From 51cbb190e91cc6a8db83c2f2c3eb26492936f6e1 Mon Sep 17 00:00:00 2001
From: Grische <2787581+grische@users.noreply.github.com>
Date: Fri, 4 Apr 2025 11:26:18 +0200
Subject: [PATCH] Created Custom CA (markdown)

---
 Custom-CA.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 Custom-CA.md

diff --git a/Custom-CA.md b/Custom-CA.md
new file mode 100644
index 0000000..8fedfd6
--- /dev/null
+++ b/Custom-CA.md
@@ -0,0 +1,53 @@
+When using TLS with a custom CA, there are a few variables that need to be set up.
+
+Make sure that on the docker host has the self-signed trusted CA certificate in the OS cert bundle (e.g. in Ubuntu / Debian `/etc/ssl/certs/ca-certificates.crt` or in RHEL `/etc/ssl/certs/ca-bundle.crt`). 
+
+## For GIT datasources
+
+For HTTPS repos, the Python `requests` package is used, which does not use the `SSL_CERT_FILE` environment variable. By default, `requests` is shipped with a dedicated (OS independent) trusted CA bundle. It relies on `certifi` as CA bundle source.
+In order to override this, override the env variable `REQUESTS_CA_BUNDLE`.
+
+Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows:
+
+```yaml
+---
+services:
+  netbox:
+    environment:
+        REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
+    volumes:
+    volumes:
+      - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
+  netbox-worker:
+    environment:
+        REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
+    volumes:
+    volumes:
+      - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
+```
+
+This overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
+
+
+## For LDAPS
+
+Netbox [[LDAP]] uses django-ldap-auth which in turn uses the python-ldap package.
+This package currently does not support cert bundles with [EV data](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) which are often delivered by modern OS (e.g. in RHEL `/etc/ssl/certs/ca-bundle.trust.crt`)
+
+Make sure to use the cert bundle without the EV data (e.g. in RHEL `/etc/ssl/certs/ca-bundle.crt`)
+
+
+Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows:
+
+```yaml
+---
+services:
+  netbox:
+    environment:
+      LDAP_IGNORE_CERT_ERRORS: False
+      LDAP_CA_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
+    volumes:
+      - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
+```
+
+This overrides the trusted CA certificates within the containers, with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
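Review bot: the first YAML block repeats the `volumes:` key in both the `netbox` and `netbox-worker` services (`    volumes:` appears twice in a row before `      - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro`); a YAML mapping cannot contain the same key twice, so Compose will refuse to load this override file as written, and a reader who copies it will hit a parse error before the CA bundle is ever mounted. Drop one of the two `volumes:` lines in each service, as the LDAPS block further down already does. While there, the `environment:` entries in that first block are indented eight spaces while the `volumes:` list items use six; both parse, but aligning them to the two-space style of the LDAPS block avoids confusion when the two snippets are merged into one override file. Minor wording nit in the opening paragraph: "Make sure that on the docker host has the self-signed trusted CA certificate" reads better as "Make sure that the Docker host has the self-signed CA certificate in its OS cert bundle".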