
At work (i.e. within an enterprise environment), I have a web server written in Go, and it runs fine locally. I then dockerized the app, but when running it in a container I got an error, x509: certificate signed by unknown authority, at the point where it made an HTTPS request to an internal remote API.

I guess that means I am missing a step to add a proper certificate in the Dockerfile.

Should I find where the certificate is on my local machine and copy it into the Dockerfile? Is it common practice to do so? If not, what else can I do?

Also, since it works fine locally, it must know where to look for the certificates and find one successfully. How does it know which certificate to use if there are multiple certificates on my machine?

  • Is the remote API a public one, or some internal (to the enterprise) endpoint? Commented Nov 19, 2022 at 9:54
  • @DusanBajic it's an internal remote api Commented Nov 19, 2022 at 11:22
  • which container OS is your docker image using? Commented Nov 19, 2022 at 11:27
  • @DusanBajic it's using Debian Commented Nov 19, 2022 at 11:29
  • 1
    As a general guidance: you need to get (export to a file) the remote API root CA cert (either from your local truststore or by fetching it directly from the remote endpoint). Then you need to place that file into your container truststore and import it Commented Nov 19, 2022 at 12:05
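The trust lookup the question asks about ("how does it know which certificate to use") and the root-CA import the last comment describes, as an added Go example that is not code from the question, the comments or either answer. It builds a constructed test root CA and a server certificate signed by it, shows that verifying that certificate against an empty truststore produces the same "x509: certificate signed by unknown authority" error, and that appending the root CA's PEM to the pool makes verification succeed; newInternalClient does the same for an http.Client on top of the system roots. The host name api.internal.example and the CA name are constructed placeholders, not values from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Hypothetical name of the internal API; a constructed placeholder.
const internalAPIHost = "api.internal.example"

// signCert issues tmpl signed by signerKey under parent (self-signed when parent == tmpl).
func signCert(tmpl, parent *x509.Certificate, pub any, signerKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// makeTestChain builds a throw-away root CA and a server certificate signed by it (constructed
// test data standing in for the enterprise root CA and the internal API's certificate).
func makeTestChain() ([]byte, *x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA (test)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, rootDER, err := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{internalAPIHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := signCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER}), leaf, nil
}

// verifyServerCert checks leaf against roots the way crypto/tls does in a handshake: chain building plus host name matching.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is the question's "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// newInternalClient builds an HTTPS client that trusts the system roots plus the enterprise root CA
// in extraRootPEM. On Linux, Go reads the system roots from SSL_CERT_FILE / SSL_CERT_DIR when set,
// otherwise from well-known bundle paths such as /etc/ssl/certs/ca-certificates.crt.
func newInternalClient(extraRootPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // no platform roots available; start from an empty pool
	}
	if !pool.AppendCertsFromPEM(extraRootPEM) {
		return nil, errors.New("extraRootPEM contains no parsable certificate")
	}
	tlsCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

func main() {
	rootPEM, leaf, err := makeTestChain()
	if err != nil {
		panic(err)
	}
	err = verifyServerCert(leaf, x509.NewCertPool(), internalAPIHost) // empty truststore, as in a bare scratch image
	fmt.Printf("empty truststore: %v (unknown authority: %t)\n", err, isUnknownAuthority(err))
	trusted := x509.NewCertPool()
	trusted.AppendCertsFromPEM(rootPEM) // the fix: the enterprise root CA is now a trusted anchor
	fmt.Printf("with root CA: err=%v\n", verifyServerCert(leaf, trusted, internalAPIHost))
}
```

Two consequences for the container case follow from how the system pool is loaded. A FROM scratch image has none of the bundle paths, so every HTTPS request fails with this error until the bundle is copied in, which is what the COPY --from=builder line in the Dockerfile answer does. An image that has the distribution bundle but not the enterprise root CA fails the same way, so the root CA PEM has to be either appended to that bundle file (or pointed to with SSL_CERT_FILE) or loaded explicitly as newInternalClient does; bind-mounting the certificate to a path Go does not consult changes nothing.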

2 Answers


Try adding the following line in your Dockerfile

RUN apk --no-cache add ca-certificates

You can also refer to the following sample Dockerfile that I use for all of my Go-based projects. This uses a two-stage build and hence produces the smallest container with the certificates

FROM golang:alpine AS builder

LABEL maintainer="Mayukh Sarkar <[email protected]>"
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates

# Move to working directory (/build).
WORKDIR /build

# Copy and download dependency using go mod.
COPY go.mod go.sum ./
RUN go mod download

# Copy the code into the container.
COPY . .

# Set necessary environment variables needed for our image and build the API server.
ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
RUN go build -ldflags="-s -w" -o apiserver .

# 2 staged build
FROM scratch
# copy the ca-certificate.crt from the build stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy binary and config files from /build to root folder of scratch container.
COPY --from=builder ["/build/apiserver", "/build/.env", "/"]

EXPOSE 9999/tcp
EXPOSE 9000/tcp
# Command to run when starting the container.
ENTRYPOINT ["/apiserver"]

3 Comments

I added RUN apk --no-cache add ca-certificates after the FROM command in the Dockerfile and rebuilt the image; I still got the same error when running the app in the container. The app is a web server running on port 9000 in the container, so I am exposing host port 9000 in docker run and accessing the app via 127.0.0.1:9000 from the client. I don't think there is any network issue though, just to be clear.
@dragonfly02 Can this help? stackoverflow.com/questions/67231714/…
Interesting that the linked question tries to add a self-signed certificate to the trusted root CA store in the container. I have been trying to bind mount the local certificate to the relevant path in the container; no luck so far. Maybe I didn't bind to the correct path.

To be clear, you only need to port the certificates when you copy the binary across, so you only actually need to add:

# copy the ca-certificate.crt from the build stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

when you start stage 2. Thanks Mayukh for the correct answer here!

1 Comment

This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
