diff --git a/Custom-CA.md b/Custom-CA.md new file mode 100644 index 0000000..8fedfd6 --- /dev/null +++ b/Custom-CA.md 
@@ -0,0 +1,53 @@ +When using TLS with a custom CA, there are a few variables that need to be set up. + +Make sure that on the docker host has the self-signed trusted CA certificate in the OS cert bundle (e.g. in Ubuntu / Debian `/etc/ssl/certs/ca-certificates.crt` or in RHEL `/etc/ssl/certs/ca-bundle.crt`). + +## For GIT datasources + +For HTTPS repos, the Python `requests` package is used, which does not use the `SSL_CERT_FILE` environment variable. By default, `requests` is shipped with a dedicated (OS independent) trusted CA bundle. It relies on `certifi` as CA bundle source. +In order to override this, override the env variable `REQUESTS_CA_BUNDLE`. + +Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows: + +```yaml +--- +services: + netbox: + environment: + REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt + volumes: + volumes: + - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro + netbox-worker: + environment: + REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt + volumes: + volumes: + - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro +``` + +This overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well). + + +## For LDAPS + +Netbox [[LDAP]] uses django-ldap-auth which in turn uses the python-ldap package. +This package currently does not support cert bundles with [EV data](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) which are often delivered by modern OS (e.g. in RHEL `/etc/ssl/certs/ca-bundle.trust.crt`) + +Make sure to use the cert bundle without the EV data (e.g. 
in RHEL `/etc/ssl/certs/ca-bundle.crt`) + + +Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows: + +```yaml +--- +services: + netbox: + environment: + LDAP_IGNORE_CERT_ERRORS: False + LDAP_CA_CERT_FILE: /etc/ssl/certs/ca-certificates.crt + volumes: + - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro +``` + +This overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
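Review bot: the `volumes:` key is duplicated on consecutive lines under both `netbox:` and `netbox-worker:` in the GIT datasources example, so the bind mount list ends up nested under a second `volumes` mapping key instead of being the service's volume list, and Compose will reject the file; drop the second `volumes:` in each service so it reads `volumes:` followed directly by `- /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro`. In the LDAPS example `LDAP_IGNORE_CERT_ERRORS: False` is parsed as a YAML boolean rather than a string; quote it (`LDAP_IGNORE_CERT_ERRORS: "False"`) so the value reaches the container unchanged. Minor wording: "Make sure that on the docker host has" should read "Make sure that the Docker host has", the sentence ending "(e.g. in RHEL `/etc/ssl/certs/ca-bundle.crt`)" is missing its terminating period, and the LDAP backend package is published as `django-auth-ldap`, so please double-check the `django-ldap-auth` spelling.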