---
title: Custom TLS certificates
description: Using custom TLS certificates with LocalStack
template: doc
sidebar:
---
import { Tabs, TabItem } from '@astrojs/starlight/components';
LocalStack sometimes performs on-demand fetching of resources from the public internet. This requires that LocalStack is able to access public URLs. If there is a proxy server in your network that uses a non-standard TLS certificate, LocalStack will not be able to download any files on demand. You may see errors in the logs relating to TLS such as `unable to get local issuer certificate`.

There are three options, depending on how you run LocalStack. They all come down to the same steps:

- get your proxy's custom certificate into the system certificate store, and
- configure `requests` to use the custom certificate,
- configure `curl` to use the custom certificate, and
- configure `node.js` to use the custom certificate.
If you run LocalStack in a Docker container (which includes using the CLI, `docker`, `docker-compose`, or `helm`), create a new Docker image that includes the custom TLS root certificate.

Create a Dockerfile containing the following commands:

```dockerfile
FROM localstack/localstack:latest
# or if using the pro image:
# FROM localstack/localstack-pro:latest
COPY <your custom certificate.crt> /usr/local/share/ca-certificates/cert-bundle.crt
RUN update-ca-certificates
ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
```

and build the image:

```bash
docker build -t <image name> .
```

:::tip
Certificate files must end in `.crt` to be included in the system certificate store.
If your certificate file ends with `.pem`, you can rename it to end in `.crt`.
:::
LocalStack now needs to be configured to use this custom image. The workflow is different depending on how you start LocalStack.

<Tabs>
<TabItem label="CLI">
```bash
IMAGE_NAME=<image name> localstack start
```
</TabItem>
<TabItem label="Docker">
```bash
docker run <image name>
```
</TabItem>
<TabItem label="Docker Compose">
```yaml showLineNumbers
services:
  localstack:
    image: <image name>
    # the rest of your configuration
```
</TabItem>
</Tabs>

If you would rather not build a custom image, it is recommended to create a boot init hook.
Create a directory on your local system that includes

- the certificate you wish to copy, and
- the following shell script:

```bash
#!/bin/bash
set -euo pipefail
cp /etc/localstack/init/boot.d/<your certificate file>.crt /usr/local/share/ca-certificates
update-ca-certificates
```

Then run LocalStack with the environment variables

- `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and
- `CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and
- `NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt`

and follow the instructions in the init hooks documentation for configuring LocalStack to use the hook directory as a boot hook.
On Linux the custom certificate should be added to your ca-certificates bundle.
For example on Debian based systems (as root):

```bash
# cp <your custom certificate.crt> /usr/local/share/ca-certificates
# update-ca-certificates
```

Then run LocalStack with the environment variables `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`, and `NODE_EXTRA_CA_CERTS`:

```bash
NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt \
CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
localstack start --host
```

On macOS the custom certificate should be added to your keychain. See this Apple support article for more information.

Then run LocalStack with the environment variables `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`, and `NODE_EXTRA_CA_CERTS`:

```bash
NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt \
CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
localstack start --host
```

Currently host mode does not work with Windows. If you are using WSL2 you should follow the Linux steps above.
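Both the image-based setup above (the `.crt` naming rule and `update-ca-certificates` step) and the host-mode setup (the three `*_CA_BUNDLE` variables) fail silently when the certificate never made it into the merged bundle or the variables point at an unusable file. The following preflight script is an added example, not code from the LocalStack docs or project: it checks the file suffix, confirms that every certificate in your custom file appears in the merged bundle (by comparing the base64 bodies, so wrapping and ordering do not matter), and emits the three assignments from a single path so they cannot drift apart. Function names, the `ca-preflight.sh` file name and the sample PEM blocks in the test are illustrative.

```shell
#!/bin/sh
# Added example, not part of the LocalStack docs: preflight checks for a custom
# proxy CA certificate before baking it into an image or exporting the host-mode
# variables. All function and file names here are illustrative.
set -eu

# update-ca-certificates only picks up files named *.crt (see the tip above).
has_crt_suffix() {
  case "$1" in
    *.crt) return 0 ;;
    *) return 1 ;;
  esac
}

# Number of PEM certificate blocks in a file; 0 when the file is missing or not PEM.
count_pem_certs() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One line per certificate: the base64 body with line breaks removed, so two
# PEM files can be compared regardless of wrapping, comments or ordering.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; body = ""; next }
       /-----END CERTIFICATE-----/   { if (inb) print body; inb = 0; next }
       inb { body = body $0 }' "$1"
}

# Succeeds only if every certificate in the custom file ($1) is present in the
# merged bundle ($2), e.g. /etc/ssl/certs/ca-certificates.crt after
# update-ca-certificates has run. Fails if either file is missing or the custom
# file holds no certificate at all.
bundle_contains_cert() {
  [ -f "$2" ] || return 1
  [ "$(count_pem_certs "$1")" -gt 0 ] || return 1
  bundle_bodies=$(pem_bodies "$2")
  # The loop runs in a subshell; exit 1 there becomes the pipeline's status.
  pem_bodies "$1" | while IFS= read -r body; do
    printf '%s\n' "$bundle_bodies" | grep -qxF -- "$body" || exit 1
  done
}

# Emit the three assignments LocalStack's Python (requests), curl and Node.js
# clients read, all pointing at the same bundle; fails if the bundle is not a
# readable PEM file (which also catches a path that does not exist on this OS).
ca_bundle_env() {
  [ -r "$1" ] && [ "$(count_pem_certs "$1")" -gt 0 ] || return 1
  printf 'REQUESTS_CA_BUNDLE=%s\nCURL_CA_BUNDLE=%s\nNODE_EXTRA_CA_CERTS=%s\n' "$1" "$1" "$1"
}

# Usage: sh ca-preflight.sh <custom cert> <merged bundle>
if [ $# -eq 2 ]; then
  has_crt_suffix "$1" || echo "warning: $1 does not end in .crt and will be ignored by update-ca-certificates"
  if bundle_contains_cert "$1" "$2"; then
    echo "ok: $1 is present in $2"
    ca_bundle_env "$2"
  else
    echo "missing: $1 is not in $2 (did update-ca-certificates run?)"
    exit 1
  fi
fi
```

Run it as `sh ca-preflight.sh proxy-ca.crt /etc/ssl/certs/ca-certificates.crt` inside the container or on the host after `update-ca-certificates`; when the check passes, its last three lines can be prefixed to `localstack start --host` exactly as in the commands above.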