Reputation: 4342
When building a Docker image based on an image in a private repo using a TLS certificate signed with a self-signed CA, everything works fine if that CA is already in the macOS Keychain or in the Windows Trusted Certificate Store – as long as you build using `docker build`.

However, when using `docker buildx build` the CA is not found and the build fails with a certificate error.
Consider this `Dockerfile`:

```dockerfile
FROM dockerhub.my.private.mirror.org/oraclelinux:8.6
```
With `docker build` it works fine:

```
% docker build .
...
 => CACHED [1/1] FROM dockerhub.my.private.mirror.org/oraclelinux:8.6
...
```
However, using `docker buildx build` it fails:

```
% docker buildx build --load .
...
 => ERROR [internal] load metadata for dockerhub.my.private.mirror.org/oraclelinux:8.6
------
 > [internal] load metadata for dockerhub.my.private.mirror.org/oraclelinux:8.6:
------
Dockerfile:1
--------------------
   1 | >>> FROM dockerhub.my.private.mirror.org/oraclelinux:8.6
   2 |
--------------------
error: failed to solve: dockerhub.my.private.mirror.org/oraclelinux:8.6: ↩
failed to do request: Head "https://dockerhub.my.private.mirror.org/v2/oraclelinux/manifests/8.6": ↩
x509: certificate signed by unknown authority
```
Does anyone know how to configure `docker buildx` to use the private CA certificate on macOS, Windows and Linux?
Upvotes: 9
Views: 10701
Reputation: 3317
This answer is for the Docker Desktop environment under Windows. I was having the same issue and the solution from @Lektro9 did not work out for me. However, I was successful with the answer stated here. The following content is based on this.
Add Registry Certificate as CA in BuildX container
BuildX for multiplatform builds runs in its own Docker container and you will have to take extra steps to add trust to registries with self-signed certificates. The following steps use the tool `update-ca-certificates` to get it done.

Access the buildx container by opening a shell:

```shell
docker exec -it buildx_buildkit_mybuilder0 /bin/sh
```

Go to the trusted certificates folder:

```shell
cd /usr/local/share/ca-certificates/
```

Copy the registry's certificate from the source location to the container, e.g. by `scp`:

```shell
scp <username>@<sourceIP>:/path/to/certificate/of/registry.crt \
    ./<registrynameandport>.crt
```

Update the container's trusted CA list now by calling:

```shell
update-ca-certificates
```

You can ignore the following warning, which you might get:

```
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
```

Restart the builder container for the changes to take effect. `docker buildx build` should work just fine now.

If unsure, you can verify that the process was successful by checking the content of `/etc/ssl/certs` inside the buildx container. It should now contain an entry named `ca-cert-<registrynameandport>.pem` and it should also be listed in the `ca-certificates.crt` file.
Upvotes: 10
Reputation: 91
My answer is based on this: https://github.com/docker/buildx/blob/master/docs/guides/custom-registry-config.md

`buildkitd.toml`:

```toml
[registry."your.dockerimagehost.example"]
  ca=["/home/downloads/mycacert.pem"]
```

```shell
docker buildx create --use --config buildkitd.toml
```
Upvotes: 9
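The per-registry `buildkitd.toml` approach from the answer above scopes trust in the CA to one registry host, rather than adding it to the builder's system-wide store as the `update-ca-certificates` answer does. The following helper (an added example, not code from either answer or from the buildx project) derives the registry hosts a `Dockerfile` pulls from, using Docker's reference rule, checks that the CA file is structurally PEM, and emits the matching `[registry."host"]` blocks; the Dockerfile, hostnames and path in it are constructed sample values.

```python
import re
import ssl

# Constructed sample inputs: a Dockerfile and a map of registry host -> CA PEM
# path as seen by the machine where buildkitd runs (hypothetical values).
SAMPLE_DOCKERFILE = """\
FROM dockerhub.my.private.mirror.org/oraclelinux:8.6 AS base
FROM --platform=linux/amd64 localhost:5000/tools:1.0
FROM python:3.12-slim
"""
REGISTRY_CAS = {"dockerhub.my.private.mirror.org": "/home/downloads/mycacert.pem"}


def registry_host(image_ref: str) -> str:
    """Docker's rule: the first path component is a registry only if it
    contains '.' or ':' or equals 'localhost'; otherwise the image is on docker.io."""
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def dockerfile_registries(text: str) -> list:
    """Registry hosts referenced by FROM lines, in order, without duplicates.
    Flags such as --platform and a trailing 'AS name' are skipped."""
    hosts = []
    for line in text.splitlines():
        m = re.match(r"\s*FROM\s+(?:--\S+\s+)*(\S+)", line, re.IGNORECASE)
        if m and registry_host(m.group(1)) not in hosts:
            hosts.append(registry_host(m.group(1)))
    return hosts


def pem_is_certificate(pem: str) -> bool:
    """Structural check only: a key file or DER blob handed to 'ca' would make
    the builder fail at start, so reject anything that is not a PEM cert block."""
    try:
        ssl.PEM_cert_to_DER_cert(pem)
    except ValueError:
        return False
    return True


def buildkitd_toml(hosts, cas: dict) -> str:
    """One scoped block per private registry; 'insecure' stays false so TLS
    verification is still enforced, only the trust anchor changes."""
    blocks = []
    for h in hosts:
        if h in cas:
            blocks.append(f'[registry."{h}"]\n  ca = ["{cas[h]}"]\n  insecure = false\n')
    return "\n".join(blocks)
```

Write the returned text to `buildkitd.toml` and pass it with `docker buildx create --use --config buildkitd.toml`; hosts missing from the map (here `localhost:5000`) get no block and still need a CA entry of their own.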