34

I created a Docker container for talking to the Google API using GoLang. I started off using a SCRATCH container and am getting the error `certificate signed by unknown authority`. Upon changing to ubuntu/alpine I still get the error.

```go
resp, err := client.Get("https://www.googleapis.com/oauth2/v3/userinfo")
```

Any help solving this issue would be great. I can run the code fine on my mac.

Having done some research I can see the issue https://github.com/golang/go/issues/24652

but I don't know if this is directly related or if I need to share some certificate with the container.

3 Answers

84

With scratch, you need to include the trusted certificates in addition to your application inside the image. E.g. if you have the ca-certificates.crt in your project to inject directly:

```dockerfile
FROM scratch
ADD ca-certificates.crt /etc/ssl/certs/
ADD main /
CMD ["/main"]
```

If you are using a multi-stage build and only want the certificates packaged by the distribution vendor, that looks like:

```dockerfile
FROM golang:alpine AS build
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates
WORKDIR /go/src/app
COPY . .
# go-wrapper is no longer shipped in the official golang images, so build with
# the go tool directly (assumes the project has a go.mod)
RUN CGO_ENABLED=0 go build -ldflags '-extldflags "-static"' -o /go/bin/app .

FROM scratch
# copy the ca-certificates.crt from the build stage
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /go/bin/app /app
ENTRYPOINT ["/app"]
```

1 Comment

I was getting very odd behavior as soon as I containerized my app (which ran fine natively on both Linux and Windows). On a hunch that it was ca-certs, and this answer completely fixed my issues!

4

The answer above is outdated, just use

```go
import _ "golang.org/x/crypto/x509roots/fallback"
```

instead, see details on https://laurentsv.com/blog/2024/06/25/stop-the-go-and-docker-madness.html


-1

You can use a self-signed certificate, especially for Ubuntu. Before you begin, you should have a non-root user configured with sudo privileges. You can learn how to set up such a user account by following our initial server setup for Ubuntu 16.04.

1 Comment

This doesn’t seem to have much to do with the question at hand
