Feature Request: Add Configuration Support for Custom CA Certificates in Container Builds

[Harel-Dev]

Use Case / Motivation:
Protocol schemes based deployment could fail if operated from within a network where network inspection of TLS is happening.
This happens at the build process where downloaded web content being proxied and the TLS certificate verification fails due to untrusted certificate.
This feature would improve the usability of this tool within common corporate network environments.

Current Limitation:
Currently, the tool lacks a mechanism to inject or configure custom CA certificates to its trust store.

Example Scenario:
thv run npx://@modelcontextprotocol/server-sequential-thinking 1:28PM INF Processed cmdArgs: [] 1:28PM INF Building Docker image for npx package: @modelcontextprotocol/server-sequential-thinking 1:28PM INF Building image toolhivelocal/npx--modelcontextprotocol-server-sequential-thinking:20250504132808 from context directory /var/folders/ly/x518gxkn27d54qvwyzjd9pjc0000gn/T/toolhive-docker-build-3226472955 Step 1/7 : FROM node:22-alpine ---> 18e4fe4d4cd5 Step 2/7 : RUN apk add --no-cache git ---> Running in 3ad390fb3e76 fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/main/aarch64/APKINDEX.tar.gz fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/community/aarch64/APKINDEX.tar.gz 206D409DFFFF0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2103: WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.21/main: Permission denied 206D409DFFFF0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2103: WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.21/community: Permission denied ERROR: unable to select packages: git (no such package): required by: world[git] Error: failed to process protocol scheme: failed to build Docker image: build error: The command '/bin/sh -c apk add --no-cache git' returned a non-zero code: 1: failed to process build output: build error: The command '/bin/sh -c apk add --no-cache git' returned a non-zero code: 1

Requested Feature:
Please add a configuration mechanism to allow users to specify custom CA certificates that should be trusted by the container building container images for protocol scheme execution.

[JAORMX]

Thanks for raising this! We'll look into it

[JAORMX]

By the way @Harel-Dev ,we have packaged sequentialthinking in the registry, do thv run sequentialthinking and it will run.

But, I still think this is a good feature request, which we'll implement.

[JAORMX]

thv registry list and thv search can help you find prepackaged MCPs that are easy to run.

[Harel-Dev]

Thank you @JAORMX!
I'm aware it is part of your registry (thank you for that), I just wanted to illustrate the issue I face with a simple example :)

[JAORMX]

Thanks! It is helpful. We'll get right to working on this!

[Harel-Dev]

@JAORMX thank you so much for the quick implementation!
However, I encounter the same issue which I believe is due to the fact that the apk add command is also being intercepted by the proxy, hence the ca certificate registration process cannot be completed.
I think that by appending the certificate directly to the /etc/ssl/certs/ca-certificates.crt file would allow the flow to continue uninterrupted.
For example by adding the following at the beginning: RUN cat ca-cert.crt >> /etc/ssl/certs/ca-certificates.crt

Also, if I may, I think it would be more beneficial to expose this functionality under the 'configure' command so such a certificate could be registered for all future runs without having the user including it all the time. 🙏

Log:
`❯ thv run --ca-cert corp-root-ca.crt --debug npx://@modelcontextprotocol/server-sequential-thinking
11:40PM INF Processed cmdArgs: []
11:40PM DBG Failed to check Podman socket at /var/run/podman/podman.sock: stat /var/run/podman/podman.sock: no such file or directory
11:40PM DBG Found Podman socket at /Users/username/.local/share/containers/podman/machine/podman.sock
11:40PM DBG Failed to create client for podman: container runtime not found: failed to ping podman: Cannot connect to the Docker daemon at unix:///Users/username/.local/share/containers/podman/machine/podman.sock. Is the docker daemon running?
11:40PM DBG Found Docker socket at /var/run/docker.sock
11:40PM DBG Successfully connected to docker runtime
11:40PM INF Using custom CA certificate from: corp-root-ca.crt
11:40PM INF Added CA certificate to build context: /var/folders/ly/x518gxkn27d54qvwyzjd9pjc0000gn/T/toolhive-docker-build-480752154/ca-cert.crt
11:40PM INF Building Docker image for npx package: @modelcontextprotocol/server-sequential-thinking
11:40PM INF Using Dockerfile:
FROM node:22-alpine

Install git for package installation support

RUN apk add --no-cache git ca-certificates

Set working directory

WORKDIR /app

Create a non-root user to run the application and set proper permissions

RUN addgroup -S appgroup &&
adduser -S appuser -G appgroup &&
mkdir -p /app &&
chown -R appuser:appgroup /app

Configure npm for faster installations in containerized environments

ENV NODE_ENV=production
NPM_CONFIG_LOGLEVEL=error
NPM_CONFIG_FUND=false
NPM_CONFIG_AUDIT=false
NPM_CONFIG_UPDATE_NOTIFIER=false
NPM_CONFIG_PROGRESS=false

Add custom CA certificate

RUN mkdir -p /usr/local/share/ca-certificates
COPY ca-cert.crt /usr/local/share/ca-certificates/
RUN chmod 644 /usr/local/share/ca-certificates/ca-cert.crt &&
update-ca-certificates

Run the MCP server using npx

The entrypoint will be constructed dynamically based on the package and arguments

Using the form: npx -- [@] [args...]

The -- separates npx options from the package name and arguments

Switch to non-root user

USER appuser

ENTRYPOINT ["npx", "--yes", "--", "@modelcontextprotocol/server-sequential-thinking"]
11:40PM INF Building Docker image for npx package: @modelcontextprotocol/server-sequential-thinking
11:40PM INF Building image toolhivelocal/npx--modelcontextprotocol-server-sequential-thinking:20250506234015 from context directory /var/folders/ly/x518gxkn27d54qvwyzjd9pjc0000gn/T/toolhive-docker-build-480752154
Step 1/10 : FROM node:22-alpine
---> 18e4fe4d4cd5
Step 2/10 : RUN apk add --no-cache git ca-certificates
---> Running in c79ed47f80ab
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/main/aarch64/APKINDEX.tar.gz
208DF6B2FFFF0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2103:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/community/aarch64/APKINDEX.tar.gz
WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.21/main: Permission denied
208DF6B2FFFF0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2103:
WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.21/community: Permission denied
ERROR: unable to select packages:
ca-certificates (no such package):
required by: world[ca-certificates]
git (no such package):
required by: world[git]
Error: failed to process protocol scheme: failed to build Docker image: build error: The command '/bin/sh -c apk add --no-cache git ca-certificates' returned a non-zero code: 2: failed to process build output: build error: The command '/bin/sh -c apk add --no-cache git ca-certificates' returned a non-zero code: 2
Usage:
thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...]

Flags:
--authz-config string Path to the authorization configuration file
--ca-cert string Path to a custom CA certificate file to use for container builds
-e, --env stringArray Environment variables to pass to the MCP server (format: KEY=VALUE)
-f, --foreground Run in foreground mode (block until container exits)
-h, --help help for run
--k8s-pod-patch string JSON string to patch the Kubernetes pod template (only applicable when using Kubernetes runtime)
--name string Name of the MCP server (auto-generated from image if not provided)
--oidc-audience string Expected audience for the token
--oidc-client-id string OIDC client ID
--oidc-issuer string OIDC issuer URL (e.g., https://accounts.google.com)
--oidc-jwks-url string URL to fetch the JWKS from
--permission-profile string Permission profile to use (none, network, or path to JSON file) (default "network")
--port int Port for the HTTP proxy to listen on (host port)
--secret stringArray Specify a secret to be fetched from the secrets manager and set as an environment variable (format: NAME,target=TARGET)
--target-host string Host to forward traffic to (only applicable to SSE transport) (default "localhost")
--target-port int Port for the container to expose (only applicable to SSE transport)
--transport string Transport mode (sse or stdio) (default "stdio")
-v, --volume stringArray Mount a volume into the container (format: host-path:container-path[:ro])

Global Flags:
--debug Enable debug mode

there was an error: failed to process protocol scheme: failed to build Docker image: build error: The command '/bin/sh -c apk add --no-cache git ca-certificates' returned a non-zero code: 2: failed to process build output: build error: The command '/bin/sh -c apk add --no-cache git ca-certificates' returned a non-zero code: 2`

[JAORMX]

I reopened the issue and will take your feedback into account. Thanks for taking the time to describe potential solutions!