Many customers would like to replace our server certs with their own certificates issued with the correct common name and using their company cert authority.


There are two ways of achieving this.


The Simple Solution

The simplest way to change the certs is to overwrite the default certs with your own certs.


The paths for the files that you need to overwrite are:

For iTDS:

As defined in /etc/apache2/default-ssl.conf

  • /etc/ssl/private/paterva.crt
  • /etc/ssl/private/paterva.key


For CTAS:


As defined in /etc/nginx/conf.d/dispatcher.conf


  • /etc/nginx/server.crt
  • /etc/nginx/server.key


You should be able to overwrite the above files in the Docker containers in order to change the certs used.


The problem with changing the files inside the Docker container, is that you will need to do this every time the Docker image changes (we release an update). The changes are lost everytime a new container is created.


Long Term Solution

Ideally we would like to make use of the Docker workflow to change the certs but achieve an additional two objectives:

  • Document what changes we are making to the Docker server
  • Have the changes persisted between updates


Building a custom Docker image that is based off of our original image, will allow us to achieve this.


The following example will demonstrate the changes required for the iTDS server. 


The example will assume that you are in directory containing the following files:

  • Dockerfile: new Dockerfile created
  • itds-custom.yml: additional docker-compose file to customize docker setup
  • internal_cert.crt: crt file for the new certificate
  • internal_cert.key: key file for the new certificate


First we need to build a new Docker image that A) Is based off of our image B) Adds in the custom certs.


We can do this by creating the following Dockerfile:


FROM registry.paterva.com/itdsphp:latest
COPY ./internal_cert.crt /etc/ssl/private/paterva.cert
COPY ./internal_cert.key /etc/ssl/private/paterva.key


This will create a new Docker image that is based off our server image, but has new certs copied from a local directory.


Next we need to change our docker-compose file to reference the local Dockerfile, rather than using our images directly. We will make changes to our compose file, whilst following the guidelines outlined here.


We can create a new docker-compose file with the filename "itds-custom.yml". The file should have the following contents:


version: '3'
services:
  itdsphp:
    build: .


The above contents tells Docker to build an image using the Dockerfile from the local directory, rather than running our image directly.


We can then run the server using our new certs with the command:


docker-compose -f itds.yml -f itds-custom.yml up


This should startup a server using the custom certs for https connections.