Skip to content

Custom root certificates

Usually we use let's encrypt to generate valid certificates for public access. Nethertheless caddy provides an easy way to use custom certificates. This article assumes that you want to use a valid (standard or wildcard) certificate from a widely trusted authority.

Self signed certificates are not fully supported

The use of a self signed certificate is not recommended. Even if you clients (browsers) trust the certificate, the docker containers do not trust each other by default. The Python Pipeline will not work etc...

Make certificates available to caddy

With the caddy.yml a default volume-mount is created: /opt/caddy:/data By convention you should provide your certificate & key files in the container host filesystem under /opt/caddy/certs/ to make it available to caddy.

In the article, we assume that your certificates were saved as cert.pem and key.pem.

/opt/caddy/certs/
├── cert.pem
├── key.pem

Configure SeaTable Container to use custom certificates

The caddy docker proxy container from lucaslorentz supports dynamic configuration with labels.

It is not recommended to make changes to the provides seatable-server.yml. Create a custom yml file and reference it in your .env file instead. Add the following line to your custom-seatable-server.yml to tell caddy to use your custom certificates.

# configuration of custom-seatable-server.yml
services:
  seatable-server:
    ...
    labels:
      caddy: ${SEATABLE_SERVER_HOSTNAME}
      caddy.tls: "/data/certs/cert.pem /data/certs/key.pem" # <-- this label tells caddy to use custom certificates !the order is important
# [self signed only] if you are working with self signed or low trust certificates you also need to add them to the seatable container truststore..
    volumes:
      ...
      - "/opt/caddy/certs/cert.pem:/usr/local/share/ca-certificates/cert.crt"
# [self signed only] ..and update the truststore at runtime
    command: /bin/bash -c "update-ca-certificates && exec /sbin/my_init -- /templates/enterpoint.sh"

Self-signed certificates generated by Caddy

Even if it is not recommended, it is possible to ask Caddy to use auto generated self-signed certificates. This can be achieved by adding these lines to your custom-seatable-server.yml.

# configuration of custom-seatable-server.yml
services:
  seatable-server:
    ...
    labels:
      caddy: ${SEATABLE_SERVER_HOSTNAME}
      caddy.tls: "internal"

Problems with local IP

The current setup does not allow that you add a local IP adress as SEATABLE_SERVER_HOSTNAME in your .env file. There are two alternatives that we recommend to use:

use local address

Instead of the IP adress you should use an address like seatable.local. This requires that you either use a self-signed certificate or a custom root certificate.

use nip.io

There is a free service https://nip.io which allows mapping any IP Address to a hostname using the following formats:

  • 10.0.0.1.nip.io maps to 10.0.0.1
  • 192-168-1-250.nip.io maps to 192.168.1.250
  • 0a000803.nip.io maps to 10.0.8.3

So if you want to use the local address like 192.168.17.20, you should use 192.168.17.20.nip.io as SEATABLE_SERVER_HOSTNAME.