How to Fix \"x509: Certificate Signed by Unknown Authority\" Error in Docker Multi-Stage Build for Go Projects?

Docker Multi-Stage Build: Resolving "x509: Certificate Signed by Unknown Authority" Error

When attempting to build Docker images for Go in a private corporate network using multi-stage builds, an error of "x509: certificate signed by unknown authority" may arise. This issue stems from certificate and authentication issues while retrieving Go dependencies.

Understanding the Problem:

The error occurs because git, which is used by Go to access dependencies, utilizes curl. This requires the necessary certificates to be imported into the system's CA store. Initially, it was suggested to use the environment variable GIT_SSL_NO_VERIFY=1, but this approach proved ineffective for obtaining dependencies.

Solution: Importing Certificates into the CA Store

To resolve this issue, it is necessary to import the relevant certificates into the system's CA store. The method for doing so varies depending on the OS, but generally involves using the openssl command.

For example, in a Debian-based system, the following commands can be used:

1. apt-get update && apt-get install -y ca-certificates openssl
2. openssl s_client -showcerts -connect github.com:443 /dev/null | openssl x509 -outform PEM > /usr/local/share/ca-certificates/github.crt (for GitHub certificate)
3. openssl s_client -showcerts -connect proxy.golang.org:443 /dev/null | openssl x509 -outform PEM > /usr/local/share/ca-certificates/proxy.golang.crt (for proxy.golang.org certificate)
4. update-ca-certificates

Modified Dockerfile:

By incorporating these certificate importing steps into the Dockerfile, the issue can be resolved, allowing the dependencies to be obtained and the build to proceed successfully. Below is an updated Dockerfile:

FROM golang:latest as builder

RUN apt-get update && apt-get install -y ca-certificates openssl

ARG cert_location=/usr/local/share/ca-certificates

# Get certificate from "github.com"
RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ${cert_location}/github.crt
# Get certificate from "proxy.golang.org"
RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt
# Update certificates
RUN update-ca-certificates

WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}

FROM alpine:latest
LABEL maintainer="Kozmo"
RUN apk add --no-cache bash
WORKDIR /app
COPY --from=builder /app/main .
EXPOSE 8080
CMD ["/./main"]

The above is the detailed content of How to Fix \"x509: Certificate Signed by Unknown Authority\" Error in Docker Multi-Stage Build for Go Projects?. For more information, please follow other related articles on the PHP Chinese website!