7

I have the Dockerfile below, and when I try to run docker build, I get an error.

dockerfile

# base go image
FROM golang:latest as builder
RUN mkdir /app

COPY . /app

WORKDIR /app

RUN CGO_ENABLED=0 go build -o brokerApp ./cmd/api

RUN chmod +x /app/brokerApp

# build a tiny docker image
FROM alpine:latest

RUN mkdir /app

COPY --from=builder /app/brokerApp /app

CMD [ "/app/brokerApp" ]

error

$ docker build -t test -f broker-service.dockerfile .
Sending build context to Docker daemon   7.79MB
Step 1/10 : FROM golang:latest as builder
 ---> c48137eaf961
Step 2/10 : RUN mkdir /app
 ---> Running in 0caaa78d39ad
Removing intermediate container 0caaa78d39ad
 ---> 260a46b545a8
Step 3/10 : COPY . /app
 ---> 17c49c16a2ea
Step 4/10 : WORKDIR /app
 ---> Running in 056c8e90776a
Removing intermediate container 056c8e90776a
 ---> 55ef7bc5f453
Step 5/10 : RUN CGO_ENABLED=0 go build -o brokerApp ./cmd/api
 ---> Running in e1d6ae8ddbb6
go: downloading github.com/go-chi/chi/v5 v5.0.8
go: downloading github.com/go-chi/cors v1.2.1
cmd/api/routes.go:6:2: github.com/go-chi/chi/v5@v5.0.8: Get "https://proxy.golang.org/github.com/go-chi/chi/v5/@v/v5.0.8.zip": tls: failed to verify certificate: x509: certificate signed by unknown authority
cmd/api/routes.go:7:2: github.com/go-chi/chi/v5@v5.0.8: Get "https://proxy.golang.org/github.com/go-chi/chi/v5/@v/v5.0.8.zip": tls: failed to verify certificate: x509: certificate signed by unknown authority
cmd/api/routes.go:8:2: github.com/go-chi/cors@v1.2.1: Get "https://proxy.golang.org/github.com/go-chi/cors/@v/v1.2.1.zip": tls: failed to verify certificate: x509: certificate signed by unknown authority
The command '/bin/sh -c CGO_ENABLED=0 go build -o brokerApp ./cmd/api' returned a non-zero code: 1

Interestingly, when I open the URL https://proxy.golang.org/github.com/go-chi/chi/v5/@v/v5.0.8.zip directly in a browser, it downloads the zip just fine.

I have been stuck on this issue for a couple of days and have tried almost all similar posts.

go version go1.19.5 windows/amd64

OS: Windows

4
  • 1
    You get that when the SSL cert returned by the server is not trusted. In most cases, this is caused by a company proxy serving the URLs to you and signing the data with its own certificate. You either add the company cert (or the issuing CA) as trusted or you decide to disable SSL verification. It would be good to know which "almost all similar posts" you have tried exactly and how the symptoms changed.
    – mspiller
    Commented Mar 10, 2023 at 13:44
  • Can your system directly make outbound connections to the public Internet, or do you go through some sort of proxy?
    – David Maze
    Commented Mar 10, 2023 at 14:00
  • I am sure it goes via a proxy as I am in a corporate network. I won't have access to disable the SSL verification, so adding company cert (or the issuing CA) as trusted sounds like something I can at least try. But that's another rabbit hole and I am not sure what certificate I am looking for and where.
    – Naxi
    Commented Mar 10, 2023 at 14:03
  • 1
    The proxy explanation makes sense. Your IT dept probably added their proxy's SSL cert onto your computer, which your browser picks up. But there's nothing being done to expose that SSL cert to Docker, so it - correctly - doesn't trust the cert from the proxy. Working with your IT dept, or investigating copying the cert from the URL in browser / curl / etc. and adding it to the Docker instance, is your only option.
    – erik258
    Commented Mar 10, 2023 at 15:03

5 Answers

7

Not sure if it is the same scenario, but I had the same problem running a container based on Ubuntu, and the way to solve it was to install the ca-certificates package.

sudo apt-get install -y ca-certificates
1
  • In my container on Synology it was "apt install -y ca-certificates" and my Go program burst into life. Many thanks Migsar Navarro
    – hum3
    Commented Jan 21 at 12:59
5

I solved this error by adding the machine's certificates to the Docker container:

COPY ca-bundle.crt /etc/ssl/certs/ca-bundle.crt
COPY ca-bundle.trust.crt /etc/ssl/certs/ca-bundle.trust.crt 
1

I just had the same error. In my case I was using ubuntu as the base image for my container, which happened not to provide the root certificates needed by my application to trust the targeted service. I switched to centos as my base image and it worked fine.

1

To add to what Andrie Nicolae said,

The terminal will give you the URL that failed. Click the link or navigate to the base URL (example.com/), then click the site info icon at the left of the address bar, click on "connection is secure" > "Certificate is valid"/"Show certificate" > Save cert to /project/certs.

Dockerfile

COPY ./certs/* /etc/ssl/certs/

0

If you want to create a very small container (like FROM scratch), you have to either copy the certificates from another base image or use a distroless image like

  • gcr.io/distroless/static,
  • gcr.io/distroless/base-nossl (for cgo) or
  • gcr.io/distroless/base (if you need the SSL libraries).

See https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md for details.
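Added example, not taken from any of the posts above: the question's Dockerfile reworked so that the builder stage trusts the corporate proxy's CA, which is the fix the comments and answers point toward. The file name corp-root-ca.crt is an assumption: it stands for the PEM-encoded root CA of the intercepting proxy, exported from the browser as described above and placed in the build context.

```dockerfile
# Added example: trust a corporate TLS-inspection CA during the build.
# Assumption: corp-root-ca.crt (hypothetical name) is the PEM-encoded root CA
# taken from the proxy's certificate chain and sits in the build context root.

FROM golang:latest AS builder

# golang:latest is Debian-based. update-ca-certificates picks up *.crt files
# (PEM format) from /usr/local/share/ca-certificates and regenerates
# /etc/ssl/certs/ca-certificates.crt, the bundle the Go toolchain reads.
COPY corp-root-ca.crt /usr/local/share/ca-certificates/corp-root-ca.crt
RUN update-ca-certificates

WORKDIR /app
COPY . .

# Certificate verification stays enabled: the module download now succeeds
# because the proxy's CA is in the trust store, not because checks are off.
RUN CGO_ENABLED=0 go build -o brokerApp ./cmd/api

# build a tiny docker image
FROM alpine:latest

# Only needed if the running service itself makes outbound TLS calls through
# the same proxy. Otherwise leave this line out so the runtime image does not
# trust the inspection CA. Go on Alpine reads the same bundle path.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

COPY --from=builder /app/brokerApp /app/brokerApp

CMD [ "/app/brokerApp" ]
```

Keeping the CA in the builder stage alone limits the extra trust to the build; the final image only inherits it if the bundle is copied across explicitly.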
