Self-signed certificates
If any of your services, such as Minio or the authentication provider, use self-signed certificates for SSL, then the Outline Docker container needs to be made aware of the root certificate authority in order to verify the certificate. You can do this by providing the certificate at runtime or by bundling it with a custom Docker image.
Runtime configuration
To have Outline trust your self-signed root certificate, you must bind mount it into the container and inform Node where to find it. In your docker-compose.yml file, bind mount the CA certificate file in the volumes section, for example:
outline:
  image: docker.getoutline.com/outlinewiki/outline:latest
  env_file: ./docker.env
  ports:
    - "3000:3000"
  volumes:
    - storage-data:/var/lib/outline/data
    - /etc/ssl/myca.crt:/etc/ssl/myca.crt:ro
  depends_on:
    - postgres
    - redis
Then, add NODE_EXTRA_CA_CERTS to your environment, with the path to the CA cert:
NODE_EXTRA_CA_CERTS=/etc/ssl/myca.crt
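Added example (not part of the Outline documentation): the bind mount target and NODE_EXTRA_CA_CERTS must name the same path, and Node only emits a warning when that file cannot be loaded, so a mismatch shows up later as failed TLS connections. This JavaScript check compares the two, confirms the mount is read-only, and flags the override described under "Disable verification"; the function names and finding labels are assumptions, and the sample input is constructed.

```javascript
// Added example. parseEnv, parseVolume and checkTlsConfig are hypothetical helpers.

// Parse KEY=VALUE lines of an env file; skips comments, strips matching quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

// Split a short-syntax compose volume entry "source:target[:options]".
function parseVolume(spec) {
  const [source, target = source, options = "rw"] = spec.split(":");
  return { source, target, options: options.split(",") };
}

// True when `path` is the mount target itself or a file below a mounted directory.
function covers(target, path) {
  return path === target || path.startsWith(target.replace(/\/+$/, "") + "/");
}

// Returns a list of findings; an empty list means the runtime setup is consistent.
function checkTlsConfig(volumeSpecs, envText) {
  const env = parseEnv(envText);
  const findings = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === "0") findings.push("verification-disabled");
  const caPath = env.NODE_EXTRA_CA_CERTS;
  if (!caPath) return findings.concat("ca-path-unset");
  const mount = volumeSpecs.map(parseVolume).find((v) => covers(v.target, caPath));
  if (!mount) findings.push("ca-not-mounted");
  else if (!mount.options.includes("ro")) findings.push("ca-mount-writable");
  return findings;
}

// Constructed sample input mirroring the compose volumes and env line above.
const sampleVolumes = [
  "storage-data:/var/lib/outline/data",
  "/etc/ssl/myca.crt:/etc/ssl/myca.crt:ro",
];
const sampleEnv = "NODE_EXTRA_CA_CERTS=/etc/ssl/myca.crt\n";
console.log(checkTlsConfig(sampleVolumes, sampleEnv)); // prints []
```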
Custom docker image
To bundle your self-signed root certificate, you can build your own Docker image based on the Outline image. The Dockerfile would look similar to the following. Note that update-ca-certificates must be installed and run to install the certificate in the correct location.
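FROM outlinewiki/outline:latest
# Root is needed to write to the system trust store.
# USER root persists into the running container; add a USER line for the
# base image's unprivileged account after the last RUN step if it has one.
USER root
# update-ca-certificates only picks up files ending in .crt, so rename on copy
COPY ./myCA.pem /usr/local/share/ca-certificates/myCA.crt
RUN update-ca-certificates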
With this Dockerfile you can create your own image by running the following command in the same folder:
docker build . --tag outline-custom:latest
Tell Node/Outline to use the custom certificates with the following environment variable:
NODE_OPTIONS=--use-openssl-ca
Disable verification
Alternatively, you can disable verification of all TLS certificates by setting the following environment variable. Note that this isn't advised, as it opens your installation up to man-in-the-middle attacks; you may decide this is an acceptable risk depending on your hosting environment.
NODE_TLS_REJECT_UNAUTHORIZED="0"