In many enterprise environments, internal certificate authorities (CAs) or self-signed TLS certificates are used, for example for internal APIs, private container registries, or package repositories. For applications in the VARIOS AI container to trust these certificates, you can mount a custom CA certificate bundle from the host into the container. This configuration makes the container pick up the additional CA certificates, so it can establish TLS connections to servers whose certificates were issued by your internal CAs.

Configuration

In your docker-compose.yml, extend the PHP container command and mount the certificate bundle as a volume:
# docker-compose.yml

php:
  [...]
  command: sh -c "/usr/sbin/update-ca-certificates 2>/dev/null || true; /scripts/run.sh"
  volumes:
    [...]
    - "/etc/pki/tls/certs/ca-bundle.crt:/usr/local/share/ca-certificates/ca-bundle.crt:ro"
The example path /etc/pki/tls/certs/ca-bundle.crt is typical for RHEL/CentOS systems. On Debian/Ubuntu, the system CA bundle is often at /etc/ssl/certs/ca-certificates.crt. Adjust the host path to match your distribution.

How It Works

1. Mounting the certificate

- "/etc/pki/tls/certs/ca-bundle.crt:/usr/local/share/ca-certificates/ca-bundle.crt:ro"
  • The certificate bundle from the host system is mounted into the container.
  • Target path in the container: /usr/local/share/ca-certificates/ca-bundle.crt
  • The volume is mounted read-only (ro) so the container cannot modify the file.
This directory is the standard source for additional CA certificates on Debian-based distributions (including the official PHP images). Files placed there must carry the .crt extension to be picked up, which is why the mount target keeps the .crt name.

2. Updating the certificate store

/usr/sbin/update-ca-certificates
  • This command scans the directory /usr/local/share/ca-certificates.
  • The certificates it finds are added to the system-wide trust store.
  • Applications in the container (e.g. PHP, curl, Composer, OpenSSL) can then use these CAs for TLS connections.
  • Because the compose command appends "|| true" and discards stderr, a failure at this step (for example a missing update-ca-certificates binary) does not stop the container from starting. Verify the trust store after the first start rather than assuming it was updated.

3. Starting the container script

/scripts/run.sh
  • After updating the certificates, the container’s normal startup script is executed.
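To confirm that the mount and update-ca-certificates actually took effect, the following POSIX shell script is an added example; it is not part of the VARIOS AI documentation or product. It counts the PEM certificates in the mounted bundle, checks that the BEGIN/END markers are balanced (a truncated bundle is a common copy error), and verifies that every certificate from the bundle appears in the generated system store. The paths in check_container_trust are those from the docker-compose.yml above plus the Debian/Ubuntu store path /etc/ssl/certs/ca-certificates.crt; the sample bundle built by make_sample_files is constructed placeholder text shaped like PEM, not real certificates.

```shell
#!/bin/sh
# Added example (not part of the VARIOS AI docs): sanity checks for a mounted
# CA bundle, meant to run inside the container after startup.

# count_pem_certs FILE -> prints the number of "BEGIN CERTIFICATE" blocks.
# Fails if the file is unreadable or BEGIN/END markers are unbalanced.
count_pem_certs() {
  file="$1"
  [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -ne "$ends" ]; then
    echo "unbalanced PEM markers in $file ($begins BEGIN, $ends END)" >&2
    return 1
  fi
  echo "$begins"
}

# pem_checksums FILE -> one line per certificate block: the POSIX cksum of
# the block's text. A cheap fingerprint that needs no openssl in the image.
pem_checksums() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { collecting = 1; block = "" }
    collecting { block = block $0 "\n" }
    /-----END CERTIFICATE-----/ {
      collecting = 0
      cmd = "cksum"
      printf "%s", block | cmd
      close(cmd)
    }
  ' "$1" | cut -d' ' -f1
}

# missing_from_store BUNDLE STORE -> number of certificates in BUNDLE whose
# block does not appear in STORE. Expect 0 once update-ca-certificates ran.
missing_from_store() {
  store_sums=$(pem_checksums "$2")
  missing=0
  for sum in $(pem_checksums "$1"); do
    if ! printf '%s\n' "$store_sums" | grep -qx "$sum"; then
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# check_container_trust -> the check to run inside the container. Uses the
# mount target from the docker-compose.yml and the Debian/Ubuntu store path.
check_container_trust() {
  bundle=/usr/local/share/ca-certificates/ca-bundle.crt
  store=/etc/ssl/certs/ca-certificates.crt
  n=$(count_pem_certs "$bundle") || return 1
  echo "mounted bundle contains $n certificate(s)"
  m=$(missing_from_store "$bundle" "$store")
  if [ "$m" -ne 0 ]; then
    echo "$m certificate(s) from the bundle are missing from $store; did update-ca-certificates run?" >&2
    return 1
  fi
  echo "all bundle certificates are present in the system trust store"
}

# make_sample_files DIR -> constructed test data: a bundle with two PEM-shaped
# blocks and a store that contains only the first of them plus an unrelated
# block. The bodies are placeholder base64, not real certificates.
make_sample_files() {
  dir="$1"
  cat > "$dir/ca-bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNBLTE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNBLTI=
-----END CERTIFICATE-----
EOF
  cat > "$dir/ca-certificates.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU1lTVEVNLVJPT1Q=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNBLTE=
-----END CERTIFICATE-----
EOF
}

# demo: run the checks against the constructed sample files.
demo() {
  dir=$(mktemp -d)
  make_sample_files "$dir"
  echo "bundle certs: $(count_pem_certs "$dir/ca-bundle.crt")"
  echo "missing from store: $(missing_from_store "$dir/ca-bundle.crt" "$dir/ca-certificates.crt")"
  rm -rf "$dir"
}

# Usage: ./check-ca.sh --demo   (sample data)   or   ./check-ca.sh --check   (inside the container)
case "${1:-}" in
  --demo) demo ;;
  --check) check_container_trust ;;
esac
```

Run it with --check via docker compose exec on the php service; a non-zero exit means the bundle was mounted but not merged into the store, which is exactly the case the "|| true" in the compose command would otherwise hide.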

Result

After the container starts:
  • The host’s CA bundle is available inside the container.
  • The certificates are registered in the system-wide trust store.
  • Applications in the container can establish TLS connections to servers whose certificates were issued by these CAs.

Typical Use Cases

  • Using an internal corporate CA
  • Accessing internal APIs with self-signed certificates
  • Trust for private container registries or package repositories