This guide explains how to configure Checkmate to trust custom Certificate Authorities (CAs) when running in Docker, particularly useful for internal/private CAs like Smallstep.
Certificate Authorities (CAs) are entities that issue and manage digital certificates. While public CAs (like Let's Encrypt, DigiCert) are trusted by default in most systems, private or internal CAs (like those issued by Smallstep, internal PKI systems) require explicit trust configuration.
When Checkmate monitors HTTPS endpoints with certificates from private CAs, it may show them as "DOWN" due to certificate validation failures, even if the service is actually accessible.
The simplest approach is to mount your custom CA certificate and configure Node.js to trust it using the NODE_EXTRA_CA_CERTS environment variable.
Add a volume mount for your CA certificate and set the environment variable:
services:
server:
image: uptime_server:latest
restart: always
ports:
- "52345:52345"
env_file:
- server.env
environment:
NODE_EXTRA_CA_CERTS: /certs/custom-ca.pem
volumes:
- ./certs:/certs:ro
depends_on:
- redis
- mongodbCreate a certs directory in your Docker Compose project root:
docker/dev/
├── docker-compose.yaml
├── certs/
│ └── custom-ca.pem
└── ...
For more comprehensive trust configuration, you can create a derived Dockerfile that installs your CA at the OS level.
Create docker/dev/server-custom-ca.Dockerfile:
FROM node:20-alpine
# Install ca-certificates for Alpine
RUN apk add --no-cache ca-certificates
WORKDIR /app
COPY ./server/package*.json ./
RUN npm install
COPY ./server/ ./
# Copy your custom CA certificate
COPY ./certs/custom-ca.crt /usr/local/share/ca-certificates/
# Update CA certificates
RUN update-ca-certificates
EXPOSE 52345
CMD ["node", "src/index.js"]Create docker/dev/docker-compose.custom-ca.yaml:
services:
server:
build:
context: .
dockerfile: server-custom-ca.Dockerfile
restart: always
ports:
- "52345:52345"
env_file:
- server.env
depends_on:
- redis
- mongodbRun with: docker-compose -f docker-compose.yaml -f docker-compose.custom-ca.yaml up
Since Checkmate uses Alpine Linux as the base image, you need to install the ca-certificates package:
# Install ca-certificates for Alpine
RUN apk add --no-cache ca-certificates
# Copy and update CA certificates
COPY ./certs/custom-ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificatesIf you're using Smallstep as your internal CA, you can export the root CA certificate:
# Export the root CA certificate
step certificate inspect --format pem step-ca/root_ca.crt > custom-ca.pem
# Or if you have the CA URL configured
step certificate inspect --format pem $(step path)/certs/root_ca.crt > custom-ca.pem- Copy the exported
custom-ca.pemto yourdocker/dev/certs/directory - Use either the Node-level or OS-level approach above
- Restart your Checkmate server container
- Private CAs: Only trust CAs from your organization's PKI infrastructure
- Self-signed certificates: Consider using proper CA infrastructure instead
- Certificate validation: Ensure your CA certificates are valid and not expired
- Access control: Limit access to the CA certificate files in production
Test if your CA is trusted by the container:
# Enter the running container
docker exec -it <container_name> sh
# Check if the CA is in the trust store
ls -la /usr/local/share/ca-certificates/
cat /etc/ssl/certs/ca-certificates.crt | grep -A 5 -B 5 "YOUR_CA_NAME"- Permission denied: Ensure the CA certificate file has proper read permissions
- Certificate format: Use PEM format (.pem, .crt) for best compatibility
- Container restart: Always restart the container after adding new CA certificates
- Path issues: Verify the certificate path in your volume mounts
Here's a complete example for a Smallstep CA setup. This demonstrates both the baseline failure (expected) and the custom CA success:
-
Start Checkmate without custom CA trust:
cd docker/dev docker-compose up -d -
Test connection to internal HTTPS endpoint:
# This should fail with TLS error (unknown CA) docker-compose exec server node -e " const https = require('https'); https.get('https://your-internal-site.com', res => { console.log('STATUS:', res.statusCode); }).on('error', e => { console.error('ERR:', e.message); }); "
Expected result: TLS error due to unknown CA
-
Export Smallstep Root CA:
step certificate inspect --format pem step-ca/root_ca.crt > docker/dev/certs/smallstep-root-ca.pem -
Update docker-compose.yaml with custom CA trust:
services: server: environment: NODE_EXTRA_CA_CERTS: /certs/smallstep-root-ca.pem volumes: - ./certs:/certs:ro
-
Restart with custom CA:
docker-compose down docker-compose -f docker-compose.yaml -f docker-compose.custom-ca-example.yaml up -d
-
Test the same connection:
# This should now succeed docker-compose exec server node -e " const https = require('https'); https.get('https://your-internal-site.com', res => { console.log('STATUS:', res.statusCode); }).on('error', e => { console.error('ERR:', e.message); }); "
Expected result: HTTP 200 OK
- Baseline: TLS failure proves default behavior (unknown CA)
- Custom CA: TLS success proves custom CA trust is working
- Both tests must pass to confirm the feature works correctly
Your Checkmate server should now trust certificates issued by your Smallstep CA, allowing you to monitor internal HTTPS endpoints without disabling SSL validation.