From 6ae22c9cbfd1239154106761a4115428114e0f84 Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Tue, 13 Dec 2022 13:10:55 +0000 Subject: [PATCH 01/12] Add documentation for custom SSL certificates --- .../en/references/custom-ssl-certificates.md | 98 +++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 content/en/references/custom-ssl-certificates.md diff --git a/content/en/references/custom-ssl-certificates.md b/content/en/references/custom-ssl-certificates.md new file mode 100644 index 0000000000..dca48df44c --- /dev/null +++ b/content/en/references/custom-ssl-certificates.md 
@@ -0,0 +1,98 @@ +--- +title: Custom SSL certificates +weight: 99 +description: > + How to use custom SSL certificates with LocalStack +--- + +# Background + +LocalStack sometimes performs on-demand fetching of resources from the public internet. +This requires that LocalStack is able to access public URLs. +If there is a proxy server in your network that uses a non-standard SSL certificate, LocalStack will not be able to download any files on demand. +You may see errors in the logs relating to SSL such as "unable to get local issuer certificate". + +# Solution + +If you run LocalStack in a docker container (which includes using [the CLI]({{< ref "/getting-started#localstack-cli" >}}), [docker]({{< ref "/getting-started/#docker" >}}), [docker-compose]({{< ref "/getting-started/#docker-compose" >}}), [cockpit]({{< ref "/getting-started/#localstack-cockpit" >}}) or [helm]({{< ref "/getting-started/#helm" >}})), to include a custom SSL root certificate a new docker image should be created. +If you run LocalStack in [host mode]({{< ref "/contributing/setup#host-mode" >}}) the setup may be more complex, and will be dependent on your system. + +## Creating a custom docker image + +Create a `Dockerfile` containing the following commands: + +```docker +FROM localstack/localstack:latest +# or if using the pro image: +FROM localstack/localstack-pro:latest + +COPY /usr/local/share/ca-certificates/cert-bundle.crt +RUN update-ca-certificates +ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +``` + +and build the image: + +{{< command >}} +$ docker build -t . +{{< / command >}} + +*Note: if your certificate file ends with `.pem`, you can rename it to `.crt`* + +## Starting LocalStack with the custom image + +LocalStack now needs to be configured to use this custom image. The workflow is different depending on how you start localstack. 
+ +### Via the CLI + +You can use the `IMAGE_NAME` environment variable to specify the name of this new image: + +{{< command >}} +$ IMAGE_NAME= localstack start +{{< / command >}} + +### Via docker + +Use `` in place of your normal LocalStack container image: + +{{< command >}} +$ docker run +{{< / command >}} + +### Via docker-compose + +Update your compose file to use the newly built image: + +```yaml +services: + localstack: + image: + # the rest of your configuration +``` + +## Custom SSL certificates with host mode + +### Linux + +On linux the custom certificate should be added to your `ca-certificates` bundle. For example on Debian based systems (as root): + +{{< command >}} +# cp /usr/local/share/ca-certificates +# update-ca-certificates +{{< / command >}} + +Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: + +{{< command >}} +$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +{{< / command >}} + +### macos + +On macos the custom certificate should be added to your keychain. See [this Apple support article](https://support.apple.com/en-gb/guide/keychain-access/kyca2431/mac) for more information. + +Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: + +{{< command >}} +$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +{{< / command >}} From b4bedd9d85f917fad6ab1d6be72f60eae7a2e1b8 Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Tue, 13 Dec 2022 16:16:10 +0000 Subject: [PATCH 02/12] typo: localstck --- .../custom-local-endpoint/custom-local-endpoint.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/web-application/custom-local-endpoint/custom-local-endpoint.md b/content/en/user-guide/web-application/custom-local-endpoint/custom-local-endpoint.md index 3135408fb0..24bb255b12 100644 --- a/content/en/user-guide/web-application/custom-local-endpoint/custom-local-endpoint.md 
+++ b/content/en/user-guide/web-application/custom-local-endpoint/custom-local-endpoint.md 
@@ -12,7 +12,7 @@ You can configure the local endpoint URL under which LocalStack is accessible fr ## Connecting to a LocalStack instance on a different machine -To ensure that the Web user interface can connect with your running LocalStck instance, you would need to configure the endpoint URL so that the server's SSL certificate matches the hostname/IP address of the endpoint URL. This situation arises when users configure the endpoint URL to be something like `https://myhost:4566` or use an IP address like `https://1.2.3.4:4566`. Websites with an `https://...` URL can only request other endpoints using HTTPS (i.e., not on `http://`). Additionally, while requesting an HTTPS page, the SSL certificate must match the hostname (i.e., `localhost.localstack.cloud` in our case). +To ensure that the Web user interface can connect with your running LocalStack instance, you would need to configure the endpoint URL so that the server's SSL certificate matches the hostname/IP address of the endpoint URL. This situation arises when users configure the endpoint URL to be something like `https://myhost:4566` or use an IP address like `https://1.2.3.4:4566`. Websites with an `https://...` URL can only request other endpoints using HTTPS (i.e., not on `http://`). Additionally, while requesting an HTTPS page, the SSL certificate must match the hostname (i.e., `localhost.localstack.cloud` in our case). To navigate this, we recommend you create a local TCP proxy server. The proxy server could listen on `127.0.0.1:4566` and forward all requests to your target endpoint where the LocalStack instance is running. You could leave the configuration in the Web user interface to use the default value, `https://localhost.localstack.cloud:4566`. We recommend [simpleproxy](https://manpages.ubuntu.com/manpages/trusty/man1/simpleproxy.1.html) or [proxy.py](https://github.com/abhinavsingh/proxy.py) as a way to implement this. From e692312901ee5719b8070c72cf8bab324946ef28 Mon Sep 17 00:00:00 2001 
From: Simon Walker Date: Tue, 13 Dec 2022 16:28:01 +0000 Subject: [PATCH 03/12] Ignore localhost.localstack.cloud link in updated doc Signed-off-by: Simon Walker --- .github/workflows/markdown.links.config.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/markdown.links.config.json b/.github/workflows/markdown.links.config.json index 655efc73d2..96136098d8 100644 --- a/.github/workflows/markdown.links.config.json +++ b/.github/workflows/markdown.links.config.json @@ -26,6 +26,9 @@ }, { "pattern": "http://localstack:4566" + }, + { + "pattern": "(.*)localhost.localstack.cloud(.*)" } ], "httpHeaders": [ From b5bfc7945e55859956a94c1ab2e1803dad6c6221 Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 11:13:29 +0000 Subject: [PATCH 04/12] Document init hooks --- .../en/references/custom-ssl-certificates.md | 51 +++++++++++++++---- 1 file changed, 40 insertions(+), 11 deletions(-) diff --git a/content/en/references/custom-ssl-certificates.md b/content/en/references/custom-ssl-certificates.md index dca48df44c..d3d340e7ec 100644 --- a/content/en/references/custom-ssl-certificates.md +++ b/content/en/references/custom-ssl-certificates.md 
@@ -14,11 +14,22 @@ You may see errors in the logs relating to SSL such as "unable to get local issu # Solution -If you run LocalStack in a docker container (which includes using [the CLI]({{< ref "/getting-started#localstack-cli" >}}), [docker]({{< ref "/getting-started/#docker" >}}), [docker-compose]({{< ref "/getting-started/#docker-compose" >}}), [cockpit]({{< ref "/getting-started/#localstack-cockpit" >}}) or [helm]({{< ref "/getting-started/#helm" >}})), to include a custom SSL root certificate a new docker image should be created. -If you run LocalStack in [host mode]({{< ref "/contributing/setup#host-mode" >}}) the setup may be more complex, and will be dependent on your system. +There are three options when running LocalStack: + +1. [creating a custom Docker image]({{< ref "#creating-a-custom-docker-image" >}}), +2. [using init hooks]({{< ref "#custom-ssl-certificates-with-init-hooks" >}}) or +3. [when running in host mode]({{< ref "#custom-ssl-certificates-with-host-mode" >}}). + +They all can be summarised as: + +1. get your proxy's custom certificate into the system certificate store, and +2. configure [`requests`](https://pypi.python.org/pypi/requests) to use the custom certificate. ## Creating a custom docker image +If you run LocalStack in a docker container (which includes using [the CLI]({{< ref "/getting-started#localstack-cli" >}}), [docker]({{< ref "/getting-started/#docker" >}}), [docker-compose]({{< ref "/getting-started/#docker-compose" >}}), [cockpit]({{< ref "/getting-started/#localstack-cockpit" >}}) or [helm]({{< ref "/getting-started/#helm" >}})), to include a custom SSL root certificate a new docker image should be created. +If you run LocalStack in [host mode]({{< ref "/contributing/setup#host-mode" >}}) the setup may be more complex, and will be dependent on your system. + Create a `Dockerfile` containing the following commands: ```docker 
@@ -28,7 +39,7 @@ FROM localstack/localstack-pro:latest COPY /usr/local/share/ca-certificates/cert-bundle.crt RUN update-ca-certificates -ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ``` and build the image: @@ -39,11 +50,11 @@ $ docker build -t . *Note: if your certificate file ends with `.pem`, you can rename it to `.crt`* -## Starting LocalStack with the custom image +### Starting LocalStack with the custom image LocalStack now needs to be configured to use this custom image. The workflow is different depending on how you start localstack. -### Via the CLI +#### Via the CLI You can use the `IMAGE_NAME` environment variable to specify the name of this new image: @@ -51,7 +62,7 @@ You can use the `IMAGE_NAME` environment variable to specify the name of this ne $ IMAGE_NAME= localstack start {{< / command >}} -### Via docker +#### Via docker Use `` in place of your normal LocalStack container image: @@ -59,7 +70,7 @@ Use `` in place of your normal LocalStack container image: $ docker run {{< / command >}} -### Via docker-compose +#### Via docker-compose Update your compose file to use the newly built image: @@ -70,6 +81,24 @@ services: # the rest of your configuration ``` +## Custom SSL certificates with init hooks + +It is recommended to create a `boot` init hook. Create a directory on your local system that includes + +* the certificate you wish to copy, and +* the following shell script: + +```bash +#!/bin/bash + +set -euo pipefail + +cp /etc/localstack/init/boot.d/.crt /usr/local/share/ca-certificates +update-ca-certificates +``` + +Then run LocalStack with the environment variable `CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and follow the instructions fn the [init hooks documentation]({{< ref "init-hooks" >}}) for configuring LocalStack to use the hook directory as a `boot` hook. + ## Custom SSL certificates with host mode ### Linux 
@@ -81,18 +110,18 @@ On linux the custom certificate should be added to your `ca-certificates` bundle # update-ca-certificates {{< / command >}} -Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: +Then run LocalStack with the environment variable `CURL_CA_BUNDLE`: {{< command >}} -$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +$ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host {{< / command >}} ### macos On macos the custom certificate should be added to your keychain. See [this Apple support article](https://support.apple.com/en-gb/guide/keychain-access/kyca2431/mac) for more information. -Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: +Then run LocalStack with the environment variable `CURL_CA_BUNDLE`: {{< command >}} -$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +$ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host {{< / command >}} From a0f52491244fe409e6b80bf4b64bf8f04f46b97d Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 11:56:20 +0000 Subject: [PATCH 05/12] swap CURL_CA_BUNDLE -> REQUESTS_CA_BUNDLE We perform checks if the user has set this, and enforce SSL verification so we should probably ask them to use that. --- content/en/references/custom-ssl-certificates.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/en/references/custom-ssl-certificates.md b/content/en/references/custom-ssl-certificates.md index d3d340e7ec..c7d9f52b5d 100644 --- a/content/en/references/custom-ssl-certificates.md +++ b/content/en/references/custom-ssl-certificates.md @@ -39,7 +39,7 @@ FROM localstack/localstack-pro:latest COPY /usr/local/share/ca-certificates/cert-bundle.crt RUN update-ca-certificates -ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ``` and build the image: 
@@ -97,7 +97,7 @@ cp /etc/localstack/init/boot.d/.crt /usr/local/share/ca-c update-ca-certificates ``` -Then run LocalStack with the environment variable `CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and follow the instructions fn the [init hooks documentation]({{< ref "init-hooks" >}}) for configuring LocalStack to use the hook directory as a `boot` hook. +Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and follow the instructions fn the [init hooks documentation]({{< ref "init-hooks" >}}) for configuring LocalStack to use the hook directory as a `boot` hook. ## Custom SSL certificates with host mode @@ -110,18 +110,18 @@ On linux the custom certificate should be added to your `ca-certificates` bundle # update-ca-certificates {{< / command >}} -Then run LocalStack with the environment variable `CURL_CA_BUNDLE`: +Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: {{< command >}} -$ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host {{< / command >}} ### macos On macos the custom certificate should be added to your keychain. See [this Apple support article](https://support.apple.com/en-gb/guide/keychain-access/kyca2431/mac) for more information. -Then run LocalStack with the environment variable `CURL_CA_BUNDLE`: +Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: {{< command >}} -$ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host {{< / command >}} From 52387b55e035b9cb21017b300833531e215a871d Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 12:27:09 +0000 Subject: [PATCH 06/12] Document windows host mode with WSL2 --- content/en/references/custom-ssl-certificates.md | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/content/en/references/custom-ssl-certificates.md b/content/en/references/custom-ssl-certificates.md index c7d9f52b5d..3dd9d7aef9 100644 --- a/content/en/references/custom-ssl-certificates.md +++ b/content/en/references/custom-ssl-certificates.md @@ -125,3 +125,7 @@ Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: {{< command >}} $ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host {{< / command >}} + +### Windows + +Currently host mode does not work with Windows. If you are using WSL2 you should follow the [Linux]({{< ref "#linux" >}}) steps above. From c54005400c13579a665bd1ae026f7d9d28023513 Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 13:38:15 +0000 Subject: [PATCH 07/12] Document CURL_CA_BUNDLE as well --- .../en/references/custom-ssl-certificates.md | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/content/en/references/custom-ssl-certificates.md b/content/en/references/custom-ssl-certificates.md index 3dd9d7aef9..dcb6f07d72 100644 --- a/content/en/references/custom-ssl-certificates.md +++ b/content/en/references/custom-ssl-certificates.md @@ -1,6 +1,8 @@ --- title: Custom SSL certificates weight: 99 +tags: +- ssl description: > How to use custom SSL certificates with LocalStack --- 
@@ -28,7 +30,6 @@ They all can be summarised as: ## Creating a custom docker image If you run LocalStack in a docker container (which includes using [the CLI]({{< ref "/getting-started#localstack-cli" >}}), [docker]({{< ref "/getting-started/#docker" >}}), [docker-compose]({{< ref "/getting-started/#docker-compose" >}}), [cockpit]({{< ref "/getting-started/#localstack-cockpit" >}}) or [helm]({{< ref "/getting-started/#helm" >}})), to include a custom SSL root certificate a new docker image should be created. -If you run LocalStack in [host mode]({{< ref "/contributing/setup#host-mode" >}}) the setup may be more complex, and will be dependent on your system. Create a `Dockerfile` containing the following commands: @@ -39,6 +40,7 @@ FROM localstack/localstack-pro:latest COPY /usr/local/share/ca-certificates/cert-bundle.crt RUN update-ca-certificates +ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ``` @@ -48,7 +50,10 @@ and build the image: $ docker build -t . {{< / command >}} -*Note: if your certificate file ends with `.pem`, you can rename it to `.crt`* +{{< alert title="Information" color="primary">}} +**Note**: Certificate files **must** end in `.crt` to be included in the system certificate store. +If your certificate file ends with `.pem`, you can rename it to end in `.crt`. +{{< / alert>}} ### Starting LocalStack with the custom image 
@@ -97,7 +102,12 @@ cp /etc/localstack/init/boot.d/.crt /usr/local/share/ca-c update-ca-certificates ``` -Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and follow the instructions fn the [init hooks documentation]({{< ref "init-hooks" >}}) for configuring LocalStack to use the hook directory as a `boot` hook. +Then run LocalStack with the environment variables + +* `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and +* `CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`, and + +and follow the instructions fn the [init hooks documentation]({{< ref "init-hooks" >}}) for configuring LocalStack to use the hook directory as a `boot` hook. ## Custom SSL certificates with host mode @@ -110,20 +120,20 @@ On linux the custom certificate should be added to your `ca-certificates` bundle # update-ca-certificates {{< / command >}} -Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: +Then run LocalStack with the environment variables `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE`: {{< command >}} -$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +$ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host {{< / command >}} ### macos On macos the custom certificate should be added to your keychain. See [this Apple support article](https://support.apple.com/en-gb/guide/keychain-access/kyca2431/mac) for more information. -Then run LocalStack with the environment variable `REQUESTS_CA_BUNDLE`: +Then run LocalStack with the environment variables `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE`: {{< command >}} -$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host +$ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt localstack start --host {{< / command >}} ### Windows 
From b9599e40c33a28a00ac3dee13def190e5c441a24 Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 13:47:56 +0000 Subject: [PATCH 08/12] include tab pane for running localstack --- .../en/references/custom-ssl-certificates.md | 32 ++++++------------- content/en/references/init-hooks.md | 2 +- 2 files changed, 11 insertions(+), 23 deletions(-) diff --git a/content/en/references/custom-ssl-certificates.md b/content/en/references/custom-ssl-certificates.md index dcb6f07d72..99e612d309 100644 --- a/content/en/references/custom-ssl-certificates.md +++ b/content/en/references/custom-ssl-certificates.md @@ -59,32 +59,20 @@ If your certificate file ends with `.pem`, you can rename it to end in `.crt`. LocalStack now needs to be configured to use this custom image. The workflow is different depending on how you start localstack. -#### Via the CLI - -You can use the `IMAGE_NAME` environment variable to specify the name of this new image: - -{{< command >}} -$ IMAGE_NAME= localstack start -{{< / command >}} - -#### Via docker - -Use `` in place of your normal LocalStack container image: - -{{< command >}} -$ docker run -{{< / command >}} - -#### Via docker-compose - -Update your compose file to use the newly built image: - -```yaml +{{< tabpane >}} +{{< tab header="CLI" lang="bash" >}} +IMAGE_NAME= localstack start +{{< /tab >}} +{{< tab header="Docker" lang="bash" >}} +docker run +{{< /tab >}} +{{< tab header="docker-compose.yml" lang="yml" >}} services: localstack: image: # the rest of your configuration -``` +{{< /tab >}} +{{< / tabpane >}} ## Custom SSL certificates with init hooks diff --git a/content/en/references/init-hooks.md b/content/en/references/init-hooks.md index 779a990265..174bcffe9e 100644 --- a/content/en/references/init-hooks.md +++ b/content/en/references/init-hooks.md 
@@ -139,7 +139,7 @@ services: volumes: - "/path/to/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh" # ready hook - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack" - - "/var/run/docker.sock:/var/run/docker.sock" + - "/vr/run/docker.sock:/var/run/docker.sock" {{< /tab >}} {{< tab header="CLI" lang="bash" >}} # DOCKER_FLAGS are additional parameters to the `docker run` command of localstack start From c9759fd2958e7c291acd331faa3a9ede15c0d900 Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 14:44:51 +0000 Subject: [PATCH 09/12] Link from init hook examples to custom SSL certificates --- content/en/references/init-hooks.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/references/init-hooks.md b/content/en/references/init-hooks.md index 174bcffe9e..39b2ab14be 100644 --- a/content/en/references/init-hooks.md +++ b/content/en/references/init-hooks.md @@ -146,3 +146,5 @@ services: DOCKER_FLAGS='-v /path/to/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh' localstack start {{< /tab >}} {{< /tabpane >}} + +Another use for init hooks can be seen when [adding custom SSL certificates to LocalStack]({{< ref "custom-ssl-certificates#custom-ssl-certificates-with-init-hooks" >}}). From 3510a687ad6e958ac1c11257396a8c34c7a11ebd Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 16:42:26 +0000 Subject: [PATCH 10/12] Rename SSL -> TLS --- ...-certificates.md => custom-tls-certificates.md} | 14 +++++++------- content/en/references/init-hooks.md | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) rename content/en/references/{custom-ssl-certificates.md => custom-tls-certificates.md} (92%) diff --git a/content/en/references/custom-ssl-certificates.md b/content/en/references/custom-tls-certificates.md similarity index 92% rename from content/en/references/custom-ssl-certificates.md rename to content/en/references/custom-tls-certificates.md index 99e612d309..4646436014 100644 
--- a/content/en/references/custom-ssl-certificates.md +++ b/content/en/references/custom-tls-certificates.md @@ -1,18 +1,18 @@ --- -title: Custom SSL certificates +title: Custom TLS certificates weight: 99 tags: - ssl description: > - How to use custom SSL certificates with LocalStack + How to use custom TLS certificates with LocalStack --- # Background LocalStack sometimes performs on-demand fetching of resources from the public internet. This requires that LocalStack is able to access public URLs. -If there is a proxy server in your network that uses a non-standard SSL certificate, LocalStack will not be able to download any files on demand. -You may see errors in the logs relating to SSL such as "unable to get local issuer certificate". +If there is a proxy server in your network that uses a non-standard TLS certificate, LocalStack will not be able to download any files on demand. +You may see errors in the logs relating to TLS such as "unable to get local issuer certificate". # Solution 
@@ -29,7 +29,7 @@ They all can be summarised as: ## Creating a custom docker image -If you run LocalStack in a docker container (which includes using [the CLI]({{< ref "/getting-started#localstack-cli" >}}), [docker]({{< ref "/getting-started/#docker" >}}), [docker-compose]({{< ref "/getting-started/#docker-compose" >}}), [cockpit]({{< ref "/getting-started/#localstack-cockpit" >}}) or [helm]({{< ref "/getting-started/#helm" >}})), to include a custom SSL root certificate a new docker image should be created. +If you run LocalStack in a docker container (which includes using [the CLI]({{< ref "/getting-started#localstack-cli" >}}), [docker]({{< ref "/getting-started/#docker" >}}), [docker-compose]({{< ref "/getting-started/#docker-compose" >}}), [cockpit]({{< ref "/getting-started/#localstack-cockpit" >}}) or [helm]({{< ref "/getting-started/#helm" >}})), to include a custom TLS root certificate a new docker image should be created. Create a `Dockerfile` containing the following commands: @@ -74,7 +74,7 @@ services: {{< /tab >}} {{< / tabpane >}} -## Custom SSL certificates with init hooks +## Custom TLS certificates with init hooks It is recommended to create a `boot` init hook. Create a directory on your local system that includes @@ -97,7 +97,7 @@ Then run LocalStack with the environment variables and follow the instructions fn the [init hooks documentation]({{< ref "init-hooks" >}}) for configuring LocalStack to use the hook directory as a `boot` hook. -## Custom SSL certificates with host mode +## Custom TLS certificates with host mode ### Linux diff --git a/content/en/references/init-hooks.md b/content/en/references/init-hooks.md index 39b2ab14be..7656fd1094 100644 --- a/content/en/references/init-hooks.md +++ b/content/en/references/init-hooks.md 
@@ -147,4 +147,4 @@ DOCKER_FLAGS='-v /path/to/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh' {{< /tab >}} {{< /tabpane >}} -Another use for init hooks can be seen when [adding custom SSL certificates to LocalStack]({{< ref "custom-ssl-certificates#custom-ssl-certificates-with-init-hooks" >}}). +Another use for init hooks can be seen when [adding custom TLS certificates to LocalStack]({{< ref "custom-tls-certificates#custom-tls-certificates-with-init-hooks" >}}). From 7e30daa3373f4989bae94ea5a649bb537bed4bb7 Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 16:42:47 +0000 Subject: [PATCH 11/12] Correct typo --- content/en/references/init-hooks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/references/init-hooks.md b/content/en/references/init-hooks.md index 7656fd1094..58df241c4b 100644 --- a/content/en/references/init-hooks.md +++ b/content/en/references/init-hooks.md @@ -139,7 +139,7 @@ services: volumes: - "/path/to/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh" # ready hook - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack" - - "/vr/run/docker.sock:/var/run/docker.sock" + - "/var/run/docker.sock:/var/run/docker.sock" {{< /tab >}} {{< tab header="CLI" lang="bash" >}} # DOCKER_FLAGS are additional parameters to the `docker run` command of localstack start From d0d446ae7ed4df8339a3a8afb61a9c030965142a Mon Sep 17 00:00:00 2001 From: Simon Walker Date: Wed, 14 Dec 2022 16:57:10 +0000 Subject: [PATCH 12/12] update tldr with curl updates --- content/en/references/custom-tls-certificates.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/references/custom-tls-certificates.md b/content/en/references/custom-tls-certificates.md index 4646436014..aae2f91de6 100644 --- a/content/en/references/custom-tls-certificates.md +++ b/content/en/references/custom-tls-certificates.md 
@@ -25,7 +25,8 @@ There are three options when running LocalStack: They all can be summarised as: 1. get your proxy's custom certificate into the system certificate store, and -2. configure [`requests`](https://pypi.python.org/pypi/requests) to use the custom certificate. +2. configure [`requests`](https://pypi.python.org/pypi/requests) to use the custom certificate, and +3. configure [`curl`](https://curl.se/) to use the custom certificate. ## Creating a custom docker image
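
Review bot: the Dockerfile block added in [PATCH 01/12] (content/en/references/custom-ssl-certificates.md) has two `FROM` lines separated only by a comment, so a reader who copies it verbatim gets a two-stage build whose final image is always based on `localstack/localstack-pro:latest`. Comment out the second `FROM`, or show the community and pro variants as separate blocks. In the same hunk, as shown, `COPY /usr/local/share/ca-certificates/cert-bundle.crt` has a destination but no source, and `docker build -t .`, `IMAGE_NAME= localstack start`, `docker run` and `image:` carry no image name. If placeholders were intended there, check that they survive rendering.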
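
Review bot: the ignore pattern added in [PATCH 03/12] (.github/workflows/markdown.links.config.json), `(.*)localhost.localstack.cloud(.*)`, leaves its dots unescaped. If these patterns are regular expressions, as the `(.*)` groups suggest, each dot matches any character and the entry exempts more URLs from link checking than the commit subject describes. Escape the dots, and drop the surrounding `(.*)` groups if the checker matches substrings, so that only the intended host is skipped.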
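
Review bot: the init hook script added in [PATCH 04/12] (hunk `@@ -70,6 +81,24 @@`) copies `/etc/localstack/init/boot.d/.crt`, which as shown has no file name before the extension, so the `cp` line does not match the certificate the preceding bullet tells the reader to place in the directory. Use a visible placeholder for the certificate name and say that it must be the same file that was put in the hook directory. The same patch adds a summary saying to configure `requests` while replacing every `REQUESTS_CA_BUNDLE` with `CURL_CA_BUNDLE`, so text and commands disagree until [PATCH 05/12] swaps the variable back. Squashing 04, 05 and 07 would keep each commit consistent.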
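
Review bot: the bullet list added in [PATCH 07/12] (hunk `@@ -97,7 +102,12 @@`) ends its last item with `, and` and the following paragraph starts with `and follow the instructions`, so the sentence reads "and and". Drop the trailing `, and` from the `CURL_CA_BUNDLE` bullet. The continuation line also still carries the typo `fn the [init hooks documentation]` introduced in [PATCH 04/12]; it should read `in the`.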
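
Review bot: the macOS command in [PATCH 07/12] (hunk `@@ -110,20 +120,20 @@`) points both `CURL_CA_BUNDLE` and `REQUESTS_CA_BUNDLE` at `/etc/ssl/certs/ca-certificates.crt`, but the macOS steps only add the certificate to the keychain and nothing in them creates or updates that file. On Linux the file is produced by `update-ca-certificates`. There is no equivalent step here, so the variables may name a bundle that does not contain the proxy certificate, or a path that does not exist. Document how to export a PEM bundle that includes the custom certificate on macOS and use that path in the command.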
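
Review bot: the init-hooks.md hunk in [PATCH 08/12] changes the volume source from `/var/run/docker.sock` to `/vr/run/docker.sock`, which is unrelated to the commit subject ("include tab pane for running localstack") and breaks the documented Docker socket mount until [PATCH 11/12] reverts it. Drop this hunk from 08 and drop 11, or squash the two, so no commit in the series ships the broken path.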
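
Review bot: the heading renames in [PATCH 10/12] ("Custom TLS certificates with init hooks", "Custom TLS certificates with host mode") are not matched by any change to the in-page refs added in [PATCH 04/12], `#custom-ssl-certificates-with-init-hooks` and `#custom-ssl-certificates-with-host-mode`, which sit between the two hunks and are left untouched. If anchors are derived from the heading text, those two links in the Solution list no longer resolve. Update them to the `custom-tls-...` anchors in this patch, as was done for the cross-page ref in init-hooks.md. The front matter also keeps `tags: - ssl`, so decide whether the tag should follow the rename.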