I'm working with multiple containers that need to communicate securely with each other, and I've been using mkcert for local SSL needs. However, I've run into an issue: the container OS doesn't recognize the mkcert CA, so HTTPS calls from one container to another fail. While I could script the CA cert installation in each container's OS, this would require custom Dockerfiles for every service needing SSL, which feels risky when it comes to production. How do you all handle SSL between containers in local development?
3 Answers
I've chosen not to use SSL for local container communication. Instead, I terminate SSL at a reverse proxy and keep internal traffic plaintext. It simplifies things!
It really depends on your use case. Sometimes it's easier to use HTTPS internally, especially if you're working with OpenID Connect. You could set up an internal CA to issue certs for when SSL is necessary without complicating things too much. Just be sure to secure your runtime environment to avoid external modifications, and using an internal cert shouldn't be a major security concern.
As mentioned by another user, many don’t find the need to encrypt internal traffic. But if you follow zero-trust principles or just want to experiment, you could use Let's Encrypt to get a wildcard certificate for internal subdomains. Just remember, AWS recently made their certificates usable outside of AWS, but it does come at a cost.
That makes sense, but I do have a third-party service that uses gRPC, and it doesn't support insecure connections.