I am having trouble using the IPFS CLI to pin a CID to a remote service (Pinata) from within a Docker container. This works fine when running from the host.

I am calling the following from the Dockerfile:

```dockerfile
# Pull base image
ARG AWS_ACCOUNT_ID
ARG AWS_DEFAULT_REGION
FROM ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/<REPO>:latest as build

# Set working directory
WORKDIR /usr/app
COPY . /usr/app

EXPOSE 80
EXPOSE 443

CMD ["bash", "/usr/app/persist-ipns.sh"]
```

In persist-ipns.sh, I am fetching a directory from a remote repo, adding it to IPFS, and then pinning the CID to Pinata.

```bash
#!/bin/bash
BUCKET=<BUCKET_NAME>
DIR=<DIRECTORY>

# Start IPFS daemon
ipfs daemon &

# Clone S3 bucket containing metadata
mkdir -p "$DIR"
OBJECT="$(aws s3 ls "$BUCKET" --recursive | sort | tail -n 1 | awk '{print $4}')"
aws s3 cp "s3://$BUCKET/$OBJECT" "$DIR"

# Add directory to IPFS
IPFS_ADD=$(ipfs add -r "$DIR")
IPFS_CID=$(echo $IPFS_ADD | awk '{print $2}')
echo "IPFS CID: $IPFS_CID"

# Push to Pinata
ipfs pin remote add --service=pinata-docker --name=<PIN_NAME> "$IPFS_CID"
```

I then face the following error:

```
Error: empty response from remote pinning service: Post "https://api.pinata.cloud/psa/pins": x509: certificate signed by unknown authority
```

I have faced this error before in other cases when missing a .pem file. But I am not sure how to resolve this here.

Thank you in advance for the help.

  • The error "certificate signed by unknown authority" means exactly what it says: the remote certificate is signed by a signing authority that your container doesn't recognize, so it's not trusted. You need to install the appropriate CA certificates inside your container. Exactly how to do this depends on how your container image is built; can you share your `Dockerfile`? – larsks Apr 28 '22 at 20:56
  • thanks @larsks. Sorry if this is trivial, would the CA certificates be from Pinata or any self-signed SSL cert would work? My `Dockerfile` is fairly bare. ` # Pull base image ARG AWS_ACCOUNT_ID ARG AWS_DEFAULT_REGION FROM ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/:latest as build # Set working directory WORKDIR /usr/app COPY . /usr/app EXPOSE 80 EXPOSE 443 CMD ["bash", "/usr/app/persist-ipns.sh"] ` – Alex Ianovski Apr 28 '22 at 21:07
  • Please update the question to include your complete `Dockerfile`; it's not really possible to read it as a comment. – larsks Apr 28 '22 at 21:10
  • The CA certificates would come from whatever signing authority was used to obtain their SSL certificate. They're probably part of the default CA bundle for whatever base image you're using, but without seeing your `Dockerfile` it's hard to give a correct answer. – larsks Apr 28 '22 at 21:11
  • (I don't run into this problem using pinata with the official IPFS image, `docker.io/ipfs/go-ipfs`) – larsks Apr 28 '22 at 21:13
  • Sorry about that. I updated my post. The image is based on an `ubuntu:focal` image with some additional dependencies (aws, IPFS) installed. Hmm thanks for the suggestion, I will give the `docker.io/ipfs/go-ipfs` image a try – Alex Ianovski Apr 28 '22 at 21:19

1 Answer

Thank you @larsks. Adding a CA certificate resolved the error:

  • Downloaded a CA certificate from Entrust on my host machine
  • Added the following to the Dockerfile:

```dockerfile
COPY ca.crt /etc/ssl/certs/
RUN apt-get install -y ca-certificates
RUN update-ca-certificates
```
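
Added example, not part of the original answer: a trust-store preflight that the entrypoint script could run before `ipfs pin remote add`, so that a missing or incomplete CA bundle fails with a clear reason instead of the x509 error. It assumes the Debian/Ubuntu bundle path and a bundle made only of PEM blocks; the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from the original post. Paths are Debian/Ubuntu defaults.

# Bundle file a Go binary such as ipfs reads; SSL_CERT_FILE replaces the default.
trust_bundle_path() {
    echo "${SSL_CERT_FILE:-/etc/ssl/certs/ca-certificates.crt}"
}

# Print the number of PEM certificates in a bundle (0 if missing or unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed if the single certificate in file $1 appears in bundle $2.
# Compares base64 bodies, so line-wrapping differences do not matter.
# Assumes the bundle holds only PEM blocks (as the generated Debian bundle does).
ca_in_bundle() {
    local body
    body="$(grep -v -- '-----' "$1" | tr -d ' \r\n')"
    [ -n "$body" ] || return 2
    sed 's/-----END CERTIFICATE-----/@/' "$2" | grep -v -- '-----BEGIN' |
        tr -d ' \r\n' | tr '@' '\n' | grep -qxF -- "$body"
}

# Preflight: fail with a reason if the store is empty, or if the optional
# extra CA file $1 (hypothetical, e.g. a private root) is not in the bundle.
check_trust_store() {
    local bundle n
    bundle="$(trust_bundle_path)"
    n="$(count_pem_certs "$bundle")"
    if [ "$n" -eq 0 ]; then
        echo "no CA certificates in $bundle: install ca-certificates" >&2
        return 1
    fi
    if [ -n "${1:-}" ] && ! ca_in_bundle "$1" "$bundle"; then
        echo "$1 is not in $bundle: copy it to /usr/local/share/ca-certificates/ as *.crt and run update-ca-certificates" >&2
        return 1
    fi
    echo "$n CA certificates in $bundle"
}

# In the entrypoint, before 'ipfs pin remote add':
#   check_trust_store || exit 1
```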