workspaces-issues icon indicating copy to clipboard operation
workspaces-issues copied to clipboard

Published 20 hours ago verified publisher icon kasmtech

How do we add additional trusted CA certificates to Docker?

Open Taomyn opened this issue 8 months ago • 4 comments

Describe the bug I have Kasm set up successfully and even have it using certificates generated by my local CA, However, I'm finding that from within Kasm it's unable to connect to other services using certificates from the same CA. For example, a Brave workspace could not connect to my Zabbix box because it did not trust the certificate until I added the CA to Brave. Unfortunately this isn't always possible and is quite inconvenient to need to do this to each workspace every time especially as an update will revert changes. It's also causing problems trying to use a Nextcloud as a storage server, as it too gets rejected because its certificate is not trusted in Docker.

To Reproduce Steps to reproduce the behavior:

  1. Connect to any SSL service using an untrusted CA signed certificate

Expected behavior Connections should be trusted

Screenshots In Terminal workspace:

`default:~$ curl -v https://nextcloud.mydomain.com

  • Trying 192.168.1.70:443...
  • TCP_NODELAY set
  • Connected to nextcloud.mydomain.com (192.168.1.70) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (OUT), TLS alert, unknown CA (560):
  • SSL certificate problem: self signed certificate in certificate chain
  • Closing connection 0 curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html `

On the server itself after copying CA cert then using update-ca-certificates:

`root@KODOS:~# curl -v https://nextcloud.mydomain.com

  • Trying 192.168.1.70:443...
  • Connected to nextcloud.mydomain.com (192.168.1.70) port 443 (#0)
  • ALPN: offers h2,http/1.1
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN: server accepted http/1.1
  • Server certificate:
  • subject: CN=nextcloud.mydomain.com
  • start date: May 24 10:44:17 2024 GMT
  • expire date: May 24 10:44:17 2026 GMT
  • subjectAltName: host "nextcloud.mydomain.com" matched cert's "nextcloud.mydomain.com"
  • issuer: DC=com; DC=mydomain; CN=mydomain-SELMA-CA
  • SSL certificate verify ok.
  • using HTTP/1.1

GET / HTTP/1.1 Host: nextcloud.mydomain.com User-Agent: curl/7.88.1 Accept: / `

Workspaces Version 1.15

Workspaces Installation Method Single Server

Taomyn avatar Jun 19 '24 12:06 Taomyn