How to Fix \'x509: Certificate Signed by Unknown Authority\' Error in Docker Multi-Stage Go Image Builds?

Troubleshooting "x509: Certificate Signed by Unknown Authority" Error in Docker Multi-Stage Go Image Build

When attempting to build a multi-stage Docker image for a Go application in a private network, you may encounter the following error:

x509: certificate signed by unknown authority

This error arises due to difficulties with certificate verification when downloading dependencies via go get or go mod download. While setting the GIT_SSL_NO_VERIFY environment variable can bypass this issue for Agent environment variables, it does not work when using go get or go mod download.

Solution

To resolve this issue and enable secure certificate verification, you can import the necessary certificates into the CA store of your system using openssl. For instance:

FROM golang:latest as builder

RUN apt-get update && apt-get install -y ca-certificates openssl

ARG cert_location=/usr/local/share/ca-certificates

# Get certificate from "github.com"
RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt
# Get certificate from "proxy.golang.org"
RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >  ${cert_location}/proxy.golang.crt
# Update certificates
RUN update-ca-certificates

# Proceed with your build process...

By importing the certificates into the CA store, secure certificate verification is enabled for git dependency retrieval.

Example

The following Dockerfile demonstrates the solution:

FROM golang:latest as builder

RUN apt-get update && apt-get install -y ca-certificates openssl

ARG cert_location=/usr/local/share/ca-certificates

# Get certificate from "github.com"
RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt
# Get certificate from "proxy.golang.org"
RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >  ${cert_location}/proxy.golang.crt
# Update certificates
RUN update-ca-certificates

WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN  GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}

FROM alpine:latest
LABEL maintainer="Kozmo"
RUN apk add --no-cache bash
WORKDIR /app
COPY --from=builder /app/main .
EXPOSE 8080
CMD ["/main"]

This Dockerfile will import the necessary certificates and update the CA store, allowing for secure certificate verification during dependency retrieval for your Go application build within a private network.

The above is the detailed content of How to Fix \'x509: Certificate Signed by Unknown Authority\' Error in Docker Multi-Stage Go Image Builds?. For more information, please follow other related articles on the PHP Chinese website!