Installing in Docker with custom SSL certificates


I would like to install firezone in docker, using my own custom, pre-issued SSL certificates. I cannot use ACME for various reasons.

How can I go about setting this up?


I’ve tried adding the following to my .env, but it results in caddy not coming up.

TLS_OPTS="tls internal {

The caddy log is:

firezone-caddy-1     | {"level":"info","ts":1671960417.6151981,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
firezone-caddy-1     | {"level":"warn","ts":1671960417.6156855,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":1}
firezone-caddy-1     | {"level":"info","ts":1671960417.615946,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//"]}
firezone-caddy-1     | {"level":"info","ts":1671960417.616056,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0003e2930"}
firezone-caddy-1     | {"level":"info","ts":1671960417.6160622,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0003e2930"}
firezone-caddy-1     | Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: loading TLS automation management module: position 0: loading module'internal': provision tls.issuance.internal: loading pki app module: provision pki: provisioning CA 'local': loading root cert: open /data/caddy/pki/authorities/local/root.crt: permission denied
firezone-caddy-1 exited with code 1

I'm afraid you need to manually update the caddy config to suit your requirements. If you need a simple hack, just think through the logic: replace the cert at the path ${installDir:-}/caddy.

That path and its sub-directory contain the cert that you can copy out, so simply overwrite the cert with your own. Of course it is not perfect.

If you need caddy as your reverse proxy, use a different config rather than the default one, change the cert path and it should work.

Or switch to your favourite reverse proxy, apache or nginx for example.
It also supports being used as a reverse proxy that only redirects to port 13000, which is the container's firezone port.

I suggest you read the script once; it is so straightforward and makes sense. Once you pick up the logic you can change it like magic.

For your error: I am using podman rather than docker, but it should be the same root cause, since .env TLS_OPTS is not read at run-time but at the initialization stage, so once you change it, you will also need to rebuild.

Using the “inspect” parameter on the container may reveal some hints.

How do I rebuild to pick up TLS_OPTS?

I'm afraid you need to read the docker usage; this is part of a container issue.
Not so difficult.

To quickly spotlight the way
(assuming you have manually downloaded the docker-compose.xml into the current path; please read the documentation guide on how to download it):
i. stop and remove the caddy container.
ii. declare the variables $TLS_OPTS and ${installDir} in the shell with your desired values
iii. docker compose -f ${installDir:-.}/docker-compose.xml up -d caddy

Again, those commands and methods are already shown in the bash script.

@s13441 No need to rebuild – a simple docker compose -f $HOME/.firezone/docker-compose.yml up -d will reload the caddy service.

The docker-compose.yml file in there specifies an inline Caddyfile which loads $TLS_OPTS. We don’t overwrite the docker-compose.yml on upgrades – it’s safe to customize.

Check the caddy TLS docs for customizing: tls (Caddyfile directive) — Caddy Documentation

But your problem is permissions I think. Looks like Caddy can’t read your root cert mounted inside the container:

loading root cert: open /data/caddy/pki/authorities/local/root.crt: permission denied

Check that Docker has permissions to read that file.
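As an added example (not Firezone's own script, and not from anyone in this thread), a small pre-flight script for the two things this thread turns on: whether the caddy container's user can actually read the mounted cert and key, and whether the pair belongs together, plus the .env line to point TLS_OPTS at them. It assumes the files are bind-mounted with host ownership preserved, that TLS_OPTS is substituted verbatim as a Caddyfile directive, and that the container-side paths /certs/cert.pem and /certs/key.pem are yours to choose.

```bash
#!/usr/bin/env bash
# Added example, not Firezone's own script. Pre-flight checks for a custom
# certificate before pointing Caddy's TLS_OPTS at it. Assumes: the cert/key are
# bind-mounted into the caddy container with host ownership preserved, and
# TLS_OPTS is substituted verbatim as a Caddyfile directive (as in the thread).
set -u

# Return 0 if FILE is readable by UID:GID, i.e. by the process inside the
# container, judged from the host-side owner, group and permission bits.
readable_by() {
  local file=$1 uid=$2 gid=$3 owner group mode
  [ -f "$file" ] || return 1
  [ "$uid" -eq 0 ] && return 0          # root in the container reads anything
  owner=$(stat -c '%u' "$file") || return 1
  group=$(stat -c '%g' "$file") || return 1
  mode=$(stat -c '%a' "$file") || return 1
  mode=${mode: -3}                      # drop setuid/setgid/sticky digit if present
  if   [ "$owner" -eq "$uid" ]; then [ $(( (8#$mode >> 6) & 4 )) -ne 0 ]
  elif [ "$group" -eq "$gid" ]; then [ $(( (8#$mode >> 3) & 4 )) -ne 0 ]
  else                                 [ $((  8#$mode       & 4 )) -ne 0 ]
  fi
}

# Return 0 if CERT and KEY carry the same public key; Caddy cannot load a
# mismatched pair even when both files are readable.
cert_matches_key() {
  local cert=$1 key=$2 cpub kpub
  cpub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
  kpub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Print the .env line for a pre-issued cert. Paths are the ones visible INSIDE
# the container, not on the host.
tls_opts_line() {
  printf 'TLS_OPTS="tls %s %s"' "$1" "$2"
}

# Run all checks; the exit code is the number of failed checks, each reported.
preflight() {
  local cert=$1 key=$2 uid=$3 gid=$4 failed=0
  readable_by "$cert" "$uid" "$gid" || { echo "cert not readable by $uid:$gid"; failed=$((failed+1)); }
  readable_by "$key"  "$uid" "$gid" || { echo "key not readable by $uid:$gid";  failed=$((failed+1)); }
  cert_matches_key "$cert" "$key"   || { echo "cert/key public keys differ";    failed=$((failed+1)); }
  return "$failed"
}
```

Run `preflight host/cert.pem host/key.pem <uid> <gid>` with the uid:gid the caddy container runs as (from `docker inspect`), then append the output of `tls_opts_line` to .env and `docker compose up -d` as the maintainer describes.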