Home > Article > Backend Development > How to Resolve \"x509: certificate signed by unknown authority\" Error in Docker Multi-Stage Build Go Images?
Docker Multi-Stage Build Go Images with Certificate Authority Issues
Problem:
When attempting to build Go images in a private corporation network using a Docker multi-stage build, you may encounter an error stating "x509: certificate signed by unknown authority." This occurs when Git attempts to retrieve dependencies from secure HTTPS servers.
Cause:
The issue stems from the lack of required certificates in the system's CA store, causing Git to reject the HTTPS connections.
Solution:
To resolve the issue, it is necessary to import the missing certificates into the system's CA store using OpenSSL. Here is an example Dockerfile that demonstrates how to achieve this:
FROM golang:latest as builder RUN apt-get update && apt-get install -y ca-certificates openssl ARG cert_location=/usr/local/share/ca-certificates # Get certificate from "github.com" RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ${cert_location}/github.crt # Get certificate from "proxy.golang.org" RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt # Update certificates RUN update-ca-certificates WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH} FROM alpine:latest LABEL maintainer="Kozmo" RUN apk add --no-cache bash WORKDIR /app COPY --from=builder /app/main . EXPOSE 8080 CMD ["/main"]
Explanation:
This Dockerfile includes several additional steps compared to the original. It first installs OpenSSL and updates the system's CA certificates. Then, it uses OpenSSL to retrieve the certificates from "github.com" and "proxy.golang.org" and imports them into the CA store. Finally, it updates the certificates, enabling Git to successfully retrieve dependencies during the go mod download command.
Note:
Instead of editing the Dockerfile to import the certificates, you can also set the environment variable GIT_SSL_NO_VERIFY=1 on your agent environment variables. However, this approach is not recommended for production use as it disables SSL verification.
The above is the detailed content of How to Resolve \"x509: certificate signed by unknown authority\" Error in Docker Multi-Stage Build Go Images?. For more information, please follow other related articles on the PHP Chinese website!