How can I add a custom CA trust bundle to my Docker Swarm Application?


#1

In some cases, it may be necessary to trust additional Certificate Authority (CA) certificates for requests to internal services. For example, if an HTTP Proxy uses an SSL cert that is signed by an internal CA, replicated must be configured to trust that internal CA.

At Install Time

This can be accomplished by providing the path to the CA certificate during the install step with the tls_cert_path parameter:

curl https://get.replicated.com/swarm-init | sudo bash -s tls_cert_path=/etc/pki/my-custom-bundle.cer

Similarly, for an airgapped installation, run

cat ./swarm-init.sh | sudo bash -s tls_cert_path=/etc/pki/my-custom-bundle.cer

For an existing installation

The stack can be updated in place with a new CA cert using the following command, replacing my-custom-bundle.cer

docker service update --mount-add type=bind,source=/etc/pki/my-custom-bundle.cer,target=/etc/ssl/certs/ca-certificates.crt,ro=1 replicated_replicated

Note

In both these cases, this can blow away the previous certificate bundle that was present in the replicated service, and cause other SSL certificates to become untrusted. If the app needs direct outbound access
to the internet, it may be necessary to modify the value of target in the docker service update command above.


#2

@dex how can I add a custom CA trust bundle to my airgapped Docker Swarm Application?


#3

Good point – updated