Support custom HTTP certificate

README.md

@@ -191,7 +191,7 @@ The following environment variables can be used to configure Livebook on boot:
     are deployed on Livebook startup with the persisted settings. Password-protected
     notebooks will receive a random password, unless LIVEBOOK_APPS_PATH_PASSWORD
     is set. When deploying using Livebook's Docker image, consider using
-    `LIVEBOOK_APPS_PATH_WARMUP`.
+    LIVEBOOK_APPS_PATH_WARMUP.
 
   * LIVEBOOK_APPS_PATH_HUB_ID - deploy only the notebooks in
     LIVEBOOK_APPS_PATH that belong to the given Hub ID
@@ -208,6 +208,10 @@ The following environment variables can be used to configure Livebook on boot:
   * LIVEBOOK_BASE_URL_PATH - sets the base url path the web application is
     served on. Useful when deploying behind a reverse proxy.
 
+  * LIVEBOOK_CACERTFILE - path to a local file containing CA certificates.
+    Those certificates are used during for server authentication when Livebook
+    accesses files from external sources.
+
   * LIVEBOOK_COOKIE - sets the cookie for running Livebook in a cluster.
     Defaults to a random string that is generated on boot.
 

lib/livebook.ex

@@ -177,6 +177,10 @@ defmodule Livebook do
       config :livebook, :force_ssl_host, force_ssl_host
     end
 
+    if cacertfile = Livebook.Config.cacertfile!("LIVEBOOK_CACERTFILE") do
+      config :livebook, :cacertfile, cacertfile
+    end
+
     config :livebook,
            :cookie,
            Livebook.Config.cookie!("LIVEBOOK_COOKIE") ||

lib/livebook/config.ex

@@ -319,6 +319,14 @@ defmodule Livebook.Config do
     Application.fetch_env!(:livebook, :force_ssl_host)
   end
 
+  @doc """
+  Returns the application cacertfile if any.
+  """
+  @spec cacertfile() :: String.t() | nil
+  def cacertfile() do
+    Application.get_env(:livebook, :cacertfile)
+  end
+
   @feature_flags Application.compile_env(:livebook, :feature_flags)
 
   @doc """
@@ -513,6 +521,13 @@ defmodule Livebook.Config do
     System.get_env(env)
   end
 
+  @doc """
+  Parses application cacertfile from env.
+  """
+  def cacertfile!(env) do
+    System.get_env(env)
+  end
+
   @doc """
   Parses application service name from env.
   """

lib/livebook/utils/http.ex

@@ -213,9 +213,17 @@ defmodule Livebook.Utils.HTTP do
 
   defp http_ssl_opts() do
     # Use secure options, see https://gist.github.com/jonatanklosko/5e20ca84127f6b31bbe3906498e1a1d7
+
+    cacert_opt =
+      if cacertfile = Livebook.Config.cacertfile() do
+        {:cacertfile, to_charlist(cacertfile)}
+      else
+        {:cacerts, @cacerts}
+      end
+
     [
+      cacert_opt,
       verify: :verify_peer,
-      cacerts: @cacerts,
       customize_hostname_check: [
         match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
       ]