From 3bf702447b0c23510cf095737b7ad3e7a9f09279 Mon Sep 17 00:00:00 2001
From: Ivan Gabaldon <igabaldon@inetol.net>
Date: Tue, 23 Sep 2025 21:57:29 +0200
Subject: [PATCH] [enh] container: custom certificates (#5238)

Let container instance administrators to add custom certificates:

  https://docs.searxng.org/admin/installation-docker.html#custom-certificates

Closes https://github.com/searxng/searxng/issues/5206
---
 container/base-builder.yml         |  1 +
 container/base.yml                 |  2 ++
 container/entrypoint.sh            |  2 ++
 docs/admin/installation-docker.rst | 11 +++++++++++
 4 files changed, 16 insertions(+)

diff --git a/container/base-builder.yml b/container/base-builder.yml
index 0b16e4be7..84f7e95aa 100644
--- a/container/base-builder.yml
+++ b/container/base-builder.yml
@@ -16,6 +16,7 @@ work-dir: /usr/local/searxng/
 
 environment:
   PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  SSL_CERT_DIR: /etc/ssl/certs
   SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
   HISTFILE: /dev/null
 
diff --git a/container/base.yml b/container/base.yml
index aa1c7e9f9..f78abab85 100644
--- a/container/base.yml
+++ b/container/base.yml
@@ -3,6 +3,7 @@ contents:
     - https://dl-cdn.alpinelinux.org/alpine/edge/main
   packages:
     - alpine-baselayout
+    - ca-certificates
     - ca-certificates-bundle
     - musl-locales
     - musl-locales-lang
@@ -27,6 +28,7 @@ accounts:
 
 environment:
   PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  SSL_CERT_DIR: /etc/ssl/certs
   SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
   HISTFILE: /dev/null
   CONFIG_PATH: /etc/searxng
diff --git a/container/entrypoint.sh b/container/entrypoint.sh
index 2e45bca21..10844f115 100755
--- a/container/entrypoint.sh
+++ b/container/entrypoint.sh
@@ -127,4 +127,6 @@ volume_handler "$DATA_PATH"
 # Check for files
 config_handler "$SEARXNG_SETTINGS_PATH" "/usr/local/searxng/searx/settings.yml"
 
+update-ca-certificates
+
 exec /usr/local/searxng/.venv/bin/granian searx.webapp:app
diff --git a/docs/admin/installation-docker.rst b/docs/admin/installation-docker.rst
index c947b8b57..20fa95262 100644
--- a/docs/admin/installation-docker.rst
+++ b/docs/admin/installation-docker.rst
@@ -165,6 +165,17 @@ Container internal paths (don't modify unless you know what you're doing):
 - ``$SEARXNG_SETTINGS_PATH``: Path to the SearXNG settings file (default: ``$CONFIG_PATH/settings.yml``)
 - ``$DATA_PATH``: Path to the SearXNG data directory (default: ``/var/cache/searxng``)
 
+.. _Container custom certificates:
+
+Custom certificates
+===================
+
+You can mount ``/usr/local/share/ca-certificates/`` folder to add/remove
+additional certificates as needed.
+
+They will be available on container (re)start or when running
+``update-ca-certificates`` in the container shell.
+
 .. _Container custom images:
 
 Custom images