Missing documentation for "HostCertificateAccess"


#1

Hello,
how is host certificate access gained if HostCertificateAccess is set to true?
More specifically: Can I access a pkcs12 file?
Is the keyfile password protected?
Does the app get notified if the certificate is updated / resigned?
Regards,
Boris


#2

Hello @bheithecker,

can you please provide some more context on what you intend to do and what you’d expect?

Best regards,
Nico


#3

I simply need to know how to access the key and certificate files from within the container.
Found this for a start now:
https://help.univention.com/t/renewing-the-ssl-certificates/37


#4

Hi,

If an App defines HostCertificateAccess=True in its meta data, exactly one thing happens: The DockerVolumes include /etc/univention/ssl/$fqdn:/etc/univention/ssl/$fqdn:ro. So, the certificates are mapped into the container read-only. This includes:

  • cert.pem
  • openssl.cnf
  • private.key
  • req.pem

The purpose of this option is to enable Apps to answer with the certificate of the Docker Host when a connection is established. The Docker Container is “hidden” behind the actual host and only App specific ports are exposed. When a client tries to communicate with the App, it does so by connecting to the Docker Host. Therefore the App may need to identify as the host.

Currently, the App gets no notification if any file changes. We are working on an update so that Apps will be able to add hooks when the certificate changes.
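As an added example (not Univention code or part of this thread), here is what an App running inside the container can do with the mount described in #4: verify that `cert.pem` and `private.key` are present, readable only by the owner, mounted read-only and belong together, and, because no renewal notification is delivered, poll the files for changes. `HOST_FQDN` as an environment variable and the `on_change` callback are assumptions of this example.

```python
# Added example: an App-side check for the read-only mount that
# HostCertificateAccess=True creates. Not Univention code.
import hashlib, os, socket, ssl, stat, time

# Assumption: HOST_FQDN names the Docker host; gethostname() is only a fallback.
CERT_DIR = "/etc/univention/ssl/" + (os.environ.get("HOST_FQDN") or socket.gethostname())
WATCHED = ("cert.pem", "private.key")

def snapshot(cert_dir):
    """Return {name: sha256 hex} for the watched files, None when missing."""
    result = {}
    for name in WATCHED:
        try:
            with open(os.path.join(cert_dir, name), "rb") as fh:
                result[name] = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            result[name] = None
    return result

def audit(cert_dir):
    """Defender-side sanity checks on the mounted directory."""
    issues = [f"missing: {n}" for n in WATCHED
              if not os.path.isfile(os.path.join(cert_dir, n))]
    key = os.path.join(cert_dir, "private.key")
    if os.path.isfile(key) and os.stat(key).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append("private.key readable by group/others")
    if os.access(cert_dir, os.W_OK):  # a :ro bind mount makes this False
        issues.append("mount is writable, expected :ro")
    return issues

def pair_loads(cert_dir):
    """True if cert.pem and private.key parse and belong together."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(os.path.join(cert_dir, "cert.pem"),
                            os.path.join(cert_dir, "private.key"))
        return True
    except (ssl.SSLError, OSError):
        return False

def watch(cert_dir, on_change, interval=60):
    """No notification arrives on renewal, so poll for content changes."""
    last = snapshot(cert_dir)
    while True:
        time.sleep(interval)
        now = snapshot(cert_dir)
        if now != last:
            on_change(last, now)  # e.g. reload the TLS listener
            last = now
```

`audit(CERT_DIR)` and `pair_loads(CERT_DIR)` are suited to a container start-up or health check; `watch()` runs in a background thread of the App.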