/ca-bundle.trust.crt)
Make sure to use the cert bundle without the EV data (e.g. in RHEL /etc/ssl/certs/ca-bundle.crt)
Adjust the /path/to/os/cert/file and update the docker-compose.override.yml as follows:
---
services:
netbox:
environment:
LDAP_IGNORE_CERT_ERRORS: False
LDAP_CA_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
volumes:
- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:roThis overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).