@@ -20,6 +20,18 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docke
20
20
apt update
21
21
apt -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
22
22
23
+ # Portainer does not seem to honor the --tlscacert flag correctly. That will
24
+ # become apparent when you try to do OIDC SSO with self-signed certificates or the like.
25
+ # as a workaround, we install the Root CA on the Docker host and later mount the modified
26
+ # /etc/ssl/certs/ca-certificates.crt to the Container.
27
+
28
+ # we copy the root CA into the openssl cert folder
29
+ cp /etc/certificates/${DOMAIN} /rootCA.crt /etc/ssl/certs
30
+ # create the hash link
31
+ ln -s /etc/ssl/certs/rootCA.crt /etc/ssl/certs/` openssl x509 -hash -noout -in rootCA.crt` .0
32
+ # this will update the /etc/ssl/certs/ca-certificates.crt
33
+ update-ca-certificates
34
+
23
35
# now we can install portainer
24
36
docker pull portainer/portainer-ce:latest
25
37
docker run -d -p 9000:9000 -p 9443:9443 \
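Review bot: The CA workaround in this hunk does not get the root CA into `/etc/ssl/certs/ca-certificates.crt`, because on Debian/Ubuntu `update-ca-certificates` builds that bundle from `/usr/local/share/ca-certificates/*.crt` and the entries listed in `/etc/ca-certificates.conf`, not from files copied straight into `/etc/ssl/certs`, so the bundle mounted into the container later still lacks the CA. The `ln -s` line runs `openssl x509 -hash -noout -in rootCA.crt` against a relative path in whatever the current directory happens to be, so it most likely fails and the link is created as `/etc/ssl/certs/.0`; with the correct install location the hash link is unnecessary anyway, since `update-ca-certificates` creates it. Replace the `cp` and `ln -s` lines with `install -m 0644 -- "/etc/certificates/${DOMAIN}/rootCA.crt" /usr/local/share/ca-certificates/rootCA.crt` followed by `update-ca-certificates`, keeping `${DOMAIN}` quoted (if the space before `/rootCA.crt` is in the script rather than a rendering artefact, `cp` currently receives two source operands). Related, in the second hunk `--tlscacert /cert/rootCA.crt` points at `/cert` while the volume is mounted at `/certs`, so even where Portainer honours the flag it cannot find the file; `--tlscacert /certs/rootCA.crt` matches the mount.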
@@ -28,10 +40,13 @@ docker run -d -p 9000:9000 -p 9443:9443 \
28
40
-v /var/run/docker.sock:/var/run/docker.sock \
29
41
-v portainer_data:/data \
30
42
-v /etc/certificates/${DOMAIN} :/certs \
43
+ -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
31
44
portainer/portainer-ce:latest \
32
45
--sslcert /certs/wildcard_fullchain.crt \
33
- --sslkey /certs/wildcard.key
34
-
46
+ --sslkey /certs/wildcard.key \
47
+ --tlscacert /cert/rootCA.crt
48
+ # little tip: in order to debug portainer behavior, add --log-level=DEBUG
49
+
35
50
# let's add portainer agent as well in case you already have an existing portainer somewhere
36
51
docker run -d -p 9001:9001 \
37
52
--name portainer_agent \