
Add guidance for trusting custom CA certificates in Docker deployments #7177

@dgatti0213

Description


Problem
Our self-hosted Docker install docs have no guidance on how to configure trust for custom or self-signed CA certificates. This is a real gap for on-prem and air-gapped deployments where customers are connecting Node-RED to internally TLS-secured services.
A common real-world example: a customer running RabbitMQ with TLS enabled using a self-signed CA. By default, Node-RED instances spun up by FlowFuse will reject connections to that broker because they have no knowledge of the private CA. There is currently no documentation explaining how to solve this.

Specifically there is no guidance on:
Injecting a custom CA into the forge container via NODE_EXTRA_CA_CERTS
Whether and how DOCKER_DRIVER_PRIVATE_CA_PATH propagates CA trust to spawned Node-RED instance containers
Recommended volume mount structure for cert files on a Linux host
Any additional steps required for full end-to-end CA trust in an air-gapped deployment
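As an added illustration of the first two bullets (this is not the issue author's compose file, nor FlowFuse's official pattern, which is exactly what the issue asks engineering to confirm), the fragment below shows the Node.js-level mechanism: a private CA bundle bind-mounted read-only into the forge container and pointed at by NODE_EXTRA_CA_CERTS, which Node.js reads once at process start and appends to its built-in root store without replacing the public roots. The host path /etc/flowfuse/certs, the service name forge and the FLOWFUSE_FORGE_IMAGE variable are assumptions chosen for the example.

```yaml
# Added example, not from the FlowFuse docs or the attached compose file.
# Assumed layout on the Linux host:
#   /etc/flowfuse/certs/private-ca.pem   (0644, root-owned, one or more PEM CA certs concatenated)
services:
  forge:
    image: "${FLOWFUSE_FORGE_IMAGE}"   # placeholder: use the image from your existing compose file
    environment:
      # Node.js loads this PEM bundle at startup and trusts it in addition to
      # the bundled Mozilla roots. It applies only to this container's process.
      NODE_EXTRA_CA_CERTS: /etc/flowfuse/certs/private-ca.pem
    volumes:
      # Read-only bind mount; the container path must match NODE_EXTRA_CA_CERTS.
      - /etc/flowfuse/certs/private-ca.pem:/etc/flowfuse/certs/private-ca.pem:ro
```

Two caveats worth stating in the eventual doc: the bundle should contain only the CA certificate(s), never the private key, and an environment variable set on the forge container is not inherited by the Node-RED instance containers that forge spawns, so this fragment does not by itself answer the issue's question about DOCKER_DRIVER_PRIVATE_CA_PATH. A quick check that the mount worked is to run, inside the forge container, a Node.js one-liner such as node -e "require('https').get('https://broker.internal:15671', r => console.log(r.statusCode)).on('error', console.error)" against the internal TLS endpoint; a UNABLE_TO_VERIFY_LEAF_SIGNATURE or SELF_SIGNED_CERT_IN_CHAIN error means the CA is still not trusted.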

What exists today
The Docker install docs cover DNS setup, project stacks, and platform config but have no TLS or certificate trust section. Neither NODE_EXTRA_CA_CERTS nor DOCKER_DRIVER_PRIVATE_CA_PATH are mentioned anywhere in the docs. There is also no doc covering air-gapped Linux on-prem deployments as a scenario at all.

Compose file for review
https://drive.google.com/file/d/1O_Ie_b4FJN7w9MW4nc4I3pURNJBg3IHa/view?usp=sharing

Questions for engineering before writing this doc

  1. What is the officially supported pattern for injecting a private CA into the forge container?
  2. Does DOCKER_DRIVER_PRIVATE_CA_PATH propagate CA trust to spawned Node-RED instance containers?
  3. What value should it be set to?
  4. Is there anything else required for full CA trust end-to-end in an air-gapped Docker deployment?

Proposed location
New section under Installing FlowFuse > Docker install — "TLS & Custom Certificates" or "Using a Private CA"

Labels

  - area:docs (Improvements or additions to documentation)
  - needs-triage (Needs looking at to decide what to do)
  - sales request (requested by a sales lead)