Reputation: 981
I created a Docker container for talking to the Google API using Go. I started off using a SCRATCH container and am getting the error "certificate signed by unknown authority".
Upon changing to ubuntu/alpine I still get the error.
resp, err := client.Get("https://www.googleapis.com/oauth2/v3/userinfo")
Any help solving this issue would be great. I can run the code fine on my mac.
Having done some research I can see the issue https://github.com/golang/go/issues/24652
but I don't know if this is directly related or if I need to share some certificate with the container.
Upvotes: 34
Views: 17789
Reputation: 876
The answer above is outdated, just use
import _ "golang.org/x/crypto/x509roots/fallback"
instead, see details on https://laurentsv.com/blog/2024/06/25/stop-the-go-and-docker-madness.html
Upvotes: 4
Reputation: 264831
With scratch, you need to include the trusted certificates in addition to your application inside the image. E.g. if you have the ca-certificates.crt in your project to inject directly:
FROM scratch
ADD ca-certificates.crt /etc/ssl/certs/
ADD main /
CMD ["/main"]
If you are using a multi stage build and only want the certificates packaged by the distribution vendor, that looks like:
FROM golang:alpine as build
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates
WORKDIR /go/src/app
COPY . .
# go-wrapper was removed from the official golang images; call the go tool directly
RUN CGO_ENABLED=0 go build -ldflags '-extldflags "-static"' -o /go/bin/app .
FROM scratch
# copy the ca-certificates.crt from the build stage
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /go/bin/app /app
ENTRYPOINT ["/app"]
Upvotes: 84
Reputation: 1
You can use a self-signed certificate, especially for Ubuntu. Before you begin, you should have a non-root user configured with sudo privileges. You can learn how to set up such a user account by following our initial server setup for Ubuntu 16.04.
Upvotes: -1