Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: add section about trusting self-signed certificates #15636

Merged
merged 6 commits into from
May 19, 2022
Merged

docs: add section about trusting self-signed certificates #15636

Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1cac11f
docs: add section about trusting self-signed certificates
Shegox May 18, 2022
1e6fa9b
Apply suggestions from code review
Shegox May 19, 2022
a6c3a3e
Apply suggestions from code review
Shegox May 19, 2022
242658c
Update docs/usage/examples/self-hosting.md
Shegox May 19, 2022
ffb2844
Update docs/usage/examples/self-hosting.md
Shegox May 19, 2022
f3472ec
Update docs/usage/examples/self-hosting.md
Shegox May 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
32 changes: 32 additions & 0 deletions docs/usage/examples/self-hosting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -396,3 +396,35 @@ The logging level output is controlled by the Bunyan logging library.
| 40 | warn |
| 50 | error |
| 60 | fatal |

## Self-signed TLS/SSL certificates
rarkins marked this conversation as resolved.
Show resolved Hide resolved

Renovate and invoked helper programs (e.g. Git, npm) use a secure TLS connection (e.g. HTTPS) to connect to source code platforms and dependency hosts.
If the systems use any self-signed certificates or certificate authorities then Renovate needs to be configured to trust these additional certificates.
Shegox marked this conversation as resolved.
Show resolved Hide resolved
Shegox marked this conversation as resolved.
Show resolved Hide resolved

For the main Renovate Node.js application set the environment variable [`NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/self-signed-certificate.crt`](https://nodejs.org/api/cli.html#node_extra_ca_certsfile).
This ensures that the Renovate application itself trusts the `self-signed-certificate.crt` and can establish secure connections to systems using that certificate or certificates signed by this certificate authority.

The helper programs (e.g. Git, npm) use the system trust store.
For them to trust a self-signed certificate you must add it to the systems trust store.
On Ubuntu/Debian and many Linux-based systems, this can be achieved by copying the self-signed certificate (e.g. `self-signed-certificate.crt`) to `/usr/local/share/ca-certificates/` and running [`update-ca-certificates`](https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html) to update the system trust store afterwards.
Shegox marked this conversation as resolved.
Show resolved Hide resolved

If you are using the official [Renovate Docker image](#docker) then the best way is to build your own Docker image with the self-signed certificate added to the standard Renovate Docker image.
Shegox marked this conversation as resolved.
Show resolved Hide resolved
The following `Dockerfile` does that:
Shegox marked this conversation as resolved.
Show resolved Hide resolved

```dockerfile
FROM renovate/renovate

# Changes to the CA require root permissions
Shegox marked this conversation as resolved.
Show resolved Hide resolved
USER root

# Copy and install the self signed certificate
COPY self-signed-certificate.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# Change back to the ubuntu user
Shegox marked this conversation as resolved.
Show resolved Hide resolved
USER 1000

# Node comes with an own CA store and thus needs to trust the self signed certificate explicitly
Shegox marked this conversation as resolved.
Show resolved Hide resolved
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/self-signed-certificate.crt
```