Feature Request: Add Configuration Support For Custom CA Certificates In Container Builds
===========================================================
Introduction
In corporate network environments, deployments based on protocol schemes can fail when TLS traffic is inspected. The failure occurs during the build: downloaded web content is proxied, and TLS certificate verification fails because the presented certificate is untrusted. To improve the usability of this tool in such environments, we propose adding a configuration mechanism that lets users specify custom CA certificates to be trusted by the container that builds images for protocol scheme execution.
Use Case / Motivation
Deployments based on protocol schemes can fail when run from within a network that inspects TLS traffic. The failure happens during the build, where downloaded web content is proxied and TLS certificate verification fails because the certificate is untrusted. This feature would improve the usability of this tool within common corporate network environments.
Example Scenario
In the following run, the tool fails to build a Docker image because TLS certificate verification fails:
thv run npx://@modelcontextprotocol/server-sequential-thinking
1:28PM INF Processed cmdArgs: []
1:28PM INF Building Docker image for npx package: @modelcontextprotocol/server-sequential-thinking
1:28PM INF Building image toolhivelocal/npx--modelcontextprotocol-server-sequential-thinking:20250504132808 from context directory /var/folders/ly/x518gxkn27d54qvwyzjd9pjc0000gn/T/toolhive-docker-build-3226472955
Step 1/7 : FROM node:22-alpine
---> 18e4fe4d4cd5
Step 2/7 : RUN apk add --no-cache git
---> Running in 3ad390fb3e76
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/community/aarch64/APKINDEX.tar.gz
206D409DFFFF0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2103:
WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.21/main: Permission denied
206D409DFFFF0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2103:
WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.21/community: Permission denied
ERROR: unable to select packages:
git (no such package):
required by: world[git]
Error: failed to process protocol scheme: failed to build Docker image: build error: The command '/bin/sh -c apk add --no-cache git' returned a non-zero code: 1: failed to process build output: build error: The command '/bin/sh -c apk add --no-cache git' returned a non-zero code: 1
Current Limitation
Currently, the tool has no mechanism to inject or configure custom CA certificates in its trust store. Users therefore cannot specify custom certificates to be trusted by the container that builds images for protocol scheme execution.
Requested Feature
To address this limitation, we propose adding a configuration mechanism that lets users specify custom CA certificates to be trusted by the container that builds images for protocol scheme execution. This feature would improve the usability of this tool within common corporate network environments.
Configuration Mechanism
The configuration mechanism should allow users to specify custom CA certificates in a secure and convenient manner. This can be achieved through a variety of methods, such as:
- Command-line flags: Users can specify custom CA certificates as command-line flags, which can be easily integrated into the tool's existing command-line interface.
- Configuration files: Users can specify custom CA certificates in configuration files, which can be easily managed and updated.
- Environment variables: Users can specify custom CA certificates as environment variables, which can be easily set and unset.
Example Configuration
Here's an example configuration that demonstrates how to specify custom CA certificates using command-line flags:
thv run --ca-certificates=/path/to/ca-certificates npx://@modelcontextprotocol/server-sequential-thinking
In this example, the --ca-certificates flag specifies the path to the custom CA certificates to be trusted by the container that builds images for protocol scheme execution.
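Every certificate in the file passed this way becomes a trust anchor for all TLS connections made during the build, so the file is worth checking before it is copied into the build context. The following is an added example, not the tool's own code: `ValidateCABundle` and `constructedCert` are hypothetical names, and the sample certificates are generated on the fly as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateCABundle (hypothetical, added example) accepts a PEM bundle only if every block is a currently valid CA certificate.
func ValidateCABundle(pemData []byte, now time.Time) (int, error) {
	n := 0
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // e.g. a private key pasted into the bundle
			return 0, fmt.Errorf("unexpected PEM block %q in CA bundle", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return 0, fmt.Errorf("parse certificate: %w", err)
		}
		if !cert.BasicConstraintsValid || !cert.IsCA { // leaf certs do not belong in a trust store
			return 0, fmt.Errorf("certificate serial %v is not a CA", cert.SerialNumber)
		}
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return 0, fmt.Errorf("certificate serial %v is outside its validity period", cert.SerialNumber)
		}
		n++
	}
	if n == 0 { // empty file or non-PEM data
		return 0, fmt.Errorf("no certificates found in CA bundle")
	}
	return n, nil
}

// constructedCert builds a throwaway self-signed certificate as constructed sample input.
func constructedCert(serial int64, isCA bool, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(ValidateCABundle(constructedCert(1, true, time.Now().Add(24*time.Hour)), time.Now()))
}
```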
Conclusion
In conclusion, a configuration mechanism that lets users specify custom CA certificates to be trusted by the container that builds images for protocol scheme execution would improve the usability of this tool within common corporate network environments. We propose implementing this feature through a variety of methods, such as command-line flags, configuration files, and environment variables. By providing a secure and convenient way to specify custom CA certificates, we can ensure that users can successfully build and deploy container images in a variety of network environments.
===========================================================
Introduction
In our previous article, we discussed the feature request to add configuration support for custom CA certificates in container builds. This feature would improve the usability of the tool within common corporate network environments. In this article, we will address some frequently asked questions related to this feature request.
Q&A
Q: What is the purpose of adding configuration support for custom CA certificates in container builds?
A: The purpose of adding configuration support for custom CA certificates in container builds is to improve the usability of the tool within common corporate network environments. This feature would allow users to specify custom CA certificates to be trusted by the container that builds images for protocol scheme execution.
Q: How would this feature be implemented?
A: This feature would be implemented through a variety of methods, such as command-line flags, configuration files, and environment variables. Users would be able to specify custom CA certificates in a secure and convenient manner.
Q: What are the benefits of this feature?
A: The benefits of this feature include:
- Improved usability of the tool within common corporate network environments
- Ability to specify custom CA certificates to be trusted by the container that builds images for protocol scheme execution
- Secure and convenient way to specify custom CA certificates
Q: How would this feature affect the security of the tool?
A: This feature would not affect the security of the tool. In fact, it would improve the security of the tool by allowing users to specify custom CA certificates to be trusted by the container that builds images for protocol scheme execution.
Q: Would this feature be compatible with existing container images?
A: Yes, this feature would be compatible with existing container images. Users would be able to specify custom CA certificates to be trusted by the container that builds images for protocol scheme execution, without affecting the existing container images.
Q: How would this feature be updated and maintained?
A: This feature would be updated and maintained through regular software updates and patches. Users would be notified of any updates and patches, and would be able to easily update and maintain the feature.
Q: Would this feature be available in the next release of the tool?
A: Yes, this feature would be available in the next release of the tool. We are committed to delivering this feature to our users as soon as possible.
Conclusion
In conclusion, adding configuration support for custom CA certificates in container builds is a crucial feature that would improve the usability of the tool within common corporate network environments. We hope that this Q&A article has addressed some of the frequently asked questions related to this feature request. If you have any further questions or concerns, please do not hesitate to contact us.