feat(talk): trust custom CA certificates via NEXTCLOUD_TRUSTED_CACERTS_DIR

When NEXTCLOUD_TRUSTED_CACERTS_DIR is set on the mastercontainer, the custom CA certificates are now also mounted into the Talk container. Since the Talk container runs with a read-only root filesystem, update-ca-certificates cannot be used. Instead, the startup script copies the system CA bundle to /tmp (tmpfs), appends any custom certificates from /usr/local/share/ca-certificates/, and sets SSL_CERT_FILE to point Go's TLS stack at the extended bundle. This allows the signaling server to verify TLS connections to Nextcloud instances that use private/internal CA certificates, without requiring skipverify=true. Signed-off-by: Tomas <16553087+michnovka@users.noreply.github.com>
2026-05-29 15:00:09 +00:00 · 2026-03-03 00:06:22 +01:00
parent c1faa785b3
commit 7cd2ac1bbd
2 changed files with 22 additions and 0 deletions
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -18,6 +18,21 @@ elif [ -z "$INTERNAL_SECRET" ]; then
    exit 1
 fi

+# Trust additional CA certificates, if the user provided NEXTCLOUD_TRUSTED_CACERTS_DIR
+# The container is read-only, so we build a custom bundle in /tmp (tmpfs) and
+# point Go's TLS stack to it via SSL_CERT_FILE.
+if [ -n "$(find /usr/local/share/ca-certificates -name '*.crt' -type f 2>/dev/null)" ]; then
+    echo "Trusting additional CA certificates..."
+    cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
+    for cert in /usr/local/share/ca-certificates/*.crt; do
+        if [ -f "$cert" ]; then
+            cat "$cert" >> /tmp/ca-certificates.crt
+            echo "  Added: $(basename "$cert")"
+        fi
+    done
+    export SSL_CERT_FILE=/tmp/ca-certificates.crt
+fi
+
 set -x
 IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
 # shellcheck disable=SC2153
--- a/php/containers.json
+++ b/php/containers.json
@@ -437,6 +437,13 @@
        "8081"
      ],
      "internal_port": "%TALK_PORT%",
+      "volumes": [
+        {
+          "source": "%NEXTCLOUD_TRUSTED_CACERTS_DIR%",
+          "destination": "/usr/local/share/ca-certificates",
+          "writeable": false
+        }
+      ],
      "environment": [
        "NC_DOMAIN=%NC_DOMAIN%",
        "TALK_HOST=nextcloud-aio-talk",