{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 对你真心纯属浪费 的问题《docker container ssl certificates》','https://www.manongdao.com/q-105754.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Is there any elegant way to add ssl certificates to images that have come from docker pull?.
I'm looking for a simple and reproducible way of adding a file into /etc/ssl/certs and run update-ca-certificates. (This should cover ubuntu and debian images).
I'm using docker on CoreOS, and the coreos machine trusts the needed ssl certificates, but the docker containers obviously only have the default.
I've tried using docker run --entrypoint=/bin/bash to then add the cert and run update-ca-certificates, but this seems to permanently override the entry point.
I'm also wondering now, would it be more elegant to just mount /etc/ssl/certs on the container from the host machines copy? Doing this would implicitly allow the containers to trust the same things as the host.
I'm at work with an annoying proxy that resigns everything :(. Which breaks SSL and makes containers kind-of strange to work with.
Mount the certs onto the Docker container using
-v:I am trying to do something similar to this. As commented above, I think you would want to build a new image with a custom Dockerfile (using the image you pulled as a base image),
ADDyour certificate, thenRUN update-ca-certificates. This way you will have a consistent state each time you start a container from this new image.Let's say a
docker buildagainst that Dockerfile produced IMAGE_ID. On the nextdocker run -d [any other options] IMAGE_ID, the container started by that command will have your certificate info. Simple and reproducible.As was suggested in a comment above, if the certificate store on the host is compatible with the guest, you can just mount it directly.
On a Debian host (and container), I've successfully done: