Certificates and internal certificate authorities

Learn how to use an internal certificate authority (CA) with Retool.

If your API's SSL certificates are signed by an internal CA, Retool refuses to connect over HTTPS unless you configure Retool to trust your CA. You do this by setting NODE_EXTRA_CA_CERTS to the absolute path of your certificate file. The file must contain one or more trusted certificates in PEM format.

Configure Docker Compose

With Docker Compose deployments, you need to store the certificate as a file on the filesystem, and then mount it into the api and db-connector containers.

  1. Create a subdirectory in your retool-onpremise repo named ca.
  2. Save your internal certificate in PEM format to ./ca/cert.pem.
  3. Configure the following docker-compose.yml and docker.env files.

docker-compose.yml:

    version: '2'
    services:
      api:
        image: tryretool/backend:latest
        env_file: ./docker.env
        ...
        volumes:
          - ./ssh:/retool_backend/autogen_ssh_keys
          - ./ca:/retool_backend/ca

      db-connector:
        ...
        volumes:
          - ./ca:/retool_backend/ca

docker.env:

    NODE_ENV=production
    ...
    NODE_EXTRA_CA_CERTS=/retool_backend/ca/cert.pem
    ...

Configure Kubernetes and other deployment infrastructures

The process for Kubernetes and other deployment options is similar to Docker Compose, but you might have different options depending on your infrastructure. For example, with Kubernetes you can use Kubernetes Secrets, and with Heroku you can extend the Dockerfile to copy the certificate into the container.

