Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: add section about trusting self-signed certificates #15636

Merged
merged 6 commits into from
May 19, 2022
Merged

docs: add section about trusting self-signed certificates #15636

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1cac11f
docs: add section about trusting self-signed certificates
Shegox May 18, 2022
1e6fa9b
Apply suggestions from code review
Shegox May 19, 2022
a6c3a3e
Apply suggestions from code review
Shegox May 19, 2022
242658c
Update docs/usage/examples/self-hosting.md
Shegox May 19, 2022
ffb2844
Update docs/usage/examples/self-hosting.md
Shegox May 19, 2022
f3472ec
Update docs/usage/examples/self-hosting.md
Shegox May 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
28 changes: 28 additions & 0 deletions docs/usage/examples/self-hosting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -396,3 +396,31 @@ The logging level output is controlled by the Bunyan logging library.
| 40 | warn |
| 50 | error |
| 60 | fatal |

## Self-signed TLS/SSL certificates
rarkins marked this conversation as resolved.
Show resolved Hide resolved

Renovate and invoked helper programs (e.g. Git, npm) use a secure TLS connection (e.g. HTTPS) to connect to source code platforms and dependency hosts.
If the systems use self-signed certificates or certificate authorities Renovate needs to manually trust these additional certificates in order to work.
Shegox marked this conversation as resolved.
Show resolved Hide resolved

For the main Renovate NodeJS application set the environment variable [`NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/self-signed-certificate.crt`](https://nodejs.org/api/cli.html#node_extra_ca_certsfile). This archives that the main Renovate application trusts the `self-signed-certificate.crt` and can establish secure connections to systems using that certificate or certificates signed by this certificate authority.
Shegox marked this conversation as resolved.
Show resolved Hide resolved

The helper programs (e.g. Git, npm) use the system trust store. For them to trust the self-signed certificate add it to the systems trust store. On ubuntu/debian and many linux based systems, this can be archived with copying the self-signed certificate (e.g. `self-signed-certificate.crt`) to `/usr/local/share/ca-certificates/` and running [`update-ca-certificates`](https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html) to update the system trust store afterwards.
Shegox marked this conversation as resolved.
Show resolved Hide resolved

If you leverage the [Renovate Docker image](#docker), the best way is to build an own Docker image with the self-signed certificate on top of the standard Renovate Docker image. Following Dockerfile does that:
Shegox marked this conversation as resolved.
Show resolved Hide resolved

```dockerfile
FROM renovate/renovate

# Changes to the CA require root permissions
Shegox marked this conversation as resolved.
Show resolved Hide resolved
USER root

# Copy and install the self signed certificate
COPY self-signed-certificate.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# Change back to the ubuntu user
Shegox marked this conversation as resolved.
Show resolved Hide resolved
USER 1000

# Node comes with an own CA store and thus needs to trust the self signed certificate explicitly
Shegox marked this conversation as resolved.
Show resolved Hide resolved
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/self-signed-certificate.crt
```