Troubleshooting "x509: Certificate Signed by Unknown Authority" Error in Docker Multi-Stage Go Image Build
When attempting to build a multi-stage Docker image for a Go application in a private network, you may encounter the following error:
x509: certificate signed by unknown authority
This error arises because certificate verification fails when dependencies are downloaded with go get or go mod download. Setting the GIT_SSL_NO_VERIFY environment variable among the agent's environment variables can bypass the check in that context, but it has no effect on go get or go mod download.
Solution
To resolve this issue and enable secure certificate verification, you can import the necessary certificates into the CA store of your system using openssl. For instance:
    FROM golang:latest as builder

    RUN apt-get update && apt-get install -y ca-certificates openssl

    ARG cert_location=/usr/local/share/ca-certificates

    # Get certificate from "github.com"
    RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt
    # Get certificate from "proxy.golang.org"
    RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt
    # Update certificates
    RUN update-ca-certificates

    # Proceed with your build process...
By importing the certificates into the CA store, secure certificate verification is enabled for git dependency retrieval.
Example
The following Dockerfile demonstrates the solution:
    FROM golang:latest as builder

    RUN apt-get update && apt-get install -y ca-certificates openssl

    ARG cert_location=/usr/local/share/ca-certificates
    # Path of the main package. The original does not declare MAIN_PATH;
    # the default "." (module root) is an assumption.
    ARG MAIN_PATH=.

    # Get certificate from "github.com"
    RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt
    # Get certificate from "proxy.golang.org"
    RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt
    # Update certificates
    RUN update-ca-certificates

    WORKDIR /app
    # Download dependencies first so this layer is cached until go.mod/go.sum change
    COPY go.mod go.sum ./
    RUN go mod download
    COPY . .
    RUN GO111MODULE="on" CGO_ENABLED=0 GOOS=linux go build -o main ${MAIN_PATH}

    FROM alpine:latest
    LABEL maintainer="Kozmo"
    RUN apk add --no-cache bash
    WORKDIR /app
    COPY --from=builder /app/main .
    EXPOSE 8080
    # The binary is copied to /app/main, so run it from there
    CMD ["/app/main"]
This Dockerfile will import the necessary certificates and update the CA store, allowing for secure certificate verification during dependency retrieval for your Go application build within a private network.
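The openssl s_client steps above add whatever certificate the endpoint presents at build time to the CA store. As an added example (not code from the original article), the Go helper below accepts a captured PEM file only if its SHA-256 fingerprint matches a pin obtained out of band. The names checkPinned and sampleCert and the host proxy.example.internal are hypothetical, and the sample certificate is constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// checkPinned accepts a PEM certificate (such as the openssl pipeline's output) only if the
// SHA-256 of its DER bytes equals the pin (plain hex or openssl's colon-separated form).
func checkPinned(pemBytes []byte, pin string) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no PEM certificate found")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return fmt.Errorf("not a valid X.509 certificate: %w", err)
	}
	sum := sha256.Sum256(block.Bytes)
	got := hex.EncodeToString(sum[:])
	if got != strings.ToLower(strings.ReplaceAll(pin, ":", "")) {
		return fmt.Errorf("fingerprint %s does not match the pin", got)
	}
	return nil
}

// sampleCert returns a constructed self-signed certificate (PEM) and its fingerprint.
func sampleCert() ([]byte, string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "proxy.example.internal"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	sum := sha256.Sum256(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), hex.EncodeToString(sum[:])
}

func main() {
	crt, pin := sampleCert()
	fmt.Println(checkPinned(crt, pin), checkPinned(crt, strings.Repeat("0", 64)))
}
```

In a build, the pin would come from the team that operates the proxy or internal CA, and the check would run before update-ca-certificates.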