[With illustrations] SSL communication using a self-signed ("oreore") certificate authority for development (+ Docker container support): 2021

Introduction

Do you use self-signed ("oreore") certificates? They are convenient because you can use SSL communication for free.

It was convenient for me, but when I started two Docker containers in the development VM and tried HTTPS communication between the containers, I was hit with a "certificate signed by a suspicious certification authority" error, so I will describe how I dealt with it.

error.log


# Error: certificate signed by a suspicious certification authority
x509: certificate signed by unknown authority

Issuing a certificate that is not suspicious

The procedure is as follows.

- Create an "Oreore Certification Authority"
- Register the created "Oreore Certification Authority" in the development VM as a "Trusted Certification Authority"
- Issue an "Oreore Certificate" signed by the "Oreore Certification Authority"

It looks a little tedious, but it's very easy with mkcert.

mkcert installation

install.sh


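# Download the latest version from https://github.com/FiloSottile/mkcert/releases and add execute permission
# For Ubuntu (linux-amd64 build; the darwin-amd64 build is for macOS)
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64
mv mkcert-v1.4.3-linux-amd64 mkcert
chmod +x mkcert
# Put it on PATH so the "mkcert ..." commands below work as written
sudo mv mkcert /usr/local/bin/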

Create Oreore Certification Authority + Register as "Trusted Certification Authority"

mkcert -install

Issue an "Oreore Certificate" signed by the "Oreore Certification Authority"

mkcert -key-file key.pem -cert-file cert.pem {domain}

Mount self-signed certificate when container starts

If HTTPS communication is performed between Docker containers in this state, the Oreore Certification Authority will not be recognized as a "trusted certification authority" inside the containers, and a "certificate signed by a suspicious certification authority" error will occur. Each container uses the trust store shipped in its own image, not the one in the VM.

To avoid this, mount the VM's "trusted certificate authority" bundle in the container.

This step is not necessary in the production environment, because production uses an SSL certificate signed by a proper SSL certificate issuer. Put the setting in docker-compose.override.yaml instead of the usual docker-compose.yaml, and don't copy docker-compose.override.yaml to your production environment.

{docker-compose folder}/
 │ docker-compose.yaml
 └ docker-compose.override.yaml # add this file

docker-compose.override.yaml


services:
  {service name}:
    # Add mount setting: use the VM's CA bundle as the container's CA bundle
    volumes:
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

docker-run.sh


docker run .... -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
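
To confirm the mount fixed the trust problem, it helps to check whether the mkcert root CA is actually in the bundle a container sees. The script below is an added example, not part of the original article: the function names and the sample files are made up for illustration, and it only checks that the CA's PEM block is present in the bundle (it does not validate a certificate chain).

```shell
#!/bin/sh
# Added example, not from the original article.
# Checks whether a CA certificate (e.g. "$(mkcert -CAROOT)/rootCA.pem") is
# present in a PEM trust bundle such as /etc/ssl/certs/ca-certificates.crt.

# pem_bodies FILE: print every certificate in FILE as a single base64 line,
# so differences in line wrapping or CRLF endings do not matter.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle CA_PEM BUNDLE
# returns 0 = CA is in the bundle, 1 = missing, 2 = unreadable or empty input
ca_in_bundle() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$2" | grep -qxF -e "$want"
}

# write_samples DIR: constructed sample files. The bodies are placeholders,
# not real certificates; only the PEM framing matters for this check.
write_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'RkFLRS1NS0NF' \
        'UlQtUk9PVC1DQQ==' '-----END CERTIFICATE-----' > "$1/rootCA.pem"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'RkFLRS1QVUJMSUMtQ0E=' \
        '-----END CERTIFICATE-----' > "$1/image-bundle.crt"   # image default
    { cat "$1/image-bundle.crt"; cat "$1/rootCA.pem"; } > "$1/host-bundle.crt"
}

# Command-line use: sh check-ca.sh CA_PEM BUNDLE
if [ "$#" -eq 2 ]; then
    rc=0; ca_in_bundle "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: CA is in $2" ;;
        1) echo "MISSING: CA is not in $2 (expect x509 unknown authority)" ;;
        *) echo "ERROR: cannot read $1 or $2" ;;
    esac
fi
```

Run it once against the VM's bundle and once against the bundle file as seen from inside a container; a MISSING result for the container explains the x509 error shown at the top of this article.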

In conclusion

Things that used to be very troublesome can now be done easily. As projects become slimmer, the boundary between front-end engineers and infrastructure engineers is becoming blurry, so I would like to make it as easy as possible to perform various tasks so that more requirements can be met.
