Http call inside docker error certificate signed by unknown authority


Question


At work (i.e. within an enterprise environment), I have a web server written in Golang and it's running fine locally; then I dockerized the app, but when running the app in a container, I got an error: x509: certificate signed by unknown authority, from where it made an HTTPS request to an internal remote API.

Guess that means I am missing a step to add a proper certificate in the Dockerfile.

Should I find where the certificate is on my local machine and copy it into the Docker file? Is it a common practice to do so? If not, what else can I do?

Also, since it works fine locally, it must know where to look for the certificates and find one successfully. How does it know which certificate to use if there are multiple certificates on my machine?

Answer 1

Score: 1


Try adding the following line in your Dockerfile:

RUN apk --no-cache add ca-certificates

You can also refer to the following sample Dockerfile that I use for all of my Golang-based projects. This uses a two-stage build and hence produces the smallest container with the certificates.

FROM golang:alpine AS builder

LABEL maintainer="Mayukh Sarkar <mayukh2012@hotmail.com>"
# Redundant, current golang images already include ca-certificates
RUN apk --no-cache add ca-certificates

# Move to working directory (/build).
WORKDIR /build

# Copy and download dependency using go mod.
COPY go.mod go.sum ./
RUN go mod download

# Copy the code into the container.
COPY . .

# Set necessary environment variables needed for our image and build the API server.
ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
RUN go build -ldflags="-s -w" -o apiserver .

# 2 staged build
FROM scratch
# copy the ca-certificate.crt from the build stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy binary and config files from /build to root folder of scratch container.
COPY --from=builder ["/build/apiserver", "/build/.env", "/"]

EXPOSE 9999/tcp
EXPOSE 9000/tcp
# Command to run when starting the container.
ENTRYPOINT ["/apiserver"]

huangapple
  • Posted on November 18, 2022, 22:55:48
  • When reposting, please keep the link to this article: https://go.coder-hub.com/74491524.html
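On the question of where Go looks for certificates: on Linux it loads the system root bundle (for example /etc/ssl/certs/ca-certificates.crt, or the file named by SSL_CERT_FILE) and accepts a server whose chain ends at any root in that pool. The following is an added example, not code from the original answer, that reproduces the error from the question and clears it by adding a CA to the pool with verification left on; `newClient`, `get` and `demo` are hypothetical names, and the built-in test certificate of Go's httptest server is a constructed stand-in for an internal CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient trusts the system root pool plus the CA certificates in extraPEM.
func newClient(extraPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no bundle in the image, e.g. bare scratch
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, errors.New("extra CA bundle contains no PEM certificate")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo reports whether a client with only the system roots fails with
// x509.UnknownAuthorityError, and the error (nil on success) once the
// server's issuing certificate has been added to the pool.
func demo() (unknownAuthority bool, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	plain, _ := newClient(nil) // cannot fail without an extra bundle
	var ua x509.UnknownAuthorityError
	unknownAuthority = errors.As(get(plain, srv.URL), &ua)
	trusted, err := newClient(caPEM)
	if err != nil {
		return unknownAuthority, err
	}
	return unknownAuthority, get(trusted, srv.URL)
}

func main() { fmt.Println(demo()) }
```

In a container, the bytes passed to `newClient` would come from the internal CA's PEM file copied into the image; appending that certificate to the bundle file in the image instead makes it part of the system pool with no code change.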