Created Custom CA (markdown)

Grische 2025-04-04 11:26:18 +02:00
parent ca4adc7bfc
commit 51cbb190e9

53
Custom-CA.md Normal file

@ -0,0 +1,53 @@
When using TLS with a custom CA, there are a few variables that need to be set up.
Make sure that on the docker host has the self-signed trusted CA certificate in the OS cert bundle (e.g. in Ubuntu / Debian `/etc/ssl/certs/ca-certificates.crt` or in RHEL `/etc/ssl/certs/ca-bundle.crt`).
## For GIT datasources
For HTTPS repos, the Python `requests` package is used, which does not use the `SSL_CERT_FILE` environment variable. By default, `requests` is shipped with a dedicated (OS independent) trusted CA bundle. It relies on `certifi` as CA bundle source.
In order to override this, override the env variable `REQUESTS_CA_BUNDLE`.
Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows:
```yaml
---
services:
netbox:
environment:
REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
volumes:
volumes:
- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
netbox-worker:
environment:
REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
volumes:
volumes:
- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
```
This overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
## For LDAPS
Netbox [[LDAP]] uses django-ldap-auth which in turn uses the python-ldap package.
This package currently does not support cert bundles with [EV data](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) which are often delivered by modern OS (e.g. in RHEL `/etc/ssl/certs/ca-bundle.trust.crt`)
Make sure to use the cert bundle without the EV data (e.g. in RHEL `/etc/ssl/certs/ca-bundle.crt`)
Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows:
```yaml
---
services:
netbox:
environment:
LDAP_IGNORE_CERT_ERRORS: False
LDAP_CA_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
volumes:
- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
```
This overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
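Review bot: In the first compose override (the `netbox` and `netbox-worker` services) the `volumes:` key is written twice in a row under each service, which makes the mapping invalid or nests the bind mount under a second `volumes` mapping instead of the service's volume list; keep a single `volumes:` above the `- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro` entry, as the LDAPS override further down already does. Two smaller points in the same hunk: `LDAP_IGNORE_CERT_ERRORS: False` is parsed as a YAML boolean rather than a string, so quoting it (`"False"`) is safer for environment values across compose versions, and the LDAP package is named `django-auth-ldap` on PyPI, not `django-ldap-auth`.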