Best Practices for Handling SSL in Multi-Container Local Development

Asked By TechieTurtle42 On

I'm trying to figure out how to handle SSL when my containers need to communicate with each other. While mkcert works well for local development, I've run into an issue where the container OS doesn't recognize the mkcert CA. This results in failed HTTPS calls between containers. I could script the CA certificate installation into the containers, but that would require custom Dockerfiles for every container that needs SSL, and I'm concerned about the security risks of allowing arbitrary certificates in production. Any thoughts or recommendations on how to best manage SSL in this multi-container setup?

3 Answers

Answered By DevNinja77 On

It really depends on your use case! Sometimes it makes more sense to use HTTPS internally, especially when working with protocols like OpenID Connect. If you want to keep your internal connections simple, consider setting up your own internal CA to issue certificates where needed. Just make sure to deploy the public cert to the CA trust store to keep it secure against external modifications.

Answered By DockerDude442 On

As someone else mentioned, many people don't encrypt internal traffic. However, if you're looking to implement zero-trust principles or just for fun, you can obtain a free wildcard cert from Let's Encrypt for internal-only subdomains. By the way, AWS has recently made their certificates available for use outside of their services, but be aware it’s not free.

Answered By CodeCrafter88 On

I generally skip using SSL for local communication altogether. Instead, I set up a reverse proxy that handles SSL termination, and within my containers, I just use plain HTTP. Works just fine for me!

WittyWizard9 -

I get that! Most of my apps don't need the extra layer, but I have to connect to a third-party service using gRPC, and it won’t allow insecure connections.
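One way to address the mkcert CA problem from the question without custom Dockerfiles, as an added example that is not part of the original thread: a development-only Compose override that bind-mounts the CA certificate read-only and points common TLS clients at it. The service names `api` and `worker`, the `./dev-certs` directory, the in-container paths and the Debian/Ubuntu host bundle path are assumptions.

```yaml
# compose.override.yaml: added example, development only.
# `docker compose up` loads it automatically next to compose.yaml; a production
# deploy that passes `-f compose.yaml` alone never sees the dev CA.
#
# One-time setup on the host (paths are assumptions; Debian/Ubuntu bundle path):
#   mkdir -p dev-certs
#   cp "$(mkcert -CAROOT)/rootCA.pem" dev-certs/rootCA.pem
#   cat /etc/ssl/certs/ca-certificates.crt dev-certs/rootCA.pem > dev-certs/bundle.pem
#   mkcert -cert-file dev-certs/api.pem -key-file dev-certs/api-key.pem api
# Only rootCA.pem (public) is copied; rootCA-key.pem stays in the mkcert CAROOT.

x-dev-ca-env: &dev-ca-env
  # Additive: Node.js keeps its built-in roots and also trusts this file.
  NODE_EXTRA_CA_CERTS: /run/dev-ca/rootCA.pem
  # Replacing: these clients trust only the named file, hence the combined
  # bundle (public roots + dev CA) so calls to public endpoints still verify.
  SSL_CERT_FILE: /run/dev-ca/bundle.pem                     # OpenSSL, Go
  REQUESTS_CA_BUNDLE: /run/dev-ca/bundle.pem                # Python requests
  GRPC_DEFAULT_SSL_ROOTS_FILE_PATH: /run/dev-ca/bundle.pem  # gRPC C-core

services:
  api:      # hypothetical service reached by other containers as https://api
    volumes:
      - ./dev-certs/rootCA.pem:/run/dev-ca/rootCA.pem:ro
      - ./dev-certs/bundle.pem:/run/dev-ca/bundle.pem:ro
      # Leaf certificate and key issued for the Compose DNS name "api".
      - ./dev-certs/api.pem:/run/tls/tls.crt:ro
      - ./dev-certs/api-key.pem:/run/tls/tls.key:ro
    environment:
      <<: *dev-ca-env

  worker:   # hypothetical service that calls https://api
    volumes:
      - ./dev-certs/rootCA.pem:/run/dev-ca/rootCA.pem:ro
      - ./dev-certs/bundle.pem:/run/dev-ca/bundle.pem:ro
    environment:
      <<: *dev-ca-env
```

Because the trust lives in the override file and not in the images, the same images ship to production with their stock trust store.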
