
How to Fix Docker Multi-Stage Image Build Errors: 'x509: Certificate Signed by Unknown Authority'?

Patricia Arquette
2024-11-03 20:46:03

Docker Multi-Stage Image Build Error: x509: Certificate Signed by Unknown Authority

This error occurs when building Docker images that rely on Git for dependency management, such as those using the docker-multi-stage-build technique.

Problem Overview

During image building, Git uses the system CA store to verify SSL certificates. However, in private networks, this store may not contain the necessary certificates to connect to external servers like GitHub and proxy.golang.org, resulting in the "x509: certificate signed by unknown authority" error.

Workaround

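The problem can be fixed by importing the certificates into the system CA store. Importing a certificate makes the build trust it unconditionally, so confirm that the retrieved certificate is the one your network is expected to present (for example, by comparing its fingerprint with a value obtained out of band) before adding it.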

Solution

  1. Install OpenSSL: Install the OpenSSL package on the host machine.
  2. Get Certificates: Retrieve the certificates for the problematic servers using the following OpenSSL commands:

    • For GitHub: openssl s_client -showcerts -connect github.com:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > ${cert_location}/github.crt
    • For proxy.golang.org: openssl s_client -showcerts -connect proxy.golang.org:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt
  3. Import Certificates: Import the certificates into the system CA store using the update-ca-certificates command.

Revised Dockerfile

The following revised Dockerfile incorporates the certificate import steps:

<code class="dockerfile">FROM golang:latest as builder

RUN apt-get update && apt-get install -y ca-certificates openssl

ARG cert_location=/usr/local/share/ca-certificates

# Fetch the leaf certificate that "github.com" presents from inside this network
RUN openssl s_client -showcerts -connect github.com:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > ${cert_location}/github.crt
# Fetch the leaf certificate that "proxy.golang.org" presents from inside this network
RUN openssl s_client -showcerts -connect proxy.golang.org:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt
# Update certificates
RUN update-ca-certificates

WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# MAIN_PATH selects the package to build; override with --build-arg MAIN_PATH=...
ARG MAIN_PATH=.
RUN GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}

FROM alpine:latest
LABEL maintainer="Kozmo"
RUN apk add --no-cache bash
WORKDIR /app
COPY --from=builder /app/main .
EXPOSE 8080
CMD ["/app/main"]</code>

Note: The update-ca-certificates command may take a few minutes to complete. Once it is finished, subsequent Docker builds should proceed without the "x509: certificate signed by unknown authority" error.
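
The following Go program is an added example, not code from the original article: it reproduces the error offline with Go's crypto/x509 and shows how the choice of imported certificate affects later builds. The private CA, the host name `goproxy.corp.example` and the helpers `issue` and `verify` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for cn signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err0 := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed CA: it is its own issuer and signs with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err1 := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, err2 := x509.ParseCertificate(der)
	if err := errors.Join(err0, err1, err2); err != nil {
		panic(err)
	}
	return cert, key
}

// verify checks leaf for host against a trust store that holds only the given anchors.
func verify(leaf *x509.Certificate, host string, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	const host = "goproxy.corp.example" // constructed name, not from the article
	ca, caKey := issue("private-ca.corp.example", 1, nil, nil)
	current, _ := issue(host, 2, ca, caKey)
	renewed, _ := issue(host, 3, ca, caKey) // same host after its certificate is renewed
	fmt.Println("empty store, current leaf:  ", verify(current, host))
	fmt.Println("leaf imported, current leaf:", verify(current, host, current))
	fmt.Println("leaf imported, renewed leaf:", verify(renewed, host, current))
	fmt.Println("CA imported, renewed leaf:  ", verify(renewed, host, ca))
}
```

Importing the leaf, as the `openssl x509` pipeline in the Dockerfile does, clears the error only until the server's certificate is renewed; importing the issuing CA keeps verification working across renewals.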
