Merge pull request #9990 from MxMurshed/uia/1112-add-support-for-self-signed-certificate

NicoletaComan · web-flow · commit c0650e6633f9 · 2025-08-18T15:28:48.000+02:00
Add support for self signed certificate
diff --git a/content/en/docs/marketplace/platform-supported-content/services/private-service.md b/content/en/docs/marketplace/platform-supported-content/services/private-service.md
@@ -62,16 +62,19 @@ The following artifact is available for installing the service:
 
 Follow these steps to install the service through Docker:
 
-1. Pull the Docker image using the following command: `docker pull private-cloud.registry.mendix.com/mendix/document-generation-service:<tag>`.
-2. Run the Docker container using the following command: `docker run -p 8085:8085 --name document-generation private-cloud.registry.mendix.com/mendix/document-generation-service:<tag>`. This creates a Docker container, which is exposed on port `8085`.    
+{{% alert color="info" %}}
+If you are using a self-signed certificate in your environment, skip these steps and refer to the [Importing a Self-Signed Certificate](#importing-a-self-signed-certificate) section.
+{{% /alert %}}
 
-The `<tag>` component must be replaced with the version of the service, such as `1.0.0`. You can find all versions and their release notes in the [Private PDF Document Generation Service Release Notes](/releasenotes/marketplace/private-service/).
+1. Pull the Docker image using the following command: `docker pull private-cloud.registry.mendix.com/mendix/document-generation-service:latest`.
+2. Run the Docker container using the following command: `docker run -p 8085:8085 --name document-generation private-cloud.registry.mendix.com/mendix/document-generation-service:latest`. This creates a Docker container, which is exposed on port `8085`.    
+
+    The `latest` tag allows you to use the most recent released version of the service. If you want to use a specific version, replace `latest` with the desired version, such as `1.0.0`. You can find all versions and their release notes in the [Private PDF Document Generation Service Release Notes](/releasenotes/marketplace/private-service/).
 
 #### Setting Up a Health Check (Optional)
 
 If you need to set up a health check, you can use the health check endpoint included in the service, at the `/health` path. This endpoint returns the `200` status code and the `OK` message if everything is working correctly.
 
-
 ### Isolation
 
 Requests share the same container resources, which has the following implications:
@@ -115,7 +118,71 @@ When using Docker to run the image, add the configuration using the provided env
 |----------------------|---------------|-------------|
 | `MAX_DOCUMENT_SIZE` | `25000000` (25 MB) | The maximum size for PDF documents generated using the service. When a PDF exceeds this file size, the request is aborted. |
 | `MAX_PAGE_RENDERING_TIME` | `30000` (30 seconds) | The maximum time to wait for the page to finish loading and rendering. If loading the page exceeds this time, a [Wait for Content](/appstore/modules/document-generation/#wait-for-content-exception) exception is sent to the module. |
-| `ACCEPT_INSECURE_CERTIFICATES` | `false` | <p> Allows the use of untrusted certificates, such as when using self-signed certificates.</p> <p> **Warning:** This disables certificate validation, and allows the use of invalid certificates. Be aware of any resulting security risks.</p> |
+| `ACCEPT_INSECURE_CERTIFICATES` | `false` | <p> Allows the use of untrusted certificates, such as when using self-signed certificates.</p> <p> **Warning:** This disables certificate validation, and allows the use of invalid certificates. Be aware of any resulting security risks. Alternatively, for better security, you can provide your certificates to the service. For details, refer to the [Importing a Self-Signed Certificate](#importing-a-self-signed-certificate) section.</p>|
+
+### Importing a Self-Signed Certificate {#importing-a-self-signed-certificate}
+
+If your environment uses a self-signed certificate, you can extend the PDF Document Generation service Docker image to trust this certificate. This is required for secure communication when the service needs to connect to endpoints using your custom Certificate Authority (CA).
+
+Follow these steps:
+
+1. Create a Docker file, such as `Dockerfile.import-cert`, with the following content:
+
+    ```dockerfile
+    FROM private-cloud.registry.mendix.com/mendix/document-generation-service:latest
+
+    ARG CERT_FILE_PATH
+
+    RUN echo "Check if CERT_FILE_PATH is provided"
+    RUN if [ -z "$CERT_FILE_PATH" ]; then \
+            echo "ERROR: CERT_FILE_PATH build argument is required"; \
+            exit 1; \
+        fi
+
+    RUN echo "Copy certificate as DocumentGeneration_CA"
+    COPY ${CERT_FILE_PATH} /usr/local/share/ca-certificates/DocumentGeneration_CA.crt
+
+    USER root
+
+    RUN apk add nss-tools && update-ca-certificates
+
+    USER 1000
+        
+    RUN mkdir -p "$HOME/.pki/nssdb"
+    RUN certutil -d sql:$HOME/.pki/nssdb -N --empty-password
+
+    RUN echo "Add DocumentGeneration_CA to certificate store"
+    RUN certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "DocumentGeneration_CA" -i /usr/local/share/ca-certificates/DocumentGeneration_CA.crt
+
+    RUN echo "Verify certificate installation"
+    RUN if certutil -d sql:$HOME/.pki/nssdb -L | grep -q "DocumentGeneration_CA"; then \
+            echo "Certificate setup completed!"; \
+        else \
+            echo "ERROR: DocumentGeneration_CA not found in certificate store" && exit 1; \
+        fi
+
+    WORKDIR /prod/docgen-worker-private
+
+    CMD [ "node", "bundle.js" ]
+    ```
+
+1. Build the Docker image with your certificate:
+
+    ```bash
+    docker build -f Dockerfile.import-cert --build-arg CERT_FILE_PATH=<path-to-your-ca.crt> -t document-generation-service-with-cert .
+    ```
+
+1. Run the container as usual:
+
+    ```bash
+    docker run -p 8085:8085 --name document-generation-service-with-cert
+    ```
+
+    Replace `<path-to-your-ca.crt>` with the path to your self-signed certificate's `.crt` or `.pem` file.
+
+This approach ensures that the service trusts your self-signed certificate for secure connections.
+
+If you only need the service to trust this self-signed certificate, Mendix recommends setting the `ACCEPT_INSECURE_CERTIFICATES` variable to `false`.
 
 ## Configuring your Mendix Apps
 
