anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Unable to add user CA certificate #20

Status: Closed (acathrow closed this issue 5 years ago)

acathrow commented 6 years ago

Use case: User has a MiTM proxy doing SSL stripping & resigning for their own security and inspection.

We need to support the ability for the user to pass PEM files and automate the running of update-ca-trust.

zhill commented 6 years ago

This should be done in the container build or deployment environment, not the service itself. Certificate management is outside the scope of the service itself, and is also very deployment environment specific.

Will this work to just build a custom container?

FROM anchore/anchore-engine:latest
COPY ./my_cert.pem /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust

Because it requires executing a command that changes image state, it should be done in a build, or else it will have to be executed on each container startup, which is a bit sketchy given these are CA certs. I think we need to document it, but I don't think this is something we should build into the system or automate on container startup necessarily.

zhill commented 6 years ago

Another option is to support configuration of a specific CA cert/bundle for use by the service. That would still require the user to place the bundle in the container, but it would obviate running 'update-ca-trust', so certs could be inserted at runtime instead of built into the image.

Perhaps something in config.yaml like: ca-bundle: "/config/server-ca-bundle"

There is also an env-var: REQUESTS_CA_BUNDLE that may be picked up automatically for outbound requests, but I haven't tested that yet. That may work as a workaround, albeit implementation specific.

Thoughts @acathrow and @nurmi ?

moshevayner commented 6 years ago

Hey @zhill I've actually been in touch with @acathrow on this matter, as we are running anchore behind a proxy server which is using a self-signed CA. In my case, the solution is to add the pem file of our internal CA to certifi's cacert.pem. Any other attempt with update-ca-trust didn't work because it seems like the certifi python lib is using its own cert trust store, just like java, hence it doesn't use the OS trust store. Here's the Dockerfile I'm using every time I need to push a new image to our internal registry:

FROM anchore/anchore-engine
COPY our_ca.pem /tmp/
RUN /usr/bin/cat /tmp/our_ca.pem >> /usr/lib/python2.7/site-packages/certifi/cacert.pem

Using the above Dockerfile, I build & tag the new image containing our CA cert and then I'm able to run anchore properly. Figured it might be worth posting here so that you can also create an article in your documentation for similar use-cases.

Cheers! 😄

zhill commented 6 years ago

@MoShitrit awesome! Thanks. As long as the operation is to append a file and we don't need to run update-ca-trust, then there are options for using things like initializer containers in Kubernetes clusters to do this and thus not require a new container necessarily. Alternatively, if you don't want to do a custom image build you could create the cacert.pem and mount it read-only as a volume into the containers. Thanks for the update, and we'll make sure to get a section in the docs to cover these issues and remediation options.
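Whether the CA is appended at image build time (the `cat >>` Dockerfile above) or by an init container at startup, a blind append is not idempotent and gives no way to confirm the CA actually landed in the bundle that `requests`/certifi reads. The script below is an added example, not anchore-engine's or certifi's own code: it resolves the effective bundle the same way the thread describes (REQUESTS_CA_BUNDLE, then certifi's bundle, then an assumed OS default path), appends only certificates whose SHA-256 fingerprint is not already present, and reports what was added. The sample certificates in `demo()` are constructed placeholder blobs, not real DER.

```python
import base64, hashlib, os, re, tempfile

# Matches every PEM certificate block; the group is the base64 body.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """Set of SHA-256 fingerprints (hex) of every certificate in a PEM text."""
    fps = set()
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def resolve_bundle(default="/etc/pki/tls/certs/ca-bundle.crt"):
    """Bundle that outbound requests will trust: env var wins, then certifi's
    own cacert.pem, then an assumed OS bundle path (default is an assumption)."""
    env = os.environ.get("REQUESTS_CA_BUNDLE")
    if env:
        return env
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return default

def append_ca_if_missing(bundle_path, ca_pem_path):
    """Append each cert from ca_pem_path to bundle_path unless its fingerprint
    is already there. Returns the number of certificates actually added."""
    with open(ca_pem_path) as f:
        new_blocks = PEM_RE.findall(f.read())
    if not new_blocks:
        raise ValueError("no CERTIFICATE block in %s" % ca_pem_path)
    with open(bundle_path) as f:
        have = cert_fingerprints(f.read())
    added = 0
    with open(bundle_path, "a") as f:
        for b64 in new_blocks:
            fp = hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()
            if fp in have:
                continue  # idempotent: a re-run of the init step adds nothing
            f.write("\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64)
            have.add(fp)
            added += 1
    return added

def _pem(der):  # constructed placeholder "certificate" for the demo only
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def demo():
    """Bundle already holds CA one; our_ca.pem carries CA one and CA two (constructed)."""
    d = tempfile.mkdtemp()
    bundle, ca = os.path.join(d, "cacert.pem"), os.path.join(d, "our_ca.pem")
    open(bundle, "w").write(_pem(b"constructed CA one"))
    open(ca, "w").write(_pem(b"constructed CA one") + _pem(b"constructed CA two"))
    first, second = append_ca_if_missing(bundle, ca), append_ca_if_missing(bundle, ca)
    return first, second, len(cert_fingerprints(open(bundle).read()))  # (1, 0, 2)
```

Point `append_ca_if_missing` at `resolve_bundle()` inside the container to patch the bundle the service will really use; the page's certifi path (`/usr/lib/python2.7/site-packages/certifi/cacert.pem`) is what `certifi.where()` returns there.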

nurmi commented 5 years ago

There is a documentation resource in place that describes a process for adding custom CA certificates into anchore-engine. We'll close out this ticket!

https://anchore.freshdesk.com/support/solutions/articles/36000053744-adding-custom-certificate-authority-

PriceChild commented 3 years ago

@nurmi That documentation resource seems to have disappeared. Do you know if it has moved?

PriceChild commented 3 years ago

Aha, just seen https://docs.anchore.com/current/docs/installation/configuration/custom_certs/