Docker Image Certificate Authority

integration
ucs-4-2

#1

What are the steps to include the UCS CA within a docker image?


#2

Hello @texas-aggie,

may I ask what your purpose is? Are you asking to include one because you are using an app? Or are you interested in running your own docker image on UCS?

Best regards,
Nico


#3

@guiden Specifically, I’m troubleshooting a docker image where the UCS CA isn’t being used, causing the authentication mechanism to fail. My efforts to identify the problem have led up to this question. Refer to my most recent posts if you’re curious about which image. If I’m correct that this is the problem, then I may get the developer’s attention to correct their build. The possibility of rolling an app in docker is certainly interesting for the future.


#4

Hello @texas-aggie,

there are basically two ways to include the UCS CA certificate within the docker container:

  1. Use a docker volume and mount the certificate store from the UCS host into the docker container. This setting has to be done by the app itself. For example the file /etc/ssl/certs/ca-certificates.crt and the directory /etc/univention/ssl/ucsCA/ could be used in the container this way. For a durable solution the app provider should check this way for a solution.
  2. For a running container you could copy the certificate inside the container. On the UCS host you could execute:

         cat /etc/univention/ssl/ucsCA/CAcert.pem | \
         docker exec -i "$(ucr get appcenter/apps/<<<the app id>>>/container)" \
         bash -c 'cat >> <<<directory for the ca bundle file>>>/ca-bundle.crt'

What you need could be different but similar. But it should give you an idea how to get the certificate inside the container. I hope this helps.

Best regards,
Nico
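An added example, not part of the original posts: the `cat >>` in option 2 appends another copy of the CA every time it is run, so this sketch checks whether the certificate is already in the bundle and appends it only once. The function names are hypothetical, and the PEM blocks in `demo` are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent version of the append step.

# pem_bodies FILE: one line per certificate, base64 body with whitespace removed.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# bundle_has_ca BUNDLE CA: 0 = CA found in BUNDLE, 1 = missing, 2 = CA has no PEM block.
bundle_has_ca() {
    ca_body=$(pem_bodies "$2" | head -n 1)
    [ -n "$ca_body" ] || return 2
    pem_bodies "$1" | grep -qxF -- "$ca_body"
}

# ensure_ca_in_bundle BUNDLE CA: append CA once; prints present, added or an error word.
ensure_ca_in_bundle() {
    [ -f "$1" ] || { echo "no-bundle"; return 1; }
    rc=0
    bundle_has_ca "$1" "$2" || rc=$?
    case $rc in
        0) echo "present"; return 0 ;;
        2) echo "invalid-ca"; return 1 ;;
    esac
    # Keep PEM blocks on their own lines if the bundle lacks a final newline.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then printf '\n' >> "$1"; fi
    cat "$2" >> "$1" && echo "added"
}

# demo: constructed placeholder PEM blocks (not real certificates) in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtT1RIRVItQ0E=' \
        '-----END CERTIFICATE-----' > "$d/ca-bundle.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtVUNTLUNB' \
        '-----END CERTIFICATE-----' > "$d/CAcert.pem"
    first=$(ensure_ca_in_bundle "$d/ca-bundle.crt" "$d/CAcert.pem")
    second=$(ensure_ca_in_bundle "$d/ca-bundle.crt" "$d/CAcert.pem")
    count=$(grep -c 'BEGIN CERTIFICATE' "$d/ca-bundle.crt")
    rm -rf "$d"
    echo "$first $second $count"
}

demo
```

The second call reports `present` and leaves the bundle at two certificates, which is the check to repeat after a container is recreated, since option 2 does not persist.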


#5

At least we can verify if that’s the issue with the non-persistent option. Then I can make the developer aware of the issue.

Thank you.