Reputation: 3669
At work (i.e. within an enterprise environment), I have a web server written in Golang and it's running fine locally. Then I dockerized the app, but when running the app in a container, I got an error: x509: certificate signed by unknown authority
at the point where it made an HTTPS request to an internal remote API.
Guess that means I am missing a step to add a proper certificate in the Dockerfile.
Should I find where the certificate is on my local machine and copy it into the Dockerfile? Is it a common practice to do so? If not, what else can I do?
Also, since it works fine locally, it must know where to look for the certificates and find one successfully. How does it know which certificate to use if there are multiple certificates on my machine?
Upvotes: 2
Views: 2552
Reputation: 36
To be clear, you only need to port the certificates when you copy the binary across,
so you only actually need to add:
# copy the ca-certificate.crt from the build stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
when you start stage 2. Thanks Mayukh for the correct answer here!
Upvotes: 0
Reputation: 2615
Try adding the following line to your Dockerfile:
RUN apk --no-cache add ca-certificates
You can also refer to the following sample Dockerfile that I use for all of my Golang-based projects. This uses a two-stage build and hence produces the smallest container with the certificates:
FROM golang:alpine AS builder
LABEL maintainer="Mayukh Sarkar <[email protected]>"
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates
# Move to working directory (/build).
WORKDIR /build
# Copy and download dependency using go mod.
COPY go.mod go.sum ./
RUN go mod download
# Copy the code into the container.
COPY . .
# Set necessary environment variables needed for our image and build the API server.
ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
RUN go build -ldflags="-s -w" -o apiserver .
# 2 staged build
FROM scratch
# copy the ca-certificate.crt from the build stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Copy binary and config files from /build to root folder of scratch container.
COPY --from=builder ["/build/apiserver", "/build/.env", "/"]
EXPOSE 9999/tcp
EXPOSE 9000/tcp
# Command to run when starting the container.
ENTRYPOINT ["/apiserver"]
Upvotes: 3
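Added example, not code from the question or either answer: a Go client that trusts the image's system roots plus an extra CA bundle, and a check that recognizes the exact error from the question. The names `clientWithExtraCA`, `isUnknownAuthority` and `demo` are hypothetical, and the local `httptest` server is a constructed stand-in for an internal API whose certificate chains to a CA that is not in the public bundle.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithExtraCA trusts the system roots plus the CAs in extraPEM (assumed: your internal CA bundle).
func clientWithExtraCA(extraPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no readable bundle in the image
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, errors.New("extra CA PEM contains no usable certificate")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// isUnknownAuthority matches "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo calls a local TLS server (constructed stand-in) without and with its CA trusted.
func demo() (bool, bool) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	plain, _ := clientWithExtraCA(nil)
	_, err := plain.Get(srv.URL)
	failsWithoutCA := isUnknownAuthority(err)
	trusted, _ := clientWithExtraCA(caPEM)
	defer trusted.CloseIdleConnections()
	resp, err := trusted.Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return failsWithoutCA, err == nil
}

func main() { fmt.Println(demo()) }
```

In a container, read the PEM from a file mounted or copied into the image and pass it as `extraPEM`. On Linux, Go's `crypto/x509` also honors the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables when locating the system bundle.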