Use also self-signed certificate

[RomanaBW]

I am new to panopticon and I love it!
I have installed and set up panopticon successfully on my local server with predefined docker image. To get my certificate added to the os ca-store, I use an own Dockerfile, which works well.
For my Joomla installations at the web panopticon also works well (I have an issue with Akeeba Backup, but this probably will give another thread).
But for my local installations I can't connect:

` GuzzleHttp\Exception\RequestException

cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://www.dev4.nil/api/index.php/v1/extensions

/var/www/html/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:211

#0 /var/www/html/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(158): GuzzleHttp\Handler\CurlFactory::createRejection()
#1 /var/www/html/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(110): GuzzleHttp\Handler\CurlFactory::finishError()`

I can curl my local sites from the command line of the php container, I can check my certificate for the sites with openssl, but panopticon throws this error, also if I add "curl.cainfo" to the php.ini, which I also copy in the Dockerfile.

What do I do wrong?

Kindly
Romana

[nikosdion]

Panopticon uses its own CA root file (cacert.pem) through the composer/ca-bundle dependency. This is deliberate; there are many live servers out there with an out-of-date, or misconfigured (at least in PHP) CA root. Providing our own file is the only way around this problem, and something that both Joomla! and WordPress already do.

You can always override that file in the the user_code directory. Just place your custom CA root file into user_code/cacert.pem. This file must have with all the root CAs you want to trust, i.e. both public and self-signed ones.

The way I have been managing this is that I have created my own root and intermediate CA which signs my self-signed certificates. The user_code/cacert.pem file is the one downloaded from cURL with my root CA concatenated to it at the bottom. This way, I can access my local test sites in Panopticon without a problem.

Another way to solve this problem – the way I am handling local sites the past few months – is set up a real domain with an A record of 127.0.0.1, a AAAA record of ::1, and a catch-all CNAME (*.example.com) pointing back to the base domain. You can then issue valid, signed TLS certificates e.g. using Let's Encrypt with the domain validation method. It's more convoluted to use with Docker as you need to have a TLS terminator and proxy running on localhost (NginX can do both) to proxy container ports to various subdomains of your custom domain, and each container needs to be configured to expect to be contacted through its assigned subdomain.

Whichever way you use, it works. I have tried both :)

[RomanaBW]

Thank You for Your quick and very helpful answer! I have learned a lot.

I also have my own root and intermediate CA to sign my certs for the local domains. I prefer the first method, seems not as complicated as the second one. Playing with DNS is not my strength :(

This also clarifies, why there is a cert file at Joomla, which is updated here and then.