docs: add internal CA sandbox troubleshooting#25198
Conversation
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
dvdksn
force-pushed
the
codex/internal-ca-troubleshooting
branch
from
c0de444 to
2e69cb0
Compare
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
The new "API calls fail with a certificate error" troubleshooting section is well-structured and technically clear. Commands use correct console language hints, YAML blocks are properly formatted, and the instructions are actionable and accurate.
No hedge words, bold misuse, marketing language, missing front matter, or broken shortcodes were found. The addition matches the existing document's scope and character.
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
The added troubleshooting guidance for internal CA certificates is well-written and accurate. Both new sections follow Docker's documentation style guide: no AI-isms, correct command formatting, appropriate bold usage consistent with existing patterns, and accurate technical content (the kit file path mapping is correct). The content is appropriately scoped and no redirects are needed (new sections added to existing pages only).
Clarify that files/home/ maps to /home/agent/ so the cert path the install command reads is explicit. Drop NODE_EXTRA_CA_CERTS, which isn't needed once update-ca-certificates adds the cert to the system trust store and could break Node by overriding the bundle with a single file. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🔴 CRITICAL
One high-severity issue found in the added content: a dangling cross-reference to NODE_EXTRA_CA_CERTS in the kit example.
Removes the NODE_EXTRA_CA_CERTS note that cross-referenced the kit example. The kit example no longer sets that variable, so the reference was dangling, and the system trust store install covers the common case. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Sorry on the lag in review. So we have 3 egress paths; forward, forward-bypass, and transparent. In transparent I believe we would see the MITM proxy (their perimeter) TLS trust make it to any HTTP stack in the sandbox. For forward-bypass will the server hello be from our proxy or theirs? So i would think we would focus this doc around detecting the specific issue so the fix can be be more precise. Makes me wonder if the transparent vs forward-bypass is going to create more ambiguity. If we can get all TLS to our proxy than our internal CA can mask their MITM CA. Another thing i am thinking about is we need to stress with folks not to override internal env vars with their MITM. If they change the SSL_CERT_FILE etc to enable their injected cert list it will break ours when in forward. |
4 participants
Summary
Add troubleshooting guidance for Docker Sandboxes users whose internal HTTPS inspection proxy requires a custom CA certificate inside the sandbox. The section covers repeatable setup with a sandbox kit, one-off setup for existing sandboxes, Node.js CA configuration, and policy log diagnostics.
Generated by Codex