Docker CA Support
Patronus observes encrypted AI traffic through a local protection path. The desktop setup trusts the Patronus certificate authority on the device, but Docker containers and some CLI runtimes keep separate trust stores. Those runtimes may need the Patronus CA explicitly.
When You Need This
Configure Docker CA support when:
- an AI client runs inside a container,
- a container connects to HTTPS provider APIs through Patronus,
- a Node, Python, curl, or SDK process inside Docker rejects the proxy certificate,
- the same request works on the host but fails inside the container.
Export The CA
Patronus currently stores the CA certificate in:

```
~/.mitmproxy/
```

Use the PEM certificate from that directory when a container or SDK runtime needs to trust Patronus explicitly.
Mount The CA Into A Container
For ad-hoc runs:

```sh
docker run --rm \
  -v "$HOME/.mitmproxy/mitmproxy-ca-cert.pem:/etc/patronus/ca.pem:ro" \
  -e SSL_CERT_FILE=/etc/patronus/ca.pem \
  -e REQUESTS_CA_BUNDLE=/etc/patronus/ca.pem \
  -e NODE_EXTRA_CA_CERTS=/etc/patronus/ca.pem \
  your-image
```

On Windows PowerShell:

```powershell
docker run --rm `
  -v "$env:USERPROFILE\.mitmproxy\mitmproxy-ca-cert.pem:/etc/patronus/ca.pem:ro" `
  -e SSL_CERT_FILE=/etc/patronus/ca.pem `
  -e REQUESTS_CA_BUNDLE=/etc/patronus/ca.pem `
  -e NODE_EXTRA_CA_CERTS=/etc/patronus/ca.pem `
  your-image
```

For Compose:

```yaml
services:
  app:
    image: your-image
    volumes:
      - ~/.mitmproxy/mitmproxy-ca-cert.pem:/etc/patronus/ca.pem:ro
    environment:
      SSL_CERT_FILE: /etc/patronus/ca.pem
      REQUESTS_CA_BUNDLE: /etc/patronus/ca.pem
      NODE_EXTRA_CA_CERTS: /etc/patronus/ca.pem
```

Runtime-Specific Notes
| Runtime | Recommended setting |
|---|---|
| Node.js | NODE_EXTRA_CA_CERTS=/etc/patronus/ca.pem |
| Python requests | REQUESTS_CA_BUNDLE=/etc/patronus/ca.pem |
| Python SSL / some SDKs | SSL_CERT_FILE=/etc/patronus/ca.pem |
| curl | CURL_CA_BUNDLE=/etc/patronus/ca.pem |
Some runtimes ignore these environment variables and only consult the system trust store, so the certificate has to be installed into the image itself. Copy the PEM from `~/.mitmproxy/` into the build context as `patronus-ca.pem` first. For Debian or Ubuntu based images:

```dockerfile
COPY patronus-ca.pem /usr/local/share/ca-certificates/patronus-ca.crt
RUN update-ca-certificates
```

For Alpine:

```dockerfile
RUN apk add --no-cache ca-certificates
COPY patronus-ca.pem /usr/local/share/ca-certificates/patronus-ca.crt
RUN update-ca-certificates
```

Verify
Run a simple HTTPS request from inside the container while Patronus protection is active:

```sh
curl -v https://api.openai.com/
```

A successful TLS handshake confirms the container trusts the local CA. It does not by itself prove that the active protection path observed the request: in the verbose output, the server certificate should be issued by the Patronus CA rather than the provider's public CA, and if the public chain appears the request reached the provider without passing through Patronus. Verify observation in the Desktop App activity, audit, or trace view.
Common Failure Modes
- The container uses a different CA bundle than the host.
- The mounted CA path is wrong or points to an old Patronus CA.
- The runtime was started before the environment variables were set.
- Corporate base images overwrite trust stores during startup.
- The request bypasses Patronus because the container network path does not use the host protection path.
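A container-side diagnostic for the failure modes above, added here as an example and not part of the Patronus documentation or product: it confirms the mounted PEM parses, computes its SHA-256 fingerprint so it can be compared with the host copy under `~/.mitmproxy/`, and reports which runtime variables from the table are unset or point somewhere else. The mount path and variable names are the ones this page uses; `SAMPLE_PEM` and `STALE_PEM` are constructed stand-ins, not real certificates.

```python
# Added example (not Patronus docs/product): checks the CA mount from inside a container.
import base64
import hashlib
import re

# Variable each runtime reads for an extra CA, per the runtime table above.
RUNTIME_VARS = {"Node.js": "NODE_EXTRA_CA_CERTS", "Python requests": "REQUESTS_CA_BUNDLE",
                "Python ssl / SDKs": "SSL_CERT_FILE", "curl": "CURL_CA_BUNDLE"}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 hex fingerprints of each certificate in a PEM bundle; compare
    with the host's ~/.mitmproxy copy to detect a stale or wrong CA."""
    fps = []
    for body in _PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def check_runtime_env(environ, ca_path="/etc/patronus/ca.pem"):
    """Map runtime -> problem for each runtime whose variable is unset or points
    somewhere other than the mounted CA; an empty dict means every runtime is wired."""
    problems = {}
    for runtime, var in RUNTIME_VARS.items():
        value = environ.get(var)
        if value is None:
            problems[runtime] = f"{var} is not set"
        elif value != ca_path:
            problems[runtime] = f"{var}={value!r}, expected {ca_path!r}"
    return problems

def check_mounted_ca(environ, ca_path="/etc/patronus/ca.pem"):
    """Start-up check: CA file readable and holds a certificate, and every
    runtime variable points at it. Returns (ok, fingerprints, problems)."""
    problems = check_runtime_env(environ, ca_path)
    fps = []
    try:
        with open(ca_path, encoding="ascii") as fh:
            fps = pem_fingerprints(fh.read())
        if not fps:
            problems["mount"] = f"{ca_path} holds no PEM certificate"
    except (OSError, ValueError) as exc:  # missing file, unreadable, or bad base64
        problems["mount"] = f"cannot use {ca_path}: {exc}"
    return not problems, fps, problems

def _fake_pem(payload):  # constructed sample: arbitrary bytes in PEM armour, not a real cert
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(payload).decode()

SAMPLE_PEM = _fake_pem(b"constructed-patronus-ca")
STALE_PEM = _fake_pem(b"constructed-old-patronus-ca")
```

Inside the container, call `check_mounted_ca(os.environ)`; a fingerprint that differs from `pem_fingerprints` of the host's `mitmproxy-ca-cert.pem` means the mount points at an old or wrong CA.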