mTLS configuration error when using Docker Compose with environment variables #58

Closed
opened 2025-11-19 07:13:02 -06:00 by GiteaMirror · 1 comment
Owner

Originally created by @AblabiX on GitHub (Sep 8, 2025).

Summary

When running newt via Docker Compose with mTLS configured through environment variables, I get the following error:

TLS configuration error: cannot use both PKCS12 format (--tls-client-cert) and separate certificate files (--tls-client-cert-file, --tls-client-key, --tls-client-ca)

Expected behavior

I expected newt to use the PEM-separated certificate configuration when setting environment variables, as described in the mTLS documentation (https://github.com/fosrl/newt?tab=readme-ov-file#mtls).

I'm still using Option 1: PKCS12 (Legacy), with the PKCS file declared in the env like this.
I have just updated from 1.4.0 (mTLS worked) to 1.4.4.

Passing only a PKCS#12 certificate should work without triggering errors about PEM files or mixed configurations.

services:
  newt:
    image: fosrl/newt:latest
    container_name: newt
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=REDACTED
      - NEWT_ID=REDACTED
      - NEWT_SECRET=REDACTED
      - TLS_CLIENT_CERT=./client.p12

Notes

According to the README, there are two mutually exclusive approaches:

PKCS#12 (--tls-client-cert with a .p12 file)

Separate PEM files (--tls-client-cert, --tls-client-key, --tls-ca-cert)

However, when I try to configure the PKCS12 approach via environment variables, it looks like newt still interprets this as PKCS12 + PEM mixed usage, which causes the fatal error.

No PEM environment variables (TLS_CLIENT_KEY, TLS_CA_CERT) are set.

No CLI flags for separate PEM files are used.

The README suggests that using only a PKCS#12 file should be valid.

Questions

Is this behavior expected, or is it a bug?

Is the environment variable mapping for the PEM approach supported?

Could the environment variable handling for PKCS#12 be clarified in the documentation?

Are there hidden default values or other conditions that trigger the “mixed certificate” error?

Should the correct env vars be TLS_CLIENT_CERT, TLS_CLIENT_KEY, TLS_CA_CERT (as I used), or different ones?

If only PKCS12 is supported via env vars, could the docs clarify this limitation?


Thanks for the great work — just looking to clarify the correct way to configure mTLS with Docker Compose.

@AblabiX commented on GitHub (Sep 20, 2025):

must use TLS_CLIENT_CERT_PKCS12

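A Compose file that applies the fix from the comment above, added here as an example; it is not part of the original issue or of the newt project's own files. Beyond renaming the variable, it also mounts the bundle into the container: a relative path such as ./client.p12 in an environment variable is resolved inside the container, not on the host, so without a mount there is no file for newt to open. The container path /certs/client.p12 is an assumption; any path works as long as the variable and the mount agree.

```yaml
services:
  newt:
    image: fosrl/newt:latest
    container_name: newt
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=REDACTED
      - NEWT_ID=REDACTED
      - NEWT_SECRET=REDACTED
      # PKCS#12 bundle goes in TLS_CLIENT_CERT_PKCS12 (per the comment above),
      # not TLS_CLIENT_CERT, which belongs to the separate-PEM-files mode.
      # Do not set both, or the "cannot use both" check fires.
      # The path is the one inside the container and must match the mount below
      # (assumed location, not a newt default).
      - TLS_CLIENT_CERT_PKCS12=/certs/client.p12
    volumes:
      # Bind-mount the bundle read-only from the host next to the compose file.
      # Keeping the private key out of the image means it is not baked into
      # layers that get pushed or cached.
      - ./client.p12:/certs/client.p12:ro
```

Keep the host-side client.p12 readable only by the user running Compose (for example chmod 600), since it carries the client private key.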
Reference: github-starred/newt#58