Sentry 10 on-premise installation failed at adding self-signed certificate

Hello

For our on-premise installation, we are adding our self-signed certificates to the Docker image, and found that the Docker image build failed when copying the certificates.

What we have done is:

  1. Put the self-signed certificate file in the sentry folder.
  2. During the Docker image build, try to trust this certificate.
  3. For debugging, we listed all files during the installation to confirm the file's existence.

Here is our installation log:

Pulling snuba-cleanup          ... done
Pulling symbolicator           ... pulling from getsentry/symbolicator
Pulling symbolicator           ... digest: sha256:adbb9b87150a1abf66...
Pulling symbolicator           ... status: image is up to date for g...
Pulling symbolicator           ... done
Pulling smtp                   ... pulling from tianon/exim4
Pulling smtp                   ... digest: sha256:f01923e8154add4b30...
Pulling smtp                   ... status: image is up to date for t...
Pulling smtp                   ... done
Pulling redis                  ... digest: sha256:49a9889fc47003cc8b...
Pulling redis                  ... status: image is up to date for r...
Pulling redis                  ... done
latest: Pulling from getsentry/sentry
Digest: sha256:bb80d4c92c50cee042dbf0064a6b9d48a4e63f1274d5c7b8c9886e55d354c8e7
Status: Image is up to date for getsentry/sentry:latest
docker.io/getsentry/sentry:latest
checking files in sentry
总用量 24
-rw-r--r-- 1 root root 2536 3月  22 08:13 config.yml
-rw-r--r-- 1 root root  382 3月  23 11:42 Dockerfile
-rw-r--r-- 1 root root   62 3月  22 08:13 requirements.txt
-rw-r--r-- 1 root root 3691 3月  23 09:50 self-signed.crt
-rw-r--r-- 1 root root 5886 3月  22 09:36 sentry.conf.py
Building web
Step 1/5 : ARG SENTRY_IMAGE
Step 2/5 : FROM ${SENTRY_IMAGE:-getsentry/sentry:latest}
 ---> d1a5c1fc62f4
Step 3/5 : COPY . /usr/src/sentry
 ---> e044f8411b9f
Step 4/5 : RUN ls -l /usr/src/sentry   && mv /usr/src/sentry/self-signed.crt /user/local/share/ca-certificates/self-signed.crt   && update-ca-certificates
 ---> Running in 9d571145e987
total 4
-rw-r--r-- 1 root root 62 Mar 22 00:13 requirements.txt
mv: cannot stat '/usr/src/sentry/self-signed.crt': No such file or directory
Removing intermediate container 9d571145e987
Service 'web' failed to build: The command '/bin/sh -c ls -l /usr/src/sentry   && mv /usr/src/sentry/self-signed.crt /user/local/share/ca-certificates/self-signed.crt   && update-ca-certificates' returned a non-zero code: 1
Cleaning up...

We can see that our self-signed.crt file sits next to requirements.txt, but after the Docker command COPY . /usr/src/sentry, it seems only requirements.txt was actually copied.

So we are wondering:

  1. Why did Docker only copy the requirements.txt file and ignore the others?
  2. And what is the best practice for trusting a self-signed certificate during the Docker image build?

B.R.

Liang

Why did Docker only copy the requirements.txt file and ignore the others?

This is due to the .dockerignore file, as the design of this Docker image is restricted to allowing some pip packages to be installed afterwards.

This can be extended, but there wasn't a strong need for it, and people who want/need this can alter the Dockerfile and other things, like you did here.

And what is the best practice for trusting a self-signed certificate during the Docker image build?

The best way would be to:

  1. Not use self-signed certificates (as you can get valid certs from https://letsencrypt.org now)
  2. Use a reverse-proxy, such as Nginx, to terminate the TLS connection and use the certificates there instead of baking them into the Sentry image.
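To see the .dockerignore effect described above before a build fails, the following added example (not code from the thread or from Sentry itself) applies the documented .dockerignore matching rules to a list of build-context files; the .dockerignore content it uses is constructed to reproduce the behaviour in the build log and is an assumption, not Sentry's actual file.

```python
# Added example, not code from the thread or from Sentry itself: predict which
# build-context files `COPY . /dst` keeps under .dockerignore rules (path relative
# to the context, `*` stops at `/`, `**` spans directories, `!` re-includes, last match wins).
import re

# Constructed to reproduce the build log (only requirements.txt survived the COPY);
# an assumption, not Sentry's actual .dockerignore.
CONSTRUCTED_DOCKERIGNORE = """\
# exclude everything, then re-include the one file the image needs
*
!requirements.txt
"""

def _pattern_to_regex(pattern):
    """Translate one .dockerignore pattern (Go filepath.Match plus `**`) to a regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:[^/]+/)*", i + 3  # zero or more directory components
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1  # `*` does not cross a path separator
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_dockerignore(text):
    """Return (is_exception, regex) rules in file order; blanks and # comments skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            negate = line.startswith("!")
            rules.append((negate, _pattern_to_regex(line.lstrip("!").strip("/"))))
    return rules

def is_excluded(path, rules):
    """Last matching rule decides; the path itself or any parent directory may match."""
    parts = path.split("/")
    prefixes = ["/".join(parts[:n]) for n in range(1, len(parts) + 1)]
    excluded = False
    for negate, rx in rules:
        if any(rx.match(p) for p in prefixes):
            excluded = not negate
    return excluded

def files_copied(context_files, dockerignore_text):
    """Build-context files that survive the .dockerignore filter, sorted."""
    rules = parse_dockerignore(dockerignore_text)
    return sorted(f for f in context_files if not is_excluded(f, rules))
```

Appending a `!self-signed.crt` line to the constructed .dockerignore is enough for the certificate to survive the COPY in this model.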

Hi,

Finally we have found the following as a solution for the Dockerfile modification, as we only need to enable trust of our root CA 🙂

COPY . /usr/src/sentry

# The image's .dockerignore drops the .crt from COPY, so the PEM is written into the
# trust store line by line instead, then the system CA bundle is regenerated.
RUN echo "-----BEGIN CERTIFICATE-----" >> /usr/local/share/ca-certificates/nsb-root.crt \
  && echo "MIIKeDCCBmCgAwIBAgIJALRR92P5zX1PMA0GCSqGSIb3DQEBCwUAMIHIMQswCQYD" >> /usr/local/share/ca-certificates/nsb-root.crt \
  && echo "#############################################" >> /usr/local/share/ca-certificates/nsb-root.crt \
  && echo "ALL OTHERS INTO CRT FILE" >> /usr/local/share/ca-certificates/nsb-root.crt \
  && echo "##########################################" >> /usr/local/share/ca-certificates/nsb-root.crt \
  && echo "-----END CERTIFICATE-----" >> /usr/local/share/ca-certificates/nsb-root.crt \
  && update-ca-certificates