How to add a personal CA

[pippo73]

Hi all,
I would like to use AL behind a caddy proxy. For this I need to the container my CA in order to make it work, but I've tried all I could and when I add it it break the ssl part inside so it works not :-(
could someone help me with this?

[gab-dev-7]

Based on your issue, it sounds like it is trying to make secure requests—likely to itself or another service behind your Caddy proxy—but failing because it doesn't trust your custom Certificate Authority (CA).

When you simply "add" the certificate to the container, it often isn't enough because Python applications usually use their own internal certificate store (via the certifi package) rather than the system's default store.

You need to mount your CA file into the container and then tell Python explicitly to use it using environment variables.

In your docker-compose.yml, update the server (backend) service:

services:
  server:
    # ... existing config ...
    volumes:
      # 1. Mount your custom CA certificate (change path as needed)
      - /path/to/your/custom-ca.crt:/usr/local/share/ca-certificates/custom-ca.crt:ro
    environment:
      # 2. Tell Python requests to trust this specific CA bundle
      - REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/custom-ca.crt
      - SSL_CERT_FILE=/usr/local/share/ca-certificates/custom-ca.crt
      # 3. Ensure your Caddy domain is trusted
      - CSRF_TRUSTED_ORIGINS=https://your.domain.com

REQUESTS_CA_BUNDLE: This specific variable tells the Python requests library (used by AdventureLog) to ignore its built-in list and trust your specific CA file instead.
CSRF_TRUSTED_ORIGINS: Since you are running behind Caddy with SSL, Django needs to know that https://your.domain.com is a trusted source, otherwise you will hit "CSRF Failed" errors on login.

Note on Caddy:
If you are just using Caddy to expose AdventureLog to the internet, ensure Caddy is proxying to the HTTP port of the container (usually port 8000 internally), not an internal HTTPS port. Caddy handles the SSL termination, so the connection between Caddy and the container can remain plain HTTP to avoid complexity.