This project provides a set of Dockerfiles designed to override the /etc/ssl directory of other Docker images. Its main purpose is to inject custom CA certificates into other images without rebuilding them: a short-lived init container produces a complete /etc/ssl tree, and the target container bind-mounts that tree over its own.
Here are a few docker compose examples on the Wiki:
- Home Assistant
- Miniflux
- Uptime Kuma
The Home Assistant example:

```yaml
services:
  ha-certs-init:
    build:
      context: https://github.com/miklosbagi/ca-init-container.git#main
      # pick the Dockerfile matching the distro of your main image
      # (e.g. miniflux runs on alpine, so it uses Dockerfile.cert-inject-alpine)
      dockerfile: Dockerfile.cert-inject-alpine
    volumes:
      # directory holding your *_ca.crt files (root_ca.crt, intermediate_ca.crt, ...)
      - ../_common/certs:/certs:ro
      # output directory: ca-init-container writes the generated /etc/ssl tree here,
      # and the target container mounts it over its own /etc/ssl as-is
      - ./config/ssl:/output-certs
  homeassistant:
    image: homeassistant/home-assistant:latest
    environment:
      # override for python's `requests` library, which bundles its own CA store
      # and does not read the system one unless told to
      REQUESTS_CA_BUNDLE: '/etc/ssl/certs/ca-certificates.crt'
    volumes:
      # linux certificates override (read-only, so the app cannot alter its trust store)
      - './config/ssl:/etc/ssl:ro'
    depends_on:
      ha-certs-init:
        condition: service_completed_successfully
```
The easiest way is to look into the target container's ssl directory and check that a generated-by-cainit marker file exists there. The glob has to be expanded inside the container, not by your host shell, so wrap it in `sh -c`:

```shell
❯ docker exec -it miniflux-miniflux-1 sh -c 'ls -la /etc/ssl/generated-by-cainit*'
-rw-r--r--    1 root     root             0 Nov 27 16:28 /etc/ssl/generated-by-cainit-20241127-162837
```

If that file is present, the bind mount is in place and the target container is using the /etc/ssl tree generated by the init container. Note that the marker only proves the mount; to confirm that a specific CA is actually in the bundle the application reads, compare its fingerprint against /etc/ssl/certs/ca-certificates.crt inside the container.
- If the marker is missing, check the logs of the init container (`docker compose logs <init service name>`). They describe what it did and which certificates it picked up.
Ideally, use the Dockerfile built on the same base distro as the image that is going to be "enhanced", so that the generated /etc/ssl tree has the layout that distro's OpenSSL expects. For example, miniflux is based on alpine, so the correct Dockerfile to use is Dockerfile.cert-inject-alpine.
| Distro | Dockerfile |
|---|---|
| Ubuntu | Dockerfile.cert-inject-debian |
| Debian | Dockerfile.cert-inject-debian |
| Alpine | Dockerfile.cert-inject-alpine |
- If your base image ships a modified ca-certificates.crt (or anything else under /etc/ssl, such as a custom openssl.cnf or private keys), ca-init-container will hide it: the bind mount replaces the whole /etc/ssl directory with the init container's output, so the image's own bundle is no longer visible to the application.
- The certs folder should contain the CA certificates in PEM format with a .crt extension, named after the CA they represent (e.g. root_ca.crt, intermediate_ca.crt). The extension matters: Debian's update-ca-certificates only picks up files ending in .crt, so a .pem file would silently not be added to the bundle.
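The marker check above only tells you the mount happened. The following script, added here as an example and not part of the ca-init-container project, goes one step further from the host: it confirms the marker exists in the output directory, then parses your *.crt files and the generated ca-certificates.crt bundle and compares SHA-256 fingerprints of the DER bytes, so a CA that was silently skipped (wrong extension, empty file, CRLF noise) shows up as a named failure. It assumes the compose layout from this page (custom CAs in ../_common/certs, output in ./config/ssl, which the target sees as /etc/ssl); the two SAMPLE_CA_* constants are constructed placeholder blocks, not real certificates, included only so the functions can be exercised offline.

```python
"""Added example (not part of ca-init-container): verify on the host that the
generated /etc/ssl tree really carries your CAs.

Assumes the compose layout from the README: custom CAs as *.crt files in
../_common/certs and the init container's output in ./config/ssl, which the
target mounts as /etc/ssl. Standard library only, so it runs anywhere.
"""
import base64
import hashlib
import re
import sys
from pathlib import Path

# Matches one PEM certificate; DOTALL lets the base64 body span lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample "certificates" (arbitrary DER bytes, not real X.509) so the
# functions below can be exercised offline; fingerprinting works the same way.
SAMPLE_CA_A = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
SAMPLE_CA_B = "-----BEGIN CERTIFICATE-----\nCgsMDQ4PEBESEw==\n-----END CERTIFICATE-----\n"


def pem_fingerprints(text: str) -> set[str]:
    """SHA-256 fingerprints (hex) of every certificate in a PEM text.

    Compares DER bytes, so CRLF endings, re-wrapped base64 and junk between
    blocks (e.g. "Bag Attributes" lines from openssl pkcs12) do not matter.
    """
    fps = set()
    for body in _PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_cas(bundle_text: str, ca_texts: dict[str, str]) -> dict[str, str]:
    """Return {ca file name: fingerprint} for every CA that is not in the bundle."""
    present = pem_fingerprints(bundle_text)
    missing = {}
    for name, text in ca_texts.items():
        fps = pem_fingerprints(text)
        if not fps:
            missing[name] = "<no PEM certificate block found>"
        for fp in fps - present:
            missing[name] = fp
    return missing


def check_output_dir(output_dir: Path, certs_dir: Path) -> list[str]:
    """Return a list of problems; an empty list means the injection looks good."""
    problems = []
    # 1. the marker the README tells you to look for in the container's /etc/ssl
    if not list(output_dir.glob("generated-by-cainit-*")):
        problems.append(f"no generated-by-cainit-* marker in {output_dir}")
    # 2. the bundle that REQUESTS_CA_BUNDLE and the OpenSSL default paths point at
    bundle = output_dir / "certs" / "ca-certificates.crt"
    if not bundle.is_file():
        problems.append(f"bundle {bundle} is missing")
        return problems
    # 3. only *.crt files count, matching the README's naming requirement
    cas = {p.name: p.read_text() for p in sorted(certs_dir.glob("*.crt"))}
    if not cas:
        problems.append(f"no *.crt files found in {certs_dir}")
    for name, fp in missing_cas(bundle.read_text(), cas).items():
        problems.append(f"{name} ({fp}) is not in {bundle}")
    return problems


if __name__ == "__main__":
    out_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "./config/ssl")
    src_dir = Path(sys.argv[2] if len(sys.argv) > 2 else "../_common/certs")
    found = check_output_dir(out_dir, src_dir)
    for problem in found:
        print("FAIL:", problem)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it from the directory holding the compose file (`python3 check_cainit.py ./config/ssl ../_common/certs`) after the init container has completed; a non-zero exit means at least one of your CAs is not in the bundle the application will trust. Because the check reads the bind-mounted output directory, it sees exactly the bytes the target container sees, with no need to exec into it.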