
At work (i.e. within an enterprise environment), I have a web server written in Go, and it runs fine locally. Then I dockerized the app, but when running it in a container I got the error x509: certificate signed by unknown authority at the point where it makes an HTTPS request to an internal remote API.

I guess that means I am missing a step to add a proper certificate in the Dockerfile.

Should I find where the certificate is on my local machine and copy it into the Dockerfile? Is it common practice to do so? If not, what else can I do?

Also, since it works fine locally, it must know where to look for the certificates and find one successfully. How does it know which certificate to use if there are multiple certificates on my machine?

dragonfly02
  • Is the remote API a public one, or some internal (to the enterprise) endpoint? – Dusan Bajic Nov 19 '22 at 09:54
  • @DusanBajic it's an internal remote API – dragonfly02 Nov 19 '22 at 11:22
  • Which container OS is your Docker image using? – Dusan Bajic Nov 19 '22 at 11:27
  • @DusanBajic it's using Debian – dragonfly02 Nov 19 '22 at 11:29
  • As general guidance: you need to get (export to a file) the remote API root CA cert (either from your [local truststore](https://www.namecheap.com/support/knowledgebase/article.aspx/10332/33/importingexporting-certificates-on-mac-os-via-keychain/) or by [fetching it directly from the remote endpoint](https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2)). Then you need to [place that file into your container truststore and import it](https://support.kerioconnect.gfi.com/hc/en-us/articles/360015200119-Adding-Trusted-Root-Certificates-to-the-Server) – Dusan Bajic Nov 19 '22 at 12:05

1 Answer

Try adding the following line to your Dockerfile:

RUN apk --no-cache add ca-certificates

You can also refer to the following sample Dockerfile that I use for all of my Go-based projects. It uses a two-stage build and hence produces the smallest container that still carries the certificates:

FROM golang:alpine AS builder

LABEL maintainer="Mayukh Sarkar <mayukh2012@hotmail.com>"
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates

# Move to working directory (/build).
WORKDIR /build

# Copy and download dependency using go mod.
COPY go.mod go.sum ./
RUN go mod download

# Copy the code into the container.
COPY . .

# Set necessary environment variables needed for our image and build the API server.
ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
RUN go build -ldflags="-s -w" -o apiserver .

# 2 staged build
FROM scratch
# copy the ca-certificate.crt from the build stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy binary and config files from /build to root folder of scratch container.
COPY --from=builder ["/build/apiserver", "/build/.env", "/"]

EXPOSE 9999/tcp
EXPOSE 9000/tcp
# Command to run when starting the container.
ENTRYPOINT ["/apiserver"]
Mayukh Sarkar
  • Added `RUN apk --no-cache add ca-certificates` after the `FROM` command in the Dockerfile and rebuilt the image; still got the same error when running the app in the container. The app is a web server running on port 9000 in the container, so I am exposing host port 9000 in `docker run` and accessing the app via `127.0.0.1:9000` from the client. I don't think there is any network issue though, just to be clear. – dragonfly02 Nov 22 '22 at 05:50
  • @dragonfly02 Can this help? https://stackoverflow.com/questions/67231714/how-to-add-trusted-root-ca-to-docker-alpine – Mayukh Sarkar Nov 22 '22 at 09:33
  • Interesting that the linked question tries to add a self-signed certificate to the trusted root CA store in the container. I have been trying to bind-mount the local certificate to the relevant path in the container; no luck so far. Maybe I didn't bind to the correct path. – dragonfly02 Nov 22 '22 at 11:06
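The following Go program is an added example, not code from the question, the answer or either commenter. It shows what sits behind the error in the question: Go's TLS client verifies the server chain against the OS trust store it found at startup (on Linux, a bundle such as /etc/ssl/certs/ca-certificates.crt, or whatever SSL_CERT_FILE / SSL_CERT_DIR point at), so a server issued by an internal enterprise CA fails with x509.UnknownAuthorityError until that CA is added to the pool. The program builds a constructed, throwaway "internal" root CA and a server certificate under it (stand-ins for the real CA you would export from your workstation; the hostname api.internal.example is a placeholder), then verifies the leaf once against the system roots alone and once against the system roots plus the internal CA. It also loads the CA into a pool in code, which is the alternative to modifying the container's trust store and avoids disabling verification altogether.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustPoolWithExtraCA returns the OS trust store Go's http.Client uses by
// default, extended with the PEM-encoded CA certificate(s) in extraCA.
func TrustPoolWithExtraCA(extraCA []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		// A scratch image with no CA bundle copied in lands here: start from an
		// empty pool so the internal CA alone can still be trusted.
		pool = x509.NewCertPool()
	}
	if len(extraCA) > 0 && !pool.AppendCertsFromPEM(extraCA) {
		return nil, errors.New("no CA certificate found in the supplied PEM")
	}
	return pool, nil
}

// VerifyLeaf checks a DER-encoded server certificate against pool for host,
// the same check crypto/tls performs during the handshake.
func VerifyLeaf(leafDER []byte, host string, pool *x509.CertPool) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the failure that prints as
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// MakeInternalCAAndLeaf builds a constructed root CA and a server certificate
// for host signed by it. Both are sample data for this example only.
func MakeInternalCAAndLeaf(host string) (caPEM, leafDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Internal Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, leafDER, nil
}

func main() {
	host := "api.internal.example" // placeholder, not a real endpoint
	caPEM, leafDER, err := MakeInternalCAAndLeaf(host)
	if err != nil {
		panic(err)
	}
	sysOnly, _ := TrustPoolWithExtraCA(nil) // what the container trusts today
	fmt.Println("system roots only:", VerifyLeaf(leafDER, host, sysOnly))
	withCA, err := TrustPoolWithExtraCA(caPEM) // after importing the internal CA
	if err != nil {
		panic(err)
	}
	fmt.Println("system roots + internal CA:", VerifyLeaf(leafDER, host, withCA))
}
```

To use this in an http.Client, pass the returned pool as RootCAs in the tls.Config of the transport. If you would rather keep the application unchanged, the Debian route the comments describe is to copy the exported root CA (PEM, with a .crt extension) into /usr/local/share/ca-certificates/ and run update-ca-certificates in the Dockerfile, which regenerates the /etc/ssl/certs/ca-certificates.crt bundle Go reads; setting SSL_CERT_FILE to the path of a bundle works as well. Either way the fix is to extend the trust store, not to set InsecureSkipVerify.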