
> Set up a corporate CA and use it for your internal certificates.

Good luck with Docker containers running any Unix software that bundles the "default" root CAs along with it.



Clients need the CA cert in their trust store, not servers. Clients get it by the act of enrolling into an AD or FreeIPA domain.

On the docker side (or rather on the reverse proxy that provides access to them) you are solving a different problem and it does not matter whether the key/cert is provided by your internal CA or a third-party one.


Just build your own docker container based on the one you want. E.g.:

  FROM kanboard/kanboard:stable
  ADD ownca.crt /usr/local/share/ca-certificates/ownca.crt
  RUN /usr/sbin/update-ca-certificates


The problem is you can't do this for every Docker image you have, particularly for a large organization. It defeats the whole point of having base images if you need "include" Dockerfiles. If Docker had a way to build from multiple base images, that might fix the issue, but I believe they removed that bug/feature a while back.
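An audit script for the fleet-wide gap described above, added here as an example and not code from the thread: it decides whether a container's CA bundle already carries the internal root, so images that were never rebuilt with the `ADD ownca.crt` step can be found. It assumes the bundle is read from stdin (for Debian- or Alpine-based images that means the file `update-ca-certificates` writes, `/etc/ssl/certs/ca-certificates.crt`) and that `ownca.crt` is a PEM file; the sample certificates below are constructed placeholders, not real X.509 data.

```python
"""Check a CA bundle (stdin) for the internal root CA given as argv[1].

Example use (assumed invocation, not from the thread):
  docker run --rm IMAGE cat /etc/ssl/certs/ca-certificates.crt \
      | python3 ca_check.py ownca.crt
"""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text: str) -> set:
    """SHA-256 (hex) of the DER bytes of every CERTIFICATE block in text.

    Hashing decoded DER rather than the PEM text makes the comparison
    independent of line wrapping or whitespace differences between files.
    """
    fps = set()
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def bundle_contains(bundle_text: str, ca_text: str) -> bool:
    """True if every certificate in ca_text is present in bundle_text."""
    wanted = pem_fingerprints(ca_text)
    if not wanted:
        raise ValueError("no CERTIFICATE block found in the CA file")
    return wanted <= pem_fingerprints(bundle_text)


def _fake_pem(body: bytes, width: int = 64) -> str:
    """Constructed sample PEM block; the payload is NOT a real certificate."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


OWN_CA = _fake_pem(b"constructed placeholder for the internal root CA")
BUNDLE_WITHOUT = _fake_pem(b"constructed placeholder for a public root CA")
# Same internal CA appended, but wrapped differently than in OWN_CA.
BUNDLE_WITH = BUNDLE_WITHOUT + _fake_pem(
    b"constructed placeholder for the internal root CA", width=20)

if __name__ == "__main__":
    present = bundle_contains(sys.stdin.read(), open(sys.argv[1]).read())
    print("internal CA present" if present else "internal CA MISSING")
    sys.exit(0 if present else 1)
```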



