How to Resolve \"x509: certificate signed by unknown authority\" Error in Docker Multi-Stage Build Go Images?

Docker Multi-Stage Build Go Images with Certificate Authority Issues

Problem:

When attempting to build Go images in a private corporation network using a Docker multi-stage build, you may encounter an error stating "x509: certificate signed by unknown authority." This occurs when Git attempts to retrieve dependencies from secure HTTPS servers.

Cause:

The issue stems from the lack of required certificates in the system's CA store, causing Git to reject the HTTPS connections.

Solution:

To resolve the issue, it is necessary to import the missing certificates into the system's CA store using OpenSSL. Here is an example Dockerfile that demonstrates how to achieve this:

FROM golang:latest as builder

RUN apt-get update && apt-get install -y ca-certificates openssl

ARG cert_location=/usr/local/share/ca-certificates

# Get certificate from "github.com"
RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ${cert_location}/github.crt
# Get certificate from "proxy.golang.org"
RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt
# Update certificates
RUN update-ca-certificates

WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}

FROM alpine:latest
LABEL maintainer="Kozmo"
RUN apk add --no-cache bash
WORKDIR /app
COPY --from=builder /app/main .
EXPOSE 8080
CMD ["/main"]

Explanation:

This Dockerfile includes several additional steps compared to the original. It first installs OpenSSL and updates the system's CA certificates. Then, it uses OpenSSL to retrieve the certificates from "github.com" and "proxy.golang.org" and imports them into the CA store. Finally, it updates the certificates, enabling Git to successfully retrieve dependencies during the go mod download command.

Note:

Instead of editing the Dockerfile to import the certificates, you can also set the environment variable GIT_SSL_NO_VERIFY=1 on your agent environment variables. However, this approach is not recommended for production use as it disables SSL verification.

The above is the detailed content of How to Resolve \"x509: certificate signed by unknown authority\" Error in Docker Multi-Stage Build Go Images?. For more information, please follow other related articles on the PHP Chinese website!