Use an individual root certificate authority in your DDEV project

There may be cases where you have to connect to remote resources that use TLS certificates which do not come from a widely known root certificate authority. In DDEV, it is pretty simple to add a root certificate to your project.

We assume you already have the root certificate in the correct format. Where you can get it depends on your certificate authority.

Place the file in the directory .ddev/web-build/ and give the file a proper name, e.g. .ddev/web-build/foobar-root-ca.crt

Create a Dockerfile in the same folder, e.g. .ddev/web-build/Dockerfile.foobar, with just a simple line of code:

ADD foobar-root-ca.crt /usr/lib/ssl/certs/

These simple steps register your individual root certification authority inside your DDEV web container, and you can easily connect to your remote resources without any further problems.

Improvements

(Added on 2026-03-19)

Unfortunately, I still had problems with DDEV's own build process, where composer self-updates are run and Node versions are installed. In both cases, curl did not yet know about my individual root certificate and showed these errors:

Warning: command 'composer self-update --2' run as 'root' failed with exit code 100:

In CurlDownloader.php line 401:

  curl error 7 while downloading https://getcomposer.org/versions: error:8000
  0071:system library::No route to host


self-update [-r|--rollback] [--clean-backups] [--no-progress] [--update-keys] [--stable] [--preview] [--snapshot] [--1] [--2] [--2.2] [--set-channel-only] [--] [<version>]

Warning: command 'n-install.sh' run as 'userxyz' failed with exit code 6:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

  Error: failed to download version index (https://nodejs.org/dist/index.tab)

     offline : matching cached versions
find: ‘/home/userxyz/.n/n/versions’: No such file or directory

  Error: no version found for '14'

Unable to install Node.js version '14'

But even these problems can be solved. In the official DDEV documentation, you can see that Dockerfiles can have a prefix pre to be used earlier in the build process. And the curl docs explain how to use a custom CA store.

After renaming .ddev/web-build/Dockerfile.foobar to .ddev/web-build/pre.Dockerfile.foobar and adding one line to the file, my build process runs without problems:

ADD foobar-root-ca.crt /usr/lib/ssl/certs/
ENV SSL_CERT_FILE=/usr/lib/ssl/certs/foobar-root-ca.crt
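
A preflight check for the setup above, as an added example that is not part of the original post or of DDEV: it compares the certificate's SHA-256 fingerprint with the value obtained from your CA, then confirms that a pre.Dockerfile* both adds the file and points SSL_CERT_FILE at it. It assumes a PEM-encoded certificate and GNU coreutils; the function names and the demo data are made up for illustration.

```sh
# Added example, not DDEV's or the author's code. Assumes GNU coreutils
# (base64, sha256sum), awk, and a PEM-encoded certificate file.

# Base64 body of the first certificate in a PEM file; fails if there is none.
pem_body() {
    tr -d '\r' < "$1" |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        sed '/-----END CERTIFICATE-----/q' | grep -v -- '-----'
}

# SHA-256 over the DER bytes (the digest `openssl x509 -fingerprint -sha256`
# reports), printed as lowercase hex without colons.
ca_fingerprint() {
    body=$(pem_body "$1" 2>/dev/null) || return 1
    printf '%s\n' "$body" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# usage: check_web_build DIR CERT_FILE SHA256_FROM_CA (obtained out of band)
check_web_build() {
    dir=$1 cert=$2 expected=$3 certs=/usr/lib/ssl/certs/
    fp=$(ca_fingerprint "$dir/$cert") || { echo "FAIL: $cert is missing or not PEM"; return 1; }
    [ "$fp" = "$expected" ] || { echo "FAIL: fingerprint mismatch, got $fp"; return 1; }
    for f in "$dir"/pre.Dockerfile*; do
        [ -f "$f" ] || continue
        awk -v c="$cert" -v d="$certs" '($1 == "ADD" || $1 == "COPY") &&
            $2 == c && ($3 == d || $3 == (d c)) { ok = 1 }
            END { exit !ok }' "$f" || continue
        awk -v t="SSL_CERT_FILE=$certs$cert" '$1 == "ENV" && $2 == t { ok = 1 }
            END { exit !ok }' "$f" && { echo "OK: $f"; return 0; }
        echo "FAIL: $f adds $cert but does not set SSL_CERT_FILE"; return 1
    done
    echo "FAIL: no pre.Dockerfile* in $dir adds $cert"; return 1
}

# Demo on constructed data: the PEM body is sample bytes, not a real certificate.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$(printf sample | base64)" \
        '-----END CERTIFICATE-----' > "$d/foobar-root-ca.crt"
    printf '%s\n' 'ADD foobar-root-ca.crt /usr/lib/ssl/certs/' \
        'ENV SSL_CERT_FILE=/usr/lib/ssl/certs/foobar-root-ca.crt' > "$d/pre.Dockerfile.foobar"
    check_web_build "$d" foobar-root-ca.crt \
        "$(printf sample | sha256sum | cut -d' ' -f1)"
    rc=$?; rm -rf "$d"; return "$rc"
}

# With three arguments check a real project, otherwise run the demo.
if [ "$#" -eq 3 ]; then check_web_build "$@"; else demo; fi
```

Run it from the project root with the directory .ddev/web-build, the certificate file name and the fingerprint from your CA as the three arguments.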