I am currently in the process of evaluating running mailcow for my company’s internal mailing system.
Since we are running Keycloak for SSO I installed mailcow nightly.

Here’s my issue: my company uses self-signed CA/certs through a reverse proxy for internal resources. So now when I enter all the details under Identity providers, mailcow is unable to connect using the Keycloak URL (for example https://auth.foo.bar) due to an untrusted cert.
If I enter the IP:port of the Keycloak instance the connection test succeeds, but login is not possible ofc.

I probably will be able to manually add my cert to a persistent volume somehow, but I wanted to ask if there is a better solution I’m not aware of.

FreddleSpl0it (Forum Staff, mailcow team):

There is just the option to ignore SSL verification errors. If you want to use your own CA, I think it could be done by mounting the cert into the php-fpm container under /etc/ssl/certs.

You can test it with a docker-compose.override.yml:

    # docker-compose.override.yml: mount your CA certificate into the php-fpm container
    services:
      php-fpm-mailcow:
        volumes:
          - /path-to-your-ca/ca-cert.pem:/etc/ssl/certs/ca-cert.pem

If the Keycloak Connection Test with Ignore SSL Errors failed, then update your nightly instance.
The Keycloak Connection Test was ignoring this option. I added it in mailcow/mailcow-dockerized@55dcae4

Please also see the latest blog post https://mailcow.email/posts/2025/nightly-progress/


Thank you for the thorough reply! Looks like I am getting into mailcow at the perfect time!

Your advice with the docker-compose.override.yml was pretty much spot on, except I still had to run update-ca-certificates inside the container to rebuild the CA bundle. I believe that to make this persist I have to add an entrypoint to the override, but for testing this will do!

For completeness' sake, my steps to figuring this out were to docker exec into the php-fpm container and run curl -v https://keycloak.url.tld:

* IPv6: (none)
* IPv4: IP
*   Trying IP:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* closing connection #0
curl: (60) SSL peer certificate or SSH remote key was not OK
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above. 

After running update-ca-certificates I got a correct Handshake.
Thank you very much.
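As an added example (mine, not from this thread or the mailcow project), a POSIX shell script that models why the mount alone was not enough: curl above reports CAfile: /etc/ssl/certs/ca-certificates.crt, so a PEM that is only dropped into /etc/ssl/certs is never consulted until that bundle is rebuilt. It assumes update-ca-certificates concatenates /usr/local/share/ca-certificates/*.crt into the bundle (the Debian and Alpine convention) and uses a constructed placeholder PEM, not a real certificate.

```shell
#!/bin/sh
# Added example: rebuild a CA bundle the way update-ca-certificates does and
# check whether a given CA really ended up in the file curl trusts.

# Print the base64 body of the single certificate in file $1 with all
# whitespace removed, so two copies of the same cert compare byte-for-byte.
pem_body() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
    | sed '1d;$d' | tr -d ' \t\r\n'
}

# Exit 0 if the certificate in $2 appears in bundle $1, 1 otherwise.
bundle_has_cert() {
  needle=$(pem_body "$2")
  [ -n "$needle" ] || return 1
  tr -d ' \t\r\n' < "$1" | grep -q -F -- "$needle"
}

# Rebuild bundle $2 from every *.crt in directory $1 (assumption: the php-fpm
# image's update-ca-certificates reads /usr/local/share/ca-certificates/*.crt).
build_bundle() {
  : > "$2"
  for f in "$1"/*.crt; do
    [ -f "$f" ] || continue
    cat "$f" >> "$2"
    printf '\n' >> "$2"
  done
}

# Constructed sample: a placeholder PEM body, not a real certificate.
FAKE_CA='-----BEGIN CERTIFICATE-----
MIIBexampleCONSTRUCTEDnotArealCertificate0000000000000000000000000
-----END CERTIFICATE-----'

demo() {
  work=$(mktemp -d)
  mkdir -p "$work/local-ca"
  printf '%s\n' "$FAKE_CA" > "$work/ca-cert.pem"
  build_bundle "$work/local-ca" "$work/ca-certificates.crt"   # CA only mounted, not staged
  bundle_has_cert "$work/ca-certificates.crt" "$work/ca-cert.pem" \
    && echo "unexpected" || echo "before rebuild: CA not in bundle (curl: unknown CA)"
  cp "$work/ca-cert.pem" "$work/local-ca/ca-cert.crt"          # stage where the tool looks
  build_bundle "$work/local-ca" "$work/ca-certificates.crt"   # what update-ca-certificates does
  bundle_has_cert "$work/ca-certificates.crt" "$work/ca-cert.pem" \
    && echo "after rebuild: CA in bundle, handshake can verify"
  rm -rf "$work"
}
demo
```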
