Certificate permissions with Docker

#1

What am I missing with permissions for the certificate when using Docker?

The issue is "FATAL Error: EACCES: permission denied, open '/usr/share/kibana/config/server.pem'"

Because Kibana runs as user 1000 in the container, I can’t just use a volume mount/binding for the certificate files without either giving all users read access to the key or creating a matching uid with root access on the host.

I looked at using Docker secrets, but without a swarm I can’t change the mode of the file.

I could build the cert files into the image, but that doesn’t seem very 12 factor.

Thanks

#2

For clarification, I’m trying to use the host cert/key stored in /etc/pki/tls/…

This is a site requirement that I have the host cert for all applications.

I see that both elasticsearch and kibana are running as user ID 1000.
uid=1000(elasticsearch) gid=1000(elasticsearch) groups=1000(elasticsearch),0(root)
uid=1000(kibana) gid=1000(kibana) groups=1000(kibana)

I thought 0:1000 mode 0640 would work, as it keeps root on the host with access and gives the Docker apps read access.

Kibana works, but elasticsearch says it can’t read it.
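
The ownership scheme described in post #2 (owner 0, group 1000, mode 0640, read by a process with uid/gid 1000) can be checked one path component at a time. This is an added example, not part of the original thread: the function names `class_bits` and `can_read` are hypothetical, it assumes GNU `stat` and `readlink`, and it models only the classic owner/group/other bits (no ACLs, capabilities, SELinux or application-level sandboxing).

```shell
#!/bin/sh
# Added example: models classic owner/group/other mode bits only.
# Assumes GNU stat and readlink (Linux host).

# class_bits UID "GID ..." PATH -> prints the rwx digit (0-7) that applies
# to that identity: owner class first, then group, then other.
class_bits() {
    meta=$(stat -c '%u %g %a' "$3") || return 2
    owner=${meta%% *}; rest=${meta#* }; group=${rest%% *}
    m=$((0${rest#* }))                      # %a is octal, e.g. 640 or 1777
    if [ "$1" = "$owner" ]; then echo $(( (m >> 6) & 7 )); return 0; fi
    for g in $2; do
        if [ "$g" = "$group" ]; then echo $(( (m >> 3) & 7 )); return 0; fi
    done
    echo $(( m & 7 ))
}

# can_read UID "GID ..." FILE -> returns 0 if the file has the read bit and
# every parent directory has the search (x) bit for that identity;
# otherwise returns 1 and names the first blocking component found.
can_read() {
    p=$(readlink -f "$3") || return 2       # resolve symlinks first
    bits=$(class_bits "$1" "$2" "$p") || return 2
    if [ $((bits & 4)) -eq 0 ]; then echo "no read bit: $p"; return 1; fi
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        bits=$(class_bits "$1" "$2" "$p") || return 2
        if [ $((bits & 1)) -eq 0 ]; then echo "no search bit: $p"; return 1; fi
    done
    echo "readable"
}

# Identities taken from the id output in post #2; the path is a placeholder.
# can_read 1000 "1000 0" /path/to/server.pem   # elasticsearch
# can_read 1000 "1000"   /path/to/server.pem   # kibana
```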