Custom CA - netbox-community/netbox-docker GitHub Wiki
When using TLS with a custom CA, there are a few variables that need to be set up.
Make sure that the Docker host has the self-signed trusted CA certificate in the OS cert bundle (e.g. on Ubuntu / Debian `/etc/ssl/certs/ca-certificates.crt` or on RHEL `/etc/ssl/certs/ca-bundle.crt`).
For GIT datasources
For HTTPS repos, the Python `requests` package is used, which does not use the `SSL_CERT_FILE` environment variable. By default, `requests` is shipped with a dedicated (OS independent) trusted CA bundle. It relies on `certifi` as its CA bundle source.
To override this, set the environment variable `REQUESTS_CA_BUNDLE`.
Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows:
```yaml
---
services:
  netbox:
    environment:
      REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
    volumes:
      # Host bundle mounted read-only over the container's bundle
      - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
  netbox-worker:
    environment:
      REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
    volumes:
      - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
```
This overrides the trusted CA certificates within the containers with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
For LDAPS
NetBox LDAP uses django-ldap-auth, which in turn uses the python-ldap package.
This package currently does not support cert bundles with EV data, which are often delivered by modern OSes (e.g. on RHEL `/etc/ssl/certs/ca-bundle.trust.crt`).
Make sure to use the cert bundle without the EV data (e.g. on RHEL `/etc/ssl/certs/ca-bundle.crt`).
Adjust the `/path/to/os/cert/file` and update the `docker-compose.override.yml` as follows:
```yaml
---
services:
  netbox:
    environment:
      # Quoted so Compose passes a string rather than a YAML boolean
      LDAP_IGNORE_CERT_ERRORS: "False"
      LDAP_CA_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    volumes:
      - /path/to/os/cert/file:/etc/ssl/certs/ca-certificates.crt:ro
```
This overrides the trusted CA certificates within the containers with the trusted CA certificates of your Linux Docker host (which includes your private CA certificates as well).
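
A pre-flight check for the bundle file mounted in the GIT datasources and LDAPS sections above, as an added example that is not part of this wiki or the netbox-docker project: it reports which CA source `requests` would pick for a given environment and whether a bundle contains only plain certificate blocks. It assumes the bundle with EV/trust data shows up as OpenSSL `TRUSTED CERTIFICATE` PEM blocks; the function names and sample bundles are constructed for illustration.

```python
import os
import re
import sys

# PEM armor: "-----BEGIN <label>-----" ... "-----END <label>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed samples: the bodies are placeholders, not real certificates.
PLAIN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
)
TRUST_BUNDLE = PLAIN_BUNDLE + (
    "-----BEGIN TRUSTED CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
    "-----END TRUSTED CERTIFICATE-----\n"
)


def requests_ca_source(env):
    """Return the CA bundle requests would verify against for this environment.

    requests consults REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE; SSL_CERT_FILE
    is never read. With neither set it falls back to the certifi bundle.
    """
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or "certifi"


def audit_bundle(pem_text):
    """Count PEM block types in a bundle and flag what LDAPS cannot use."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    plain = labels.count("CERTIFICATE")
    trusted = labels.count("TRUSTED CERTIFICATE")
    other = sorted(set(labels) - {"CERTIFICATE", "TRUSTED CERTIFICATE"})
    # A BEGIN line without a matching END means a truncated or corrupt file.
    truncated = pem_text.count("-----BEGIN ") != len(labels)
    return {
        "plain": plain, "trusted": trusted, "other": other, "truncated": truncated,
        "ok_for_ldap": plain > 0 and trusted == 0 and not other and not truncated,
    }


if __name__ == "__main__":
    # Usage: python check_bundle.py /path/to/os/cert/file
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print("bundle audit:", audit_bundle(fh.read()))
    print("requests will use:", requests_ca_source(os.environ))
```

Run it on the Docker host against the file you intend to mount, and again inside the `netbox` container to confirm that the environment variable and the mount took effect.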