Using self-signed certificates
Open Zaak supports self-signed certificates in two ways:
Hosting Open Zaak using self-signed certificates - this is the classic route where your web server/ingress is configured appropriately
Consuming services hosted with self-signed certificates - this is what this guide is about.
Open Zaak communicates with external services such as Open Notificaties, GitHub and the VNG Selectielijst service. It does this using HTTPS, because plain HTTP is insecure.
When Open Zaak makes these requests, the SSL certificates are verified for their validity - e.g. expired certificates or certificates signed by an unknown Certificate Authority (CA) will throw errors (as they should!).
When you’re using self-signed certificates, you are essentially using an unknown CA, and this breaks the functionality of Open Zaak.
Adding your own certificates or CA (root) certificate
Open Zaak supports adding extra, custom certificates to the provided CA bundle. You do this by setting the environment variable EXTRA_VERIFY_CERTS, which must be a comma-separated list of paths to certificate files in PEM format.
An example of such a certificate is:
Typically you would do this by (bind) mounting a volume in the Open Zaak container containing these certificates, and then specify their paths in the container, for example:
docker run \
-v /etc/ssl/certs:/certs:ro \
Of course, you will need to adapt this solution to your deployment method (Helm, Kubernetes, single-server…).
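A pre-flight check for the EXTRA_VERIFY_CERTS value described above, as an added example that is not part of Open Zaak (the function names are hypothetical). It checks structure only: every entry must be an existing file holding PEM CERTIFICATE blocks and no private key. It does not verify signatures or expiry.

```python
import base64
import os
import re

# Captures the label and body of every PEM block in a file.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def check_pem_bytes(raw):
    """Return a list of problems found in one certificate file's contents."""
    try:
        blocks = PEM_BLOCK.findall(raw.decode("ascii"))
    except UnicodeDecodeError:
        return ["not PEM text (binary DER file?)"]
    found = []
    if any("PRIVATE KEY" in label for label, _ in blocks):
        found.append("contains a private key; list certificates only")
    bodies = [body for label, body in blocks if label == "CERTIFICATE"]
    if not bodies:
        found.append("no CERTIFICATE block found")
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            found.append("CERTIFICATE block is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
            found.append("CERTIFICATE payload is not a DER SEQUENCE")
    return found

def check_extra_verify_certs(value):
    """Return (entry, problem) pairs for an EXTRA_VERIFY_CERTS value."""
    problems = []
    for entry in [p.strip() for p in value.split(",")] if value.strip() else []:
        if not entry:
            problems.append((entry, "empty entry in the comma-separated list"))
        elif not os.path.isfile(entry):
            problems.append((entry, "file not found (is the volume mounted?)"))
        else:
            with open(entry, "rb") as fh:
                problems.extend((entry, p) for p in check_pem_bytes(fh.read()))
    return problems

if __name__ == "__main__":
    # Constructed sample: a placeholder DER payload, not a real certificate.
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    sample = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    print(check_pem_bytes(sample.encode()))  # no problems reported
    # Then check the variable exactly as the container would receive it.
    print(check_extra_verify_certs(os.environ.get("EXTRA_VERIFY_CERTS", "")))
```

Run it inside the container (or with the same mounts) so the paths resolve the way Open Zaak will see them.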