[GH-ISSUE #1253] Self signed CA #844

Closed
opened 2026-02-25 23:43:47 +03:00 by kerem · 2 comments

Originally created by @D3an1el on GitHub (Jan 7, 2026).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/1253

Hi

I receive the following error when using Gotify with a self-signed certificate:

Image

I have tried the following workaround: issue 1033 (https://github.com/healthchecks/healthchecks/issues/1033#issuecomment-2256107411). I have also added:

`REQUESTS_CA_BUNDLE=/certificates/ca-chain-bundle.cert.pem` to env

```
    volumes:
      - ./certificates:/certificates
```
kerem closed this issue 2026-02-25 23:43:47 +03:00

@cuu508 commented on GitHub (Jan 8, 2026):

Healthchecks uses libcurl for making HTTP(S) requests. It does not use the requests library, therefore setting REQUESTS_CA_BUNDLE would have no effect.

curl and libcurl validate certificates and refuse to continue if a certificate cannot be validated. It is possible to turn off validation, but doing so is strongly discouraged in curl docs (https://curl.se/docs/sslcerts.html).

To make curl accept a self-hosted certificate, one solution would be to add it to the system's CA store. The Healthchecks docker image is based on Debian, and on Debian systems, IIUC, the procedure is to:

  • drop the self-signed certificate in /usr/local/share/ca-certificates
  • run update-ca-certificates

I have not thoroughly researched this, perhaps there's a simpler way.

Workaround 1

As an experiment I generated a self-hosted certificate and built a Docker image which starts with the official image, but adds the above two steps. The Dockerfile I used was:

```
FROM healthchecks/healthchecks:v3.13

COPY cert.pem /usr/local/share/ca-certificates/experiment-selfsigned.crt
USER root
RUN update-ca-certificates
USER hc
```

Using this image, Healthchecks was able to make webhook requests to a webserver using the self-hosted certificate.

Workaround 2

Another approach is, instead of building a custom image, to mount the certificate inside a container running the standard image. In docker-compose.yml:

```
    volumes:
        - /tmp/cert.pem:/usr/local/share/ca-certificates/experiment-selfsigned.crt:ro
```

And then run update-ca-certificates:

```
docker compose exec -u root web update-ca-certificates
```

After some fumbling, this worked for me too.
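
The reporter started from a single bundle file (`ca-chain-bundle.cert.pem`), while `update-ca-certificates` only picks up files ending in `.crt` under `/usr/local/share/ca-certificates`. As an added example (not part of the original comments), this POSIX shell helper splits a PEM bundle into one `.crt` file per certificate, the layout used in the volumes of the follow-up comment; the function name `split_ca_bundle` and the output file naming are assumptions.

```sh
#!/bin/sh
# Added example: split a PEM bundle into one .crt file per certificate so the
# pieces can be mounted under /usr/local/share/ca-certificates.
# split_ca_bundle and the <stem>-NN.crt naming are hypothetical.
# Usage: split_ca_bundle BUNDLE.pem OUTDIR   (prints the number of files written)
split_ca_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    stem=$(basename "$bundle")
    stem=${stem%%.*}          # ca-chain-bundle.cert.pem -> ca-chain-bundle
    awk -v dir="$outdir" -v stem="$stem" '
        { sub(/\r$/, "") }    # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) exit  # previous block never ended; END reports it
            n++
            out = sprintf("%s/%s-%02d.crt", dir, stem, n)
            inside = 1
        }
        inside { print > out } # text between blocks (subject= lines) is dropped
        /^-----END CERTIFICATE-----$/ && inside {
            close(out)
            inside = 0
        }
        END {
            if (inside) {
                print "unterminated CERTIFICATE block in bundle" > "/dev/stderr"
                exit 2
            }
            print n + 0
        }
    ' "$bundle"
}

if [ "$#" -eq 2 ]; then
    split_ca_bundle "$1" "$2"
fi
```

Mount the resulting files read-only as in Workaround 2, then run `update-ca-certificates` in the container.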


@D3an1el commented on GitHub (Jan 10, 2026):

Workaround 2 worked:

```
volumes:
  - ./certificates/cacert.crt:/usr/local/share/ca-certificates/cacert.crt:ro
  - ./certificates/intermediate.cacert.crt:/usr/local/share/ca-certificates/intermediate.cacert.crt:ro
```

and

```
docker compose exec -u root web update-ca-certificates
```

Maybe it should be added to the docs?
