Notes/Solution on how to deal with SMTP servers with unrecognised CA

These are my notes on how to solve the issue on Nextcloud with the official docker image, where the SMTP server used to send notifications presents a certificate issued by a certificate authority the image does not recognise, or a self-signed certificate.

Rather than lowering your server's security with (IMHO) dangerous PHP SSL stream context options such as:

'allow_self_signed' => true,
'verify_peer' => false,
'verify_peer_name' => false,

which switch off certificate and hostname verification for the SMTP connection altogether (anyone able to intercept the traffic can then impersonate the mail server and read the SMTP credentials), install the missing CA (third party or your own) into the docker image instead.

To achieve this, create a nextcloud/Dockerfile like this one:

FROM nextcloud:latest

# COPY rather than ADD: ADD would also unpack archives and fetch URLs, which is not wanted here
COPY TI_Trust_Technologies_OV_CA.crt /usr/local/share/ca-certificates/TI_Trust_Technologies_OV_CA.crt
RUN update-ca-certificates

Where TI_Trust_Technologies_OV_CA.crt is the name of the file containing the CA certificate you want to install, in PEM format (a DER file can be converted with openssl x509 -inform der -in ca.der -out ca.crt). The extension must be .crt: update-ca-certificates only picks up *.crt files from /usr/local/share/ca-certificates, links them into /etc/ssl/certs and regenerates the /etc/ssl/certs/ca-certificates.crt bundle, which is the system trust store OpenSSL, and therefore PHP, uses by default. A file holding both the root and an intermediate is fine; each PEM block becomes its own trust entry.

Then point docker-compose.yml at the build directory instead of the stock image:

  nextcloud:
    #image: nextcloud:latest
    build: nextcloud

Then run docker compose build (followed by docker compose up -d) and your image is ready to run. It should connect to your SMTP server without lowering your security posture. Two things to keep in mind: the image is now built locally, so docker compose pull no longer brings in a newer Nextcloud; rebuild with docker compose build --pull to pick up upstream releases (the CA is installed again on every rebuild). To confirm the trust store is right, run openssl s_client against the SMTP server from inside the container and check for "Verify return code: 0 (ok)"; s_client uses the same system store as PHP's openssl extension, so a 0 there means Nextcloud will verify the server too.