Certs: Custom internal CA

In on-premise deployments where your API's SSL certs are signed by an internal certificate authority (CA), Retool will refuse to connect over HTTPS to your APIs by default. This is because the Retool server has not been configured to trust your internal CA.

To configure Retool to trust your internal CA, set the NODE_EXTRA_CA_CERTS environment variable to the absolute path of your certificate file. The file should consist of one or more trusted certificates in PEM format.

Docker Compose

Under the Docker Compose deployment method, you will want to store the certificate as a file on the filesystem, and then mount that file to the api container. Below is an example of how that might look:

Create a subdirectory in your retool-onpremise repo called ca and save your internal certificate in PEM format to ./ca/cert.pem.

Then configure the following files as shown below:

docker-compose.yml
version: '2'
services:
  api:
    image: tryretool/backend:latest
    env_file: ./docker.env
    ...
    volumes:
      - ./ssh:/retool_backend/autogen_ssh_keys
      - ./ca:/retool_backend/ca

  db-connector:
    ...
    volumes:
      - ./ca:/retool_backend/ca

docker.env
NODE_ENV=production
...
NODE_EXTRA_CA_CERTS=/retool_backend/ca/cert.pem
...
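
Node.js only emits a warning when the file named by NODE_EXTRA_CA_CERTS is missing or malformed and otherwise carries on, so a bad bundle tends to surface later as a failed HTTPS connection. The following pre-flight check is an added example, not part of Retool's own tooling; the function name check_ca_bundle is hypothetical and the openssl command-line tool is assumed to be installed where you run it.

```shell
#!/bin/sh
# Added example: validate a PEM bundle before pointing NODE_EXTRA_CA_CERTS at it.
# Usage on the Docker host: check_ca_bundle "$PWD/ca/cert.pem"
check_ca_bundle() (
  f=$1
  # The variable must hold an absolute path, so require one here as well.
  case $f in /*) ;; *) echo "FAIL: '$f' is not an absolute path" >&2; exit 1 ;; esac
  [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; exit 1; }

  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  # Split the bundle into one file per BEGIN CERTIFICATE block.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/" n ".pem") }' "$f"
  set -- "$tmp"/*.pem
  [ -e "$1" ] || { echo "FAIL: no PEM certificate found in $f" >&2; exit 1; }

  rc=0
  for c in "$@"; do
    if ! subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null); then
      echo "FAIL: ${c##*/} does not parse as an X.509 certificate" >&2
      rc=1; continue
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
      echo "FAIL: expired: $subj" >&2
      rc=1; continue
    fi
    # An internal CA certificate is normally marked CA:TRUE; warn if it is not.
    openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE' ||
      echo "WARN: not marked as a CA: $subj" >&2
    echo "OK: $subj"
  done
  exit "$rc"
)
```

The function prints one OK line per usable certificate and returns non-zero if any certificate in the file is unparseable or expired.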

Kubernetes, and other deployment infrastructures

The process is very similar to the Docker Compose configuration, but depending on your infrastructure you may have different options. For example, with Kubernetes you can use Kubernetes Secrets; with Heroku you may choose to extend the Dockerfile to copy the cert into the container.

