30

I created a Docker container for talking to the Google API using GoLang. I started off using a SCRATCH container and am getting the error "certificate signed by unknown authority". Upon changing to ubuntu/alpine I still get the error.

resp, err := client.Get("https://www.googleapis.com/oauth2/v3/userinfo")

Any help solving this issue would be great. I can run the code fine on my mac.

Having done some research I can see the issue https://github.com/golang/go/issues/24652

but I don't know if this is directly related or if I need to share some certificate with the container.

Westy10101

2 Answers

77

With scratch, you need to include the trusted certificates in addition to your application inside the image. E.g. if you have the ca-certificates.crt in your project to inject directly:

FROM scratch
ADD ca-certificates.crt /etc/ssl/certs/
ADD main /
CMD ["/main"]

If you are using a multi stage build and only want the certificates packaged by the distribution vendor, that looks like:

FROM golang:alpine as build
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates
WORKDIR /go/src/app
COPY . .
RUN CGO_ENABLED=0 go-wrapper install -ldflags '-extldflags "-static"'

FROM scratch
# copy the ca-certificates.crt from the build stage
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /go/bin/app /app
ENTRYPOINT ["/app"]
BMitch
  • I was getting very odd behavior as soon as I containerized my app (which ran fine natively on both linux and windows) on a hunch that it was ca-certs and this answer completely fixed my issues! – CenterOrbit Mar 29 '20 at 05:23
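
The failure and the fix from the answer above, reproduced offline as an added example that is not part of the original answer: a client with an empty root pool (standing in for a scratch image that has no `ca-certificates.crt`) fails with "certificate signed by unknown authority", and the same request succeeds once the CA bundle is loaded. The local `httptest` server and the names `probe`, `isUnknownAuthority` and `demo` are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// probe GETs url trusting only the CA certificates in bundlePEM. A nil bundle
// leaves the pool empty, which is the state of a scratch image with no CA file.
func probe(url string, bundlePEM []byte) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundlePEM)
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority matches the "certificate signed by unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo runs both cases against a constructed local TLS server standing in for the API.
func demo() (withoutBundle, withBundle error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return probe(srv.URL, nil), probe(srv.URL, bundle)
}

func main() {
	without, with := demo()
	fmt.Println("empty pool -> unknown authority:", isUnknownAuthority(without))
	fmt.Println("with bundle -> error:", with)
	// The path the Dockerfiles above populate; absent in a bare scratch image.
	_, err := os.Stat("/etc/ssl/certs/ca-certificates.crt")
	fmt.Println("bundle file present in this environment:", err == nil)
}
```

Matching on `x509.UnknownAuthorityError` rather than the error string separates a missing trust store from other TLS failures such as hostname mismatch or an expired certificate.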
0

You can use a self-signed certificate, specially for Ubuntu. Before you begin, you should have a non-root user configured with sudo privileges. You can learn how to set up such a user account by following our initial server setup for Ubuntu 16.04.