From b8656e1df1fcf1deb68482a96318846e3da295c3 Mon Sep 17 00:00:00 2001
From: netsho <67299616+netsho@users.noreply.github.com>
Date: Mon, 5 Jan 2026 22:06:09 +0100
Subject: Document mounting own CA on FreshRSS container (#8406)

closes https://github.com/FreshRSS/FreshRSS/issues/8405

- Add documentation on how to trust own CA that issued self-signed certificate as authentik signing key
- Add example in Docker Example

How to test the feature manually:

1. Create your own CA
2. Issue a certificate
3. Use the issued certificate as a signing-key in authentik when configuring FreshRSS provider
4. Add created CA on host's CA store by running `update-ca-certificates`
5. Mount the `/etc/ssl/certs/ca-certificates.crt` file on FreshRSS container
6. Start the container
7. Navigate to FreshRSS in the browser
8. Authentik login form should be displayed and work as normal.
---
 docs/en/admins/16_OpenID-Connect-Authentik.md | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'docs/en')

diff --git a/docs/en/admins/16_OpenID-Connect-Authentik.md b/docs/en/admins/16_OpenID-Connect-Authentik.md
index 2b3c21edd..5afa3ea0f 100644
--- a/docs/en/admins/16_OpenID-Connect-Authentik.md
+++ b/docs/en/admins/16_OpenID-Connect-Authentik.md
@@ -26,6 +26,7 @@ Without the port number, Authentik will give a `redirect_url` error.
 You will need to choose a signing key.
 If you don’t have one, generate one under *System > Certificates*.
 The default `authentik Self-Signed Certificate` will also work.
+If using a self-signed certificate issued by your own CA, you will need to mount the following file to the FreshRSS container: `/etc/ssl/certs/ca-certificates.crt:ro`. *Note: The `ca-certificates.crt` need to be mounted as read-only `:ro` to avoid any unwanted modification.*
 
 Under *Advanced Protocol Settings > Scopes* you will see that email, openid and profile are selected by default.
 These are the scopes you will set later in the docker config file.
@@ -125,6 +126,7 @@ services:
     volumes:
       - freshrss-data:/var/www/FreshRSS/data
       - freshrss-extensions:/var/www/FreshRSS/extensions
+	  - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro # If using self-signed authentik signing-key issued by your own CA
     # # Portainer defines the env file as show below, but not needed if using the default `.env`
     # env_file:
     #   - ../stack.env
-- 
cgit v1.2.3