Home > Article > Backend Development > How to Resolve \"x509: certificate signed by unknown authority\" Error in Docker Multi-Stage Go Image Build?
Docker Multi-Stage Build Go Image: Resolving "x509: certificate signed by unknown authority" Error
In a private corporate network, it is common to encounter the "x509: certificate signed by unknown authority" error when attempting to build Go images using multi-stage builds due to the lack of trusted certificates for accessing external dependencies.
Root Cause
This error occurs because git, which is used by go get and go mod download, relies on curl to access HTTPS servers. In a private network, the system CA store may not have the necessary certificates to verify the authenticity of these servers.
Solution
To resolve this issue, you need to import the required certificates into the system CA store. This can be achieved using the openssl command, as shown in the following updated Dockerfile:
FROM golang:latest as builder RUN apt-get update && apt-get install -y ca-certificates openssl ARG cert_location=/usr/local/share/ca-certificates # Get certificate from "github.com" RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2></dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt # Get certificate from "proxy.golang.org" RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2></dev/null|openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt # Update certificates RUN update-ca-certificates WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH} FROM alpine:latest LABEL maintainer="Kozmo" RUN apk add --no-cache bash WORKDIR /app COPY --from=builder /app/main . EXPOSE 8080 CMD ["main"]
Verification
After applying this fix, the docker image build should proceed without the "x509: certificate signed by unknown authority" error as the necessary certificates are now installed in the CA store.
... Step 5/19 : RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2></dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt ---> Running in bb797e26d4b4 Removing intermediate container bb797e26d4b4 ---> 6c68ddafd884 Step 6/19 : RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2></dev/null|openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt ---> Running in 61f59939d75e Removing intermediate container 61f59939d75e ---> 72d2b03b11e6 Step 7/19 : RUN update-ca-certificates ---> Running in 6cf9aa248776 Updating certificates in /etc/ssl/certs... 2 added, 0 removed; done. ... Step 8/18 : COPY go.mod go.sum ./ ---> 436263b76050 Step 9/18 : RUN go mod download ---> Running in 2387c78147db Removing intermediate container 2387c78147db ---> a37c05c2b531 Step 10/18 : COPY . . ---> 01b49c388f59 ...
The above is the detailed content of How to Resolve \"x509: certificate signed by unknown authority\" Error in Docker Multi-Stage Go Image Build?. For more information, please follow other related articles on the PHP Chinese website!