
I want to run a simple Go application on the registry.access.redhat.com/ubi8/ubi-micro image.

But unfortunately I get `x509: certificate signed by unknown authority` errors in my app, because it seems there is no root CA truststore in the ubi8-micro containers.

Tried something like this in my Dockerfile without success:

FROM registry.access.redhat.com/ubi8/go-toolset as build

USER root

RUN yum update ca-certificates && \
    update-ca-trust

COPY . .

RUN go mod tidy && \
    go build .

FROM registry.access.redhat.com/ubi8/ubi-micro

COPY --from=build /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/pki/tls/certs/ca-bundle.trust.crt
COPY --from=build /opt/app-root/src/my-app .

RUN ./my-app  # Go app gives x509 error on GET https://google.com

Main function in Go

package main

import (
    "log"
    "net/http"
)

func main() {
    resp, err := http.Get("https://www.google.com")
    if err != nil {
        log.Printf("Error during Get is: %s", err) // x509: certificate signed by unknown authority
        return
    }
    resp.Body.Close()
}

UPDATE / SOLUTION

Fixed it by using ubi8-minimal instead of ubi8-micro as the runner.

See also (commits) on: https://github.com/michelmeeuwissen/redhat-go-example

Michel
    You need to install new trusted CA certificates in `/etc/pki/ca-trust/source/anchors/` and then run `update-ca-trust`. – larsks Mar 23 '23 at 21:04
  • `update-ca-trust` is not available on ubi8/ubi-micro. `/bin/sh: update-ca-trust: command not found` – Michel Mar 24 '23 at 09:36
  • You show in your Dockerfile that you're running `update-ca-trust` successfully. – larsks Mar 24 '23 at 11:41
  • That is on the builder container. That's not the `ubi8-micro`. But I fixed it by using `ubi8-minimal` instead of `ubi8-micro` as the runner – Michel Mar 24 '23 at 12:42
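A worked example, added here and not part of the original question or of the linked repository, that reproduces the failure of the Dockerfile above from Go's side. Go's `crypto/x509` loads a bundle file with `CertPool.AppendCertsFromPEM`, which skips every PEM block whose type is not exactly `CERTIFICATE`. The file the Dockerfile copies, `/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`, is OpenSSL's trust-annotated format made of `TRUSTED CERTIFICATE` blocks, so the pool Go builds from it is empty even though the file sits in `/etc/pki/tls/certs`, one of the directories Go scans. The plain-PEM bundle that `update-ca-trust` also writes, `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, is on Go's default file list and is the one to copy into the ubi-micro stage. The CA, leaf certificate and host name below are constructed test data, not real roots:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCA builds a throwaway root (constructed test data, not a real CA)
// and returns its parsed certificate, private key and DER encoding.
func selfSignedCA() (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "test-root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, der, err
}

// leafSignedBy issues a server certificate chained to the test root
// (host name is an assumption for the example).
func leafSignedBy(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstBundle does what Go's TLS client does with a system bundle:
// load it with AppendCertsFromPEM and verify the leaf against the result.
// AppendCertsFromPEM silently skips every PEM block whose type is not
// exactly "CERTIFICATE", so a bundle of "TRUSTED CERTIFICATE" blocks yields
// an empty pool and verification fails with x509.UnknownAuthorityError.
func VerifyAgainstBundle(bundle []byte, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // returns false when nothing was added
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "www.example.test"})
	return err
}

// CompareBundleFormats returns the verification result with a plain
// CERTIFICATE bundle (the tls-ca-bundle.pem format) and with a TRUSTED
// CERTIFICATE bundle (the ca-bundle.trust.crt format). The trusted block here
// only relabels the same DER; the real OpenSSL file additionally appends trust
// attributes after the certificate, which Go's parser would reject as well.
func CompareBundleFormats() (certErr, trustedErr error) {
	ca, caKey, caDER, err := selfSignedCA()
	if err != nil {
		return err, err
	}
	leaf, err := leafSignedBy(ca, caKey)
	if err != nil {
		return err, err
	}
	plain := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	trusted := pem.EncodeToMemory(&pem.Block{Type: "TRUSTED CERTIFICATE", Bytes: caDER})
	return VerifyAgainstBundle(plain, leaf), VerifyAgainstBundle(trusted, leaf)
}

func main() {
	certErr, trustedErr := CompareBundleFormats()
	fmt.Println("CERTIFICATE bundle:        ", certErr)
	fmt.Println("TRUSTED CERTIFICATE bundle:", trustedErr)
}
```

The first line prints `<nil>`, the second `x509: certificate signed by unknown authority`, the same error the question reports. Because Go reads PEM bundles directly, a runtime image without `ca-certificates` only needs the file: copy `tls-ca-bundle.pem` from the build stage to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` in the final stage, or point the `SSL_CERT_FILE` environment variable at wherever it is placed; `update-ca-trust` is not needed at runtime.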

1 Answer


It isn't clear at what stage you get the error so I'm going to cover everything.

On the host, you need to add your custom CA certificate to your system trust store (/etc/pki/ca-trust/source/anchors) and run update-ca-trust.

While building your container, I'd recommend always exposing your host trust store to the container even if you only really need it if you access the network (buildah build --volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro).

When running your container, expose the host trust store to the container (--volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro during create or run).

Since Go looks at your system trust store natively, unlike many other runtimes, which bake their own that you have to override, this should be all you need.

Ginnungagap
  • Thanks. I'm just doing a simple call: `http.Get("https://www.google.com")` in my main. No custom certificates are involved – Michel Mar 24 '23 at 09:12
  • Are you in a corporate network? Are you sure there's no proxy in place that does TLS interception? I'll have to check but I'm fairly certain standard root CAs are part of the UBI image. – Ginnungagap Mar 24 '23 at 11:34
  • No, I'm not. Fixed it by using `ubi8-minimal` instead of `ubi8-micro` as the runner. Micro is too micro, I guess. It does not contain any CA truststore at all – Michel Mar 24 '23 at 12:44