Podman builds started failing on the cargo build step with certificate errors. It was working for a couple weeks but started failing all of a sudden.
The error returned from the build is:
Caused by:
failed to download from `https://index.crates.io/config.json`
Caused by:
[60] SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)
Here is the relevant portion of the Dockerfile:
FROM rust:1.86.0-bullseye as backend-builder
WORKDIR app
COPY Cargo.toml Cargo.lock .
COPY crates ./crates
RUN cargo build --release
I have tried following the steps at https://podman-desktop.io/docs/podman/adding-certificates-to-a-podman-machine but it does not seem to help.
Npm installs are working using the following Dockerfile:
FROM node:18.20-bullseye as node-base
WORKDIR app
COPY ./package.json ./.npmrc .
# Configure npm to handle SSL certificate issues with Zscaler
ENV NODE_TLS_REJECT_UNAUTHORIZED=0
RUN npm config set strict-ssl false && \
    npm config set registry https://registry.npmjs.org/ && \
    npm install
I am on a Mac.
My approach would be to install the ZScaler certificate into your backend-builder container.
I'm not familiar enough with Debian-based images to know exactly how to do that, but on RedHat environments, I'd drop the cert file into /etc/pki/ca-trust/source/anchors and run update-ca-trust (as root). I assume that there's an equivalent mechanism which will work on your rust:1.86.0-bullseye image.
Taking a few minutes to experiment, it appears that the easiest way to do it is to just append your ZScaler certificate to the existing /etc/ssl/certs/ca-certificates.crt file, and cargo will work. But I'm uncertain if that's the preferred way to do it.
(Oh, and I can definitely sympathise with anyone dealing with ZScaler like this... it's wasted weeks of my time over the years since we adopted it).
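An added example, not part of the original posts: the Debian counterpart of the RedHat anchors directory and update-ca-trust is /usr/local/share/ca-certificates plus update-ca-certificates, which regenerates the /etc/ssl/certs/ca-certificates.crt bundle mentioned above. It assumes the ZScaler root CA has been exported in PEM format to a file named zscaler-root-ca.crt (a hypothetical name) in the build context, and it also shows the npm stage trusting that CA through NODE_EXTRA_CA_CERTS instead of turning certificate verification off.

```dockerfile
# Added example, not from the original thread.
# Assumption: zscaler-root-ca.crt (hypothetical file name) is the ZScaler root CA
# in PEM format, placed next to this Dockerfile.

FROM rust:1.86.0-bullseye AS backend-builder

# update-ca-certificates only picks up files ending in .crt from this directory.
COPY zscaler-root-ca.crt /usr/local/share/ca-certificates/zscaler-root-ca.crt

# Regenerate /etc/ssl/certs/ca-certificates.crt, then fail the build early if
# the file is not valid PEM or is not trusted through the regenerated bundle.
RUN update-ca-certificates \
 && openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
      /usr/local/share/ca-certificates/zscaler-root-ca.crt

# Optional: point cargo at the bundle explicitly (cargo's http.cainfo setting).
ENV CARGO_HTTP_CAINFO=/etc/ssl/certs/ca-certificates.crt

WORKDIR /app
COPY Cargo.toml Cargo.lock ./
COPY crates ./crates
RUN cargo build --release

FROM node:18.20-bullseye AS node-base

COPY zscaler-root-ca.crt /usr/local/share/ca-certificates/zscaler-root-ca.crt

# Node adds this CA to its built-in trust store, so TLS verification stays on
# and NODE_TLS_REJECT_UNAUTHORIZED=0 / strict-ssl=false are no longer needed.
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/zscaler-root-ca.crt

WORKDIR /app
COPY ./package.json ./.npmrc ./
RUN npm config set registry https://registry.npmjs.org/ && \
    npm install
```

Compared with appending to ca-certificates.crt by hand, the certificate added this way survives any later update-ca-certificates run in the image, since that command rebuilds the bundle from the source directories.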