Root Certificates Container

This website, like most of the services I host in my homelab, runs in a Docker container hosted in a small Kubernetes cluster. I’ll go into more detail about the Kubernetes cluster in a later post. In this post I want to demonstrate a very simple container image I have created which bundles the root certificates distributed with most operating systems, making them available to the application running within.


Imagine an application which interacts with an external resource over TLS, perhaps a website which stores input from users in a Google Sheets document. Every read from or write to the spreadsheet is an HTTPS request from our application to the Google API.

In order to trust that our application is really talking to the Google API and not to something sitting in between, web browsers and our application rely on a set of root certificates they already hold: the public certificates of the certificate authorities (CAs) they trust. When the remote server is contacted it presents its own certificate, usually together with the intermediate CA certificates that issued it, and the client checks that this chain leads back, signature by signature, to one of the roots it holds, that each certificate is within its validity period, and that the name in the server certificate matches the host being contacted. Only when all of those checks pass is the site treated as legitimate; if no trusted root is found at the top of the chain, the connection is refused.

These root certificates are usually distributed with the operating system. On a Linux computer they are often found in /etc/ssl/certs, commonly concatenated into a single bundle file, /etc/ssl/certs/ca-certificates.crt. But what if the application is running in a FROM scratch Docker container? A scratch image is completely empty, so unless the application ships its own roots there is no trust store at all, and every TLS connection it attempts fails certificate verification.
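To make the check described above concrete, here is an added example (not code from the original post) showing that the trust store is the whole decision: a throwaway root CA and a server certificate for "localhost" are generated in memory, a TLS server is started on a loopback port, and a client connects twice, once with a trust store that holds the root and once with an empty one, which is exactly what a scratch container has. Go is assumed here because statically linked Go binaries are the usual occupants of scratch images; the CA name, ports and certificate lifetimes are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testCA is a throwaway root CA generated in memory, plus a server
// certificate for "localhost" that it has signed. Nothing touches disk.
type testCA struct {
	pool *x509.CertPool  // a trust store containing only this CA
	leaf tls.Certificate // the server's certificate and private key
}

func newTestCA() (*testCA, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"}, // illustrative name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"}, // the name the client will verify against
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}

	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &testCA{
		pool: pool,
		leaf: tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey},
	}, nil
}

// handshake starts a TLS listener on a loopback port using the CA's leaf
// certificate, then connects to it as a client that trusts only `roots`.
// The returned error is the client's verdict on the server's certificate.
func handshake(ca *testCA, roots *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{ca.leaf},
	})
	if err != nil {
		return err
	}
	defer ln.Close()

	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// Drive the server side of the handshake so the client gets its answer.
		_ = conn.(*tls.Conn).Handshake()
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,       // nil would mean "use the OS trust store"
		ServerName: "localhost", // must match a name in the server certificate
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// isUnknownAuthority reports whether err is the failure a client gets when
// no root in its trust store can vouch for the chain the server presented.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ca, err := newTestCA()
	if err != nil {
		panic(err)
	}
	fmt.Println("trust store holds the root:", handshake(ca, ca.pool))
	fmt.Println("trust store is empty:      ", handshake(ca, x509.NewCertPool()))
}
```

The second call fails with an "unknown authority" error even though the server's certificate is perfectly well formed and its name matches; nothing about the certificate changed, only what the client was willing to trust. With RootCAs left nil, Go reads the operating system bundle instead, which on Linux includes /etc/ssl/certs/ca-certificates.crt, and in a scratch container that file is simply absent.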

A Potential Solution

Our application contacts the Google API and, as discussed, needs a trusted root certificate in order to verify it. To satisfy this requirement, we could launch our container with a volume mount to insert the certificates from the host:

docker run -v /etc/ssl/certs:/etc/ssl/certs:ro my-application

With this command the contents of /etc/ssl/certs on the host are mounted at the same location in the running container, read-only so the application cannot alter the host's trust store. This works, assuming the certificates will always be in this location on the host and that the host keeps them up to date. But what if we want to run our application on another host, such as a node in a Kubernetes cluster, whose distribution may keep its bundle somewhere else or not ship one at all?

Simpler Solution

I have created a tiny Docker image which contains the root certificates your application needs. To use it, extract the archive, then build the root-certs image and tag it:

tar -xf archive.tar
cd <resulting directory>

docker build -t root-certs .
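The archive's contents are not shown above, so here, as an added example rather than the author's own Dockerfile, is one way to build such a base image: a multi-stage build installs the CA bundle in an ordinary distribution image and copies only that one file into an empty scratch image. The alpine:3.19 tag and the bundle path are assumptions; check the path in whichever distribution image you use.

```dockerfile
# Stage 1: any full distribution image that packages a maintained CA bundle.
FROM alpine:3.19 AS certs
RUN apk add --no-cache ca-certificates

# Stage 2: an empty image holding nothing but the bundle, placed where most
# TLS libraries on Linux look for it by default.
FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
```

If an application image already has a different base and cannot inherit from root-certs, the same file can be pulled in with COPY --from=root-certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ instead of FROM, which gives the same trust store without changing the base.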

Now you can base any container image which needs the root certificates on this one. For example, your application's Dockerfile might look like this:

FROM root-certs

# COPY rather than ADD: ADD also unpacks archives and fetches URLs, which is
# not wanted for a plain binary.
COPY my-application /my-application
ENTRYPOINT [ "/my-application" ]

This may seem slightly more complicated in the short run, but if you have multiple containers which all have this requirement, it is very nice to have one common base that satisfies it for all of them. One caveat: the base image freezes the bundle as it was on the day it was built, and roots do expire and get distrusted, so rebuild root-certs (and the images derived from it) on a regular schedule rather than once.