【Question title】: Http call inside docker error certificate signed by unknown authority
【Posted】: 2022-11-20 11:38:55
【Question description】:

At work (i.e. within an enterprise environment), I have a web server written in Golang and it's running fine locally; then I dockerize the app; but when running the app in a container, I got an error: x509: certificate signed by unknown authority from where it made an https request to an internal remote api.

Guess that means I am missing a step to add a proper certificate in the Dockerfile.

Should I find where the certificate is on my local machine and copy it into the Dockerfile? Is it a common practice to do so? If not, what else can I do?

Also, since it works fine locally, it must know where to look for the certificates and find one successfully. How does it know which certificate to use if there are multiple certificates on my machine?

【Question discussion】:

Tags: docker go ssl https client-certificates


【Solution 1】:

Try adding the following line in your Dockerfile

RUN apk --no-cache add ca-certificates

You can also refer to the following sample Dockerfile that I use for all of my golang based projects. This uses a two-stage build and hence produces the smallest container with the certificates

FROM golang:alpine AS builder

LABEL maintainer="Mayukh Sarkar <mayukh2012@hotmail.com>"
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates

# Move to working directory (/build).
WORKDIR /build

# Copy and download dependency using go mod.
COPY go.mod go.sum ./
RUN go mod download

# Copy the code into the container.
COPY . .

# Set necessary environment variables needed for our image and build the API server.
ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
RUN go build -ldflags="-s -w" -o apiserver .

# 2 staged build
FROM scratch
# copy the ca-certificate.crt from the build stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy binary and config files from /build to root folder of scratch container.
COPY --from=builder ["/build/apiserver", "/build/.env", "/"]

EXPOSE 9999/tcp
EXPOSE 9000/tcp
# Command to run when starting the container.
ENTRYPOINT ["/apiserver"]

【Discussion】:
