docker multi-stage build Go image - x509: certificate signed by unknown authority


I am trying to build images in a private corp network using:

FROM golang:latest as builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN  GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}

FROM alpine:latest
LABEL maintainer="Kozmo"
RUN apk add --no-cache bash
WORKDIR /app
COPY --from=builder /app/main .
EXPOSE 8080
CMD ["./main"]

and get an x509: certificate signed by unknown authority error:

Step 1/13 : FROM golang:latest as builder
 ---> 2421885b04da
Step 2/13 : WORKDIR /app
 ---> Using cache
 ---> 6555644dbd16
Step 3/13 : COPY go.mod go.sum ./
 ---> 55d45a30f492
Step 4/13 : RUN go mod download
 ---> Running in 88c21c6b4fab
go: github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1: Get "https://proxy.golang.org/github.com/dgrijalva/jwt-go/v4/@v/v4.0.0-preview1.mod": x509: certificate signed by unknown authority
The command '/bin/sh -c go mod download' returned a non-zero code: 1
make: *** [docker] Error 1

I tried to find an answer in

  • X509: Certificate Signed by Unknown Authority (Running a Go App Inside a Docker Container)
  • docker build: cannot get the github public repository, x509: certificate signed by unknown authority
  • x509 certificate signed by unknown authority - go-pingdom

but the result is the same.


❗️If I add the -insecure flag

...
RUN go env -w GOPROXY=direct GOFLAGS="-insecure"
COPY go.mod go.sum ./
...

to the Dockerfile 👉🏻 the unrecognized import path error wraps the previous x509 error, and the unreachable package changes to golang.org/x/crypto

go: golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9: unrecognized import path "golang.org/x/crypto": https fetch: Get "https://golang.org/x/crypto?go-get=1": x509: certificate signed by unknown authority

What is the problem❓

(I understand that the problem is in the certificates and authentication when git gets dependencies, but I am trying to make the process of building images more common)


Solution

  • git uses curl to access the https servers so you need to import the certificate into the CA store of the system.

    The workaround is to define the environment variable GIT_SSL_NO_VERIFY=1 in your Agent environment variables, but it doesn't work when using go get or go mod download 😭.

    To import the certificate into your system CA store, the procedure depends on your OS; you have to use openssl.

    For example

    FROM golang:latest as builder
    
    RUN apt-get update && apt-get install -y ca-certificates openssl
    
    ARG cert_location=/usr/local/share/ca-certificates
    
    # Get certificate from "github.com"
    RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt
    # Get certificate from "proxy.golang.org"
    RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >  ${cert_location}/proxy.golang.crt
    # Update certificates
    RUN update-ca-certificates
    
    WORKDIR /app
    COPY go.mod go.sum ./
    RUN go mod download
    COPY . .
    RUN  GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}
    
    FROM alpine:latest
    LABEL maintainer="Kozmo"
    RUN apk add --no-cache bash
    WORKDIR /app
    COPY --from=builder /app/main .
    EXPOSE 8080
    CMD ["./main"]
    

    docker image build output 👇🏼

    ...
    
    Step 5/19 : RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt
     ---> Running in bb797e26d4b4
    Removing intermediate container bb797e26d4b4
     ---> 6c68ddafd884
    Step 6/19 : RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >  ${cert_location}/proxy.golang.crt
     ---> Running in 61f59939d75e
    Removing intermediate container 61f59939d75e
     ---> 72d2b03b11e6
    Step 7/19 : RUN update-ca-certificates
     ---> Running in 6cf9aa248776
    Updating certificates in /etc/ssl/certs...
    2 added, 0 removed; done. 👈🏻 'certificates updated'
    
    ...
    
    Step 8/18 : COPY go.mod go.sum ./
     ---> 436263b76050
    Step 9/18 : RUN go mod download 👈🏻 'works fine'
     ---> Running in 2387c78147db
    Removing intermediate container 2387c78147db
     ---> a37c05c2b531
    Step 10/18 : COPY . .
     ---> 01b49c388f59
    
    ...
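
An alternative to fetching the certificate with openssl s_client during the build, which trusts whichever certificate is presented at that moment: ship the corporate CA file in the build context and pin its digest before installing it. This is an added example, not code from the original post; it assumes the x509 error comes from a TLS-inspecting proxy that re-signs traffic with a corporate CA, and corp-root-ca.crt and CORP_CA_SHA256 are placeholder names.

```dockerfile
# Added example. corp-root-ca.crt and CORP_CA_SHA256 are placeholder names:
# the PEM CA file is obtained out of band and kept in the build context, and
# its SHA-256 file digest is passed with --build-arg CORP_CA_SHA256=<hex digest>.
FROM golang:latest AS builder

ARG CORP_CA_SHA256
COPY corp-root-ca.crt /usr/local/share/ca-certificates/corp-root-ca.crt

# Fail the build unless the file matches the pinned digest (an empty or wrong
# value makes sha256sum -c exit non-zero), then merge it into the system CA
# bundle that both git and the go tool read.
RUN echo "${CORP_CA_SHA256}  /usr/local/share/ca-certificates/corp-root-ca.crt" \
      | sha256sum -c - \
    && update-ca-certificates

# No GOFLAGS="-insecure" and no GIT_SSL_NO_VERIFY: certificate checks stay on.
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}

# Final stage unchanged from the question.
FROM alpine:latest
LABEL maintainer="Kozmo"
RUN apk add --no-cache bash
WORKDIR /app
COPY --from=builder /app/main .
EXPOSE 8080
CMD ["./main"]
```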