How to install a CA certificate on Nextcloud Docker?

Hello all,

We are using UCS 4.4.x with Nextcloud 17 here. We have an active deep inspection from Fortinet. This works normally with the UCS server, but PHP in Nextcloud does not see the CA. So where must I install the CA certificate in Docker/Nextcloud/PHP so that it will not be overwritten on updates?

Thanks a lot :slight_smile:

Hi @boospy,

the easiest is to modify the app in general to simply mount /etc/ssl from the host into the container. With this all certificates that are trusted on the host are also automatically trusted in the container. This is also how I have implemented it for the Kopano Meet app.

This is though something that the app maintainer would need to change.

For a quick test you could set the ucr variable appcenter/apps/nextcloud/docker/params (will not exist by default) to -v /etc/ssl:/etc/ssl (untested). This will extend the docker command used to create the container.

Hello :slight_smile:

and thanks for your answer. I have done that, first directly with Docker, then with a bind mount. But Docker did not see the certificates. What can I do besides manually editing the container?

Supplement: Even if I save my certificates in the container under “/usr/local/share/ca-certificates/” and execute “update-ca-certificates”, it does not work. Why not?

root@nextc-13430874:/usr/local/share/ca-certificates# update-ca-certificates  
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Was the mount actually applied to the container? What did mount show when running inside of it?

Since the command said it added a certificate it seems it was imported successfully, connections should now be trusted. Not quite sure if the app in question maybe gets ssl certificates from another location?

I had the wrong certificate, now it works :innocent:

So it is not enough to include the directory or to copy the certificate into it. You have to execute the command to update the certificates.

Is it possible to set this for this Docker container? Because in this case I must re-add the cert on updates, or maybe on reboots too.

Like I said: the best would be to simply mount /etc/ssl from the host.


OK, it is really too hard to do this in Docker, because of reboots and ID modifications on update. I do this with dnsfilter from the firewall; that must be enough.
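Added example, not written by anyone in this thread: a POSIX shell check of whether a CA placed in the container has actually been merged into the bundle file, which is the step the thread found necessary beyond copying or mounting the certificate. The bundle path /etc/ssl/certs/ca-certificates.crt is the Debian default and is an assumption about this image; the file name inspect-ca.crt and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is a CA from the local CA directory really in the bundle
# that TLS clients read? Compares PEM bodies, so no openssl is needed.

# Print each PEM certificate in file $1 as one line of base64.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# ca_bundle_status CERT BUNDLE prints one of:
#   no-cert     CERT is unreadable or holds no PEM certificate
#   no-bundle   BUNDLE is unreadable (mount not applied, bundle never built)
#   not-merged  CERT is not in BUNDLE (copied or mounted, bundle not rebuilt)
#   merged      every certificate in CERT is present in BUNDLE
ca_bundle_status() {
    cert=$1; bundle=$2
    [ -r "$cert" ] || { echo no-cert; return 0; }
    [ -r "$bundle" ] || { echo no-bundle; return 0; }
    wanted=$(pem_bodies "$cert")
    [ -n "$wanted" ] || { echo no-cert; return 0; }
    have=$(pem_bodies "$bundle")
    for body in $wanted; do
        printf '%s\n' "$have" | grep -qxF -- "$body" ||
            { echo not-merged; return 0; }
    done
    echo merged
}

# Constructed demo: PEM-shaped placeholders, not real certificates.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQt' \
        'SU5TUEVDVElPTi1DQQ==' '-----END CERTIFICATE-----' > "$d/inspect-ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtUFVCTElDLUNB' \
        '-----END CERTIFICATE-----' > "$d/bundle.crt"
    before=$(ca_bundle_status "$d/inspect-ca.crt" "$d/bundle.crt")
    cat "$d/inspect-ca.crt" >> "$d/bundle.crt"   # stands in for update-ca-certificates
    after=$(ca_bundle_status "$d/inspect-ca.crt" "$d/bundle.crt")
    rm -rf "$d"
    echo "$before $after"
}

# Real use inside the container (file name is hypothetical):
# ca_bundle_status /usr/local/share/ca-certificates/inspect-ca.crt \
#     /etc/ssl/certs/ca-certificates.crt
```

A result of merged only shows that the file is in the bundle; it does not show that it is the CA the inspecting firewall actually signs with.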