Trusting custom CAs with the variable TRUSTED_CACERTS_DIR does not work
Steps to reproduce
- Set the environment variable TRUSTED_CACERTS_DIR pointing to a directory which contains one or more CA certificates.
- Deploy AIO and start the containers.
Expected behavior
The directory specified in TRUSTED_CACERTS_DIR will be mounted into the nextcloud-aio-nextcloud container under /usr/local/share/ca-certificates and the command update-ca-certificates will be run. The certificate(s) are then trusted by the OS.
Actual behavior
- ✔ The directory specified in TRUSTED_CACERTS_DIR is mounted into the nextcloud-aio-nextcloud container under /usr/local/share/ca-certificates
- ✔ Log output works
- ❌ The command update-ca-certificates fails because of insufficient rights of the user www-data
- ❌ CA certificates are not trusted by the OS
Log output
Output of docker logs -f nextcloud-aio-nextcloud:
nc: getaddrinfo: Try again
Waiting for database to start...
now
-------------------------------
2022-09-21 07:16:46.821452+00
(1 row)
User required to trust additional CA certificates, running 'update-ca-certificates.
Failed to open temporary file /etc/ssl/certs/bundleXXXXXX for ca bundle
Configuring Redis as session handler...
Setting php max children...
[ ... ]
Host OS
Linux debjm01 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux
Nextcloud AIO version
2.0.3
Current channel
beta
Other valuable info
@szaimen Running update-ca-certificates with the user www-data will not work.
In my manual tests, I did run the command as root and didn't think about which user is going to run the start.sh script.
I am thinking about moving this section ...
# Trust additional Cacerts, if the user provided $TRUSTED_CACERTS_DIR
if [ -n "$TRUSTED_CACERTS_DIR" ]; then
    echo "User required to trust additional CA certificates, running 'update-ca-certificates."
    update-ca-certificates
fi
... out of start.sh and put it into entrypoint.sh, as it is run in the Dockerfile before the command USER www-data.
What do you think? Is it the right way to go about it?
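The point of the proposal above is that the system trust store can only be written by root, so the update has to happen before the container drops privileges. The following is an added example of how such an entrypoint step could be written; it is not the project's own entrypoint.sh. It assumes a Debian-style image where update-ca-certificates reads /usr/local/share/ca-certificates and writes /etc/ssl/certs/ca-certificates.crt, and the function names (trust_custom_cacerts, cacerts_dir_has_crt, can_update_trust_store, looks_like_pem_cert) and the CA_TARGET_DIR variable are hypothetical. It also adds two checks the original snippet lacks: that the process really is root, and that the mounted directory actually contains *.crt files, since update-ca-certificates silently ignores any other extension.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint.sh.
# Assumes a Debian-style image: update-ca-certificates reads *.crt files from
# /usr/local/share/ca-certificates and rebuilds /etc/ssl/certs/ca-certificates.crt.
# CA_TARGET_DIR is a hypothetical name for the in-container mount point.

CA_TARGET_DIR="${CA_TARGET_DIR:-/usr/local/share/ca-certificates}"

# Return 0 if the directory holds at least one *.crt file, 1 otherwise.
# update-ca-certificates only picks up files ending in .crt, so a file named
# my-CA.pem would be mounted but never trusted.
cacerts_dir_has_crt() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.crt; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Return 0 when the given uid may rewrite the system trust store.
# Only root can write /etc/ssl/certs, which is exactly why the step failed
# under www-data with "Failed to open temporary file /etc/ssl/certs/bundleXXXXXX".
can_update_trust_store() {
    [ "$1" -eq 0 ]
}

# Return 0 if the file looks like a PEM certificate, 1 otherwise.
# DER-encoded files would be ignored by update-ca-certificates.
looks_like_pem_cert() {
    grep -q -- "-----BEGIN CERTIFICATE-----" "$1" 2>/dev/null
}

# Orchestration as it would sit in entrypoint.sh, before privileges are
# dropped to www-data.  Exit codes: 0 done or nothing requested,
# 2 not running as root, 3 no *.crt files in the mounted directory.
trust_custom_cacerts() {
    if [ -z "$TRUSTED_CACERTS_DIR" ]; then
        return 0   # feature not requested by the user
    fi
    if ! can_update_trust_store "$(id -u)"; then
        echo "trust_custom_cacerts: must run as root, got uid $(id -u)" >&2
        return 2
    fi
    if ! cacerts_dir_has_crt "$CA_TARGET_DIR"; then
        echo "trust_custom_cacerts: no *.crt files found in $CA_TARGET_DIR" >&2
        return 3
    fi
    for f in "$CA_TARGET_DIR"/*.crt; do
        looks_like_pem_cert "$f" || \
            echo "warning: $f is not a PEM certificate and will be skipped" >&2
    done
    echo "User required to trust additional CA certificates, running 'update-ca-certificates'."
    update-ca-certificates
}
```

Running the check functions before calling update-ca-certificates turns the silent failure seen in the original log into an explicit exit code and message, which is much easier to spot in docker logs than a single "Failed to open temporary file" line among the normal startup output.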
All processes inside the container run as the www-data user, so there is currently no simple way to make this work, I fear.
Will need to think about a solution to this, but it will not block the v2.0.3 release that will come out next week. So it will get addressed earliest afterwards.
Needs https://github.com/nextcloud/all-in-one/issues/1233
It will get addressed with https://github.com/nextcloud/all-in-one/pull/1249
This is now fixed with v2.1.0 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
@szaimen Simon, it works!
My docker-compose.yml:
version: "3.8"
services:
  nextcloud:
    image: nextcloud/all-in-one:beta # Must be changed to 'nextcloud/all-in-one:latest-arm64' when used with an arm64 CPU
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation
    ports:
      - 8080:8080
    environment: # Is needed when using any of the options below
      - APACHE_PORT=11000 # Is needed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - NEXTCLOUD_DATADIR=/mnt/servers/nextcloud/data # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      - TRUSTED_CACERTS_DIR=/mnt/servers/nextcloud/cacerts # CA certificates in this directory will be trusted by the OS of the nextcloud container (useful e.g. for LDAPS). See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-ca
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed
Content of /mnt/servers/nextcloud/cacerts:
/mnt/servers/nextcloud/cacerts$ ls -lah
insgesamt 8,0K
drwxrwx--- 2 root root 0 4. Aug 10:42 .
drwxrwx--- 2 root root 4,0K 30. Sep 13:58 ..
-rw-rw---- 1 root root 2,0K 4. Aug 10:42 my-CA.crt
Log output of the nextcloud-aio-nextcloud container:
~$ docker logs -f nextcloud-aio-nextcloud
nc: getaddrinfo: Try again
Waiting for database to start...
now
-------------------------------
2022-11-02 13:43:49.208043+00
(1 row)
User required to trust additional CA certificates, running 'update-ca-certificates.
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
Configuring Redis as session handler...
Setting php max children...
System config value tempdirectory set to string /mnt/ncdata/tmp/
Applying one-click-instance settings...
LDAPS now works out of the box with our Domain Controllers 🎉
Please note that I forgot to close the quotation in the echo statement in start.sh. Can you correct it next time you change something in the file?
User required to trust additional CA certificates, running 'update-ca-certificates.
Great! The typo will be fixed in the next version :)