Relic Solution: Using custom SSL certificates for CPM communication with Horde

When using the Containerized Private Minion, you may find yourself deploying it in a network context where a private certificate authority is in use. The presence of this certificate in the certificate chain for requests to our API endpoint Horde (synthetics-horde.nr-data.net / synthetics-horde.eu01.nr-data.net) will break the chain of trust and cause the request to fail.

Since the minion is a Java application, this private CA will need to be added to the JVM trust store. This can be done by wrapping the minion docker image in a new docker image that performs this import.

  1. In a new directory, create a file called Dockerfile
  2. In the same directory create a sub directory, lets say /certs that contains the cert you want to install
  3. Edit Dockerfile with the following contents:
FROM quay.io/newrelic/synthetics-minion:latest
COPY certs /etc/certs
RUN keytool -noprompt -import -alias proxy -file /etc/certs/charles-ssl-proxying-certificate.pem -keystore /opt/jdk/jre/lib/security/cacerts -storepass changeit
  1. Build the docker image from the directory that Dockerfile is in. Lets name it minion-with-cert
$ docker build --tag minion-with-cert .

Now launch the minion as you would but with the new wrapper image (minion-with-cert). This should install the cert to the JVM trust store before the Minion Application launches:

sudo docker run -e MINION_PRIVATE_LOCATION_KEY=your-private-location-key -e "MINION_LOG_LEVEL=DEBUG" -v /tmp:/tmp:rw -v /var/run/docker.sock:/var/run/docker.sock:rw minion-with-cert
1 Like