How to add a custom CA-Certificate on an extended (node.js) docker image

I'm extending the node-red docker image which (currently) bases itself on the node:6 docker image.

I would like to add a custom SSL-Certificate into the docker-image's certificate store. Up to now I did this as follows:

FROM nodered/node-red-docker

ADD DigiCertCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

ADD settings.js /data/settings.js

RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash 

CMD ["npm", "start", "--", "--userDir", "/data"]

Building this image fails, because the RUN is executed as non-root user node.

Updating certificates in /etc/ssl/certs... ln: failed to create symbolic link '/etc/ssl/certs/DigiCertCA.pem': Permission denied
The command '/bin/sh -c update-ca-certificates' returned a non-zero code: 1

I'm aware that as non-root such an operation is not possible. But what's the valid concept to extend existing images with custom CA-Certificates?

Maus asked Oct 26 '25 06:10


2 Answers

Why not just switch user to root to run the command to add the cert then switch back?

FROM nodered/node-red-docker

ADD DigiCertCA.crt /usr/local/share/ca-certificates/
USER root
RUN update-ca-certificates
USER node-red


ADD settings.js /data/settings.js

RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash 

CMD ["npm", "start", "--", "--userDir", "/data"]

hardillb answered Oct 28 '25 19:10
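
A build-time check to pair with the update-ca-certificates step discussed above, as an added example that is not part of the original question or answers: it confirms the certificate file will be picked up (the tool only reads PEM files named *.crt under /usr/local/share/ca-certificates) and that it actually landed in the generated bundle. The function names and the script file name in the usage comment are assumptions; /etc/ssl/certs/ca-certificates.crt is the bundle path on Debian-based images.

```shell
#!/bin/sh
# Added example: sanity checks around `update-ca-certificates` in an image build.
# Function names are hypothetical. Possible use in a Dockerfile, as root:
#   RUN . /tmp/ca-check.sh \
#    && check_ca_source /usr/local/share/ca-certificates/DigiCertCA.crt \
#    && update-ca-certificates \
#    && check_ca_in_bundle /usr/local/share/ca-certificates/DigiCertCA.crt \
#                          /etc/ssl/certs/ca-certificates.crt

# Print the base64 body of the first PEM certificate in $1 as a single line,
# so that differences in line wrapping do not affect later comparisons.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {on = 1; next}
         /-----END CERTIFICATE-----/   {exit}
         on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# Pre-check: the file must be named *.crt and be PEM encoded, otherwise
# update-ca-certificates ignores it or produces an unusable bundle entry.
check_ca_source() {
    case "$1" in
        *.crt) ;;
        *) echo "not named *.crt, will be skipped: $1" >&2; return 1 ;;
    esac
    [ -n "$(pem_body "$1")" ] || { echo "no PEM certificate (DER?): $1" >&2; return 1; }
}

# Post-check: the certificate in $1 must be one of the entries in bundle $2.
check_ca_in_bundle() {
    want=$(pem_body "$1")
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ {on = 1; cur = ""; next}
        /-----END CERTIFICATE-----/   {if (cur == want) found = 1; on = 0; next}
        on {gsub(/[ \t\r]/, ""); cur = cur $0}
        END {exit found ? 0 : 1}' "$2"
}
```

Failing the build when either check returns non-zero catches a silently skipped certificate at image build time rather than as a TLS error in the running container.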


This is a complete example with proxy and certificate.

Use npm config set cafile

Dockerfile:

FROM node:10.15.3-jessie

# HTTP Proxy
ARG http_proxy
ARG https_proxy
ENV http_proxy ${http_proxy}
ENV https_proxy ${https_proxy}

# Certificate
ENV CERT_HOME=/usr/local/share/ca-certificates
ENV CERT_FILE_PATH=${CERT_HOME}/my.crt
RUN mkdir -p ${CERT_HOME}
ADD my.crt ${CERT_FILE_PATH}
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*

# npm settings
RUN npm config set cafile ${CERT_FILE_PATH}
RUN npm config set proxy ${http_proxy}
RUN npm config set https-proxy ${https_proxy}

# Check
RUN npm config get proxy
RUN npm config get https-proxy
RUN npm config get registry

And run:

docker build --build-arg http_proxy=$http_proxy --build-arg https_proxy=$https_proxy --tag mynode .

Thiago Falcao answered Oct 28 '25 20:10