Templates - Download from HTTPS server with private PKI

[zeenlym]

Description

I have a deploy a template server behind an HaProxy with SSL terminaison. I have my own PKI and put Ca certificates in /etc/ssl/certs/ca-certificates.crt but portainer do not want to download templates from my server with this message : x509: certificate signed by unknown authority (code=500)

Steps to reproduce the issue:

1. Mount portainer/templates behind haproxy or nginx with ssl
2. Add url to custom template settings
3. Go to App Templates

It would by good to download templates from HTTPS server with custom PKI. It seems getting stack file from a git server with HTTPS is broken too.

Technical details:

• Portainer version: 1.15.3
• Target Docker version (the host/cluster you manage): 17.06
• Platform (windows/linux): Centos7
• Command used to start Portainer (docker run -p 9000:9000 portainer/portainer): only port binding and admin password
• Target Swarm version (if applicable):
• Browser: Firefox 52

[SalikovAlex]

The same problem with my own git repo to pull yml to deploy stack.

[deminngi]

Got same behavior using traefik as my reverse proxy docker node
I guess custom templates with self-CA certificates over a reverse proxy does not work properly.

From docker log I got:
Get https://<hostname>.<domain>/webp0/templ/portainer/templates.json: x509: certificate signed by unknown authority (code=500)

From UI I got:
Failure Get https://<hostname>.<domain>/webp0/templ/portainer/templates.json: x509: certificate signed by unknown authority

If I enter the URL directly "https://hostname.domain/webp0/templ/portainer/templates.json", I can see the JSON template.

Technical details:

Portainer version: 1.15.5
Target Docker version (the host/cluster you manage): 17.09.1-ce
Platform (windows/linux): Ubuntu Core 16-2.30 (rev3750)
Command used to start Portainer (docker run -p 9000:9000 portainer/portainer): 
  sudo docker run -d \
     -p "$IP"$(checkPort $PORT_MGMT_OUT):$PORT_MGMT_IN \
     --net $WEAVE_NET \
     $($HOME/bin/weave dns-args) \
     --dns-search $WEAVE_LOC \
     --hostname "$(checkName).$WEAVE_DOM" \
     --name "$(checkName)" \
     --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
     --mount type=bind,source=$RUN/$NAME$INST/certs,target=/certs \
     --mount type=bind,source=$RUN/$NAME$INST/data,target=/data \
     --mount type=bind,source=$RUN/$NAME$INST/endpoints,target=/endpoints \
     --label "traefik.enable=true" \
     --label "traefik.portainer.frontend.rule=PathPrefixStrip:/port$INST/" \
     --label "traefik.portainer=$PORT_MGMT_OUT" \
     --label "traefik.portainer.docker.network=$WEAVE_NET" \
     portainer/portainer:linux-$PORT_ARCH-$PORT_VER
Target Swarm version (if applicable): N.A.
Browser: Firefox 52

[Jitsusama]

I'm experiencing the same when trying to pull a docker-compose.yml file from a private Git repository. It would be nice to have UI to put in trusted certificates, or, at least, some documentation on how we can insert a trusted certificate into the portainer's host such that we can get around this error.

[adam-moss]

This works for custom certs for me:

docker volume create portainer-data
docker run --detach --name portainer --publish 9000:9000 --volume /var/run/docker.sock:/var/run/docker.sock --volume portainer-data:/data portainer/portainer
docker stop portainer
docker cp /path/to/my-ca-certs.pem /etc/ssl/certs/ca-certificates.crt
docker start portainer

Note I had to restart the portainer service for the certs to be recognised.

[cyberlink1]

This works for custom certs for me:

docker volume create portainer-data
docker run --detach --name portainer --publish 9000:9000 --volume /var/run/docker.sock:/var/run/docker.sock --volume portainer-data:/data portainer/portainer
docker stop portainer
docker cp /path/to/my-ca-certs.pem /etc/ssl/certs/ca-certificates.crt
docker start portainer

Note I had to restart the portainer service for the certs to be recognised.

That does not seem to work in a swarm. Restarting it moves the container to another node. Tried making the changes in each of the nodes containers but they get over written on reboot.

I even tried mounting a volume on /etc/ssl/certs/ and that does not seem to work.

Is there a workaround for this?