Recommended way of adding CA Certificates?

Hi,

Our CoreOS boxes are behind a proxy that requires a custom CA certificate to be installed. What is the best way to do that? It doesn’t appear that update-ca-trust works, so it doesn’t look like I can drop anything in /etc/ssl/certs via Ignition.

I’m guessing it may be possible to copy off the ca-bundle.ctrust.crt file, modify it externally and completely replace it via Ignition, but that sounds pretty extreme.

Any other thoughts?

Thanks!

Never mind, I just found the coreos-update-ca-trust.service. I will look into that instead.

@seoras - were you able to drop files in and get it to work? We probably need a documentation example for this that explains the moving pieces. Would you be willing to write some?

I haven’t had a chance to dig into it yet. I did get an Ignition error when trying it out, but it was a bare-metal server that I couldn’t get the console logs from, so I don’t know what the error was. I will have another attempt on something I can control more and update this comment with the results.

This is what I tried for reference:

    # Entry under storage.files in a Butane/FCC config (the original post
    # showed only the file entry; the enclosing keys are added for context)
    storage:
      files:
        - path: /etc/pki/ca-trust/source/anchors/myca.pem
          mode: 0644
          contents:
            source: https://xxxxx/myca.pem

It worked for me. I dropped a CA cert in /etc/pki/ca-trust/source/anchors with ignition and coreos-update-ca-trust.service automatically ran and added it to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem at boot. That’s awesome!

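To confirm the result described above on a booted node (the anchor really ended up in the extracted bundle), here is an added check that is not from this thread or the Fedora CoreOS project: it fingerprints every CERTIFICATE block in the anchor file and in tls-ca-bundle.pem and reports any anchor that is missing. The file paths are the ones from this thread; the embedded sample blocks are constructed placeholders, not real certificates.

```python
"""Verify that a CA dropped in /etc/pki/ca-trust/source/anchors/ was merged
into the bundle that coreos-update-ca-trust.service extracts at boot."""
import base64
import hashlib
import re
import sys

ANCHOR_PATH = "/etc/pki/ca-trust/source/anchors/myca.pem"
BUNDLE_PATH = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text: str) -> set:
    """SHA-256 fingerprints (hex) of every CERTIFICATE block in text.
    Hashing the decoded DER makes the comparison immune to the different
    line wrapping an extractor may apply when it rewrites the bundle."""
    fps = set()
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_anchors(anchor_text: str, bundle_text: str) -> set:
    """Fingerprints present in the anchor file but absent from the bundle."""
    return pem_fingerprints(anchor_text) - pem_fingerprints(bundle_text)


def _constructed_pem(payload: bytes, width: int = 64) -> str:
    """Wrap arbitrary bytes in a CERTIFICATE block. Test data only: these are
    placeholder blobs, not real X.509 certificates."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + \
        "\n-----END CERTIFICATE-----\n"


# Constructed sample: the bundle carries another root plus our anchor,
# re-wrapped at 32 columns the way a rewritten bundle might be.
SAMPLE_ANCHOR = _constructed_pem(b"constructed proxy CA, not a real cert")
SAMPLE_BUNDLE = _constructed_pem(b"constructed public root") + \
    _constructed_pem(b"constructed proxy CA, not a real cert", width=32)

if __name__ == "__main__":
    with open(ANCHOR_PATH) as fa, open(BUNDLE_PATH) as fb:
        gone = missing_anchors(fa.read(), fb.read())
    print("all anchors present" if not gone else f"missing: {sorted(gone)}")
    sys.exit(1 if gone else 0)
```

Run it as root after boot; a non-zero exit means the service did not pick up the anchor and the journal for coreos-update-ca-trust.service is the place to look next.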