[GH-ISSUE #1191] Bug: Adding private root CA not working #780

Open
opened 2026-03-02 11:52:41 +03:00 by kerem · 1 comment
Owner

Originally created by @ihaettypo on GitHub (Apr 3, 2025).
Original GitHub issue: https://github.com/karakeep-app/karakeep/issues/1191

Describe the Bug

For some self-hosted webpages often private CA is used (self-signed certs). Hoarder is not able to crawl due to `Error: net::ERR_CERT_AUTHORITY_INVALID` unless specifically added / passed in the private ca root to the docker.

One workaround is mentioned here: https://github.com/hoarder-app/hoarder/issues/500 however it's not working — Hoarder is not respecting this CA store it seems.

Steps to Reproduce

  1. mount in the ca `- /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro`
  2. pass in via the environment variable `NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt`
  3. try add url with https generated from the private ca
  4. getting `Error: net::ERR_CERT_AUTHORITY_INVALID`

Expected Behaviour

Be able to pick up the ca passed in and successfully crawl the self-signed website

Screenshots or Additional Context

No response

Device Details

No response

Exact Hoarder Version

v0.23.0

Have you checked the troubleshooting guide?

  • I have checked the troubleshooting guide and I haven't found a solution to my problem

@jasonmhite commented on GitHub (Aug 19, 2025):

Likewise here, can't crawl any sites signed with my personal certificate authority, even after adding the certificate to the trust store in the container.

I suspect the issue is with the Chrome container used for crawling. It also doesn't trust the certificate. I tried adding my certificate likewise to the Alpine certificate store in that service as well but Chrome seems to ignore it as I still get an error.

```
chrome-1       | [0819/201700.439327:WARNING:runtime_features.cc(728)] AttributionReportingCrossAppWeb cannot be enabled in this configuration. Use --enable-features=ConversionMeasurement,AttributionReportingCrossAppWeb in addition.
chrome-1       | [0819/201700.642368:ERROR:cert_verify_proc_builtin.cc(878)] CertVerifyProcBuiltin for libreddit.containerbot.home failed:
chrome-1       | ----- Certificate i=0 (ST=XX,C=US,CN=REDACTED.home) -----
chrome-1       | ERROR: No matching issuer found
chrome-1       |
chrome-1       |
chrome-1       | [0819/201700.642836:ERROR:ssl_client_socket_impl.cc(970)] handshake failed; returned -1, SSL error code 1, net_error -202
chrome-1       | [0819/201700.653203:WARNING:runtime_features.cc(728)] AttributionReportingCrossAppWeb cannot be enabled in this configuration. Use --enable-features=ConversionMeasurement,AttributionReportingCrossAppWeb in addition.
```
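
Added example (not part of the original comments or of Karakeep's code): a small Node.js parser that pulls certificate-verification failures out of Chrome container logs shaped like the ones quoted above and names the `net_error` code. Code -202 is Chromium's number for the `ERR_CERT_AUTHORITY_INVALID` reported in the issue. The function name `triageChromeTlsLog` and the sample host are hypothetical.

```javascript
// Added example: triage Chromium TLS failures in `docker compose logs` output.
// Subset of Chromium's net error codes (net/base/net_error_list.h).
const NET_ERRORS = {
  '-200': 'ERR_CERT_COMMON_NAME_INVALID',
  '-201': 'ERR_CERT_DATE_INVALID',
  '-202': 'ERR_CERT_AUTHORITY_INVALID',
};

// Constructed sample, shaped like the log lines quoted in the comment above.
const SAMPLE_LOG = [
  'chrome-1  | [0819/201700.642368:ERROR:cert_verify_proc_builtin.cc(878)] CertVerifyProcBuiltin for internal.example.home failed:',
  'chrome-1  | ----- Certificate i=0 (ST=XX,C=US,CN=internal.example.home) -----',
  'chrome-1  | ERROR: No matching issuer found',
  'chrome-1  |',
  'chrome-1  | [0819/201700.642836:ERROR:ssl_client_socket_impl.cc(970)] handshake failed; returned -1, SSL error code 1, net_error -202',
].join('\n');

function triageChromeTlsLog(text) {
  const findings = [];
  let current = null; // verification failure still collecting detail lines
  for (const raw of text.split('\n')) {
    // Drop the "service-N |" prefix that docker compose adds.
    const line = raw.replace(/^\S+\s*\|\s?/, '').trim();
    let m;
    if ((m = line.match(/CertVerifyProcBuiltin for (\S+) failed:/))) {
      current = { host: m[1], subject: null, reasons: [], netError: null };
      findings.push(current);
    } else if (current && (m = line.match(/^----- Certificate i=\d+ \((.*)\) -----$/))) {
      current.subject = m[1];
    } else if (current && (m = line.match(/^ERROR: (.+)$/))) {
      current.reasons.push(m[1]);
    } else if ((m = line.match(/handshake failed;.*net_error (-\d+)/))) {
      const name = NET_ERRORS[m[1]] || `net_error ${m[1]}`;
      // Attach to the preceding verification failure when there is one.
      if (current) current.netError = name;
      else findings.push({ host: null, subject: null, reasons: [], netError: name });
      current = null;
    }
  }
  return findings;
}

console.log(JSON.stringify(triageChromeTlsLog(SAMPLE_LOG), null, 2));
```

A finding whose reason is `No matching issuer found` means the browser process itself could not build a chain to a trusted root, so the trust store to inspect is the one the Chrome container reads, not the Node.js one set through `NODE_EXTRA_CA_CERTS`.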