5

I have a container with Golang that calls a https api. I'm using a scratch container and when I try to run I get a certificate signed by unknown authority

url := "https://restcountries.eu/rest/v2/name/" + params.Get("country")
response, err := http.Get(url)

My Dockerfile is like this:

FROM golang:1.15 AS builder
WORKDIR /GreetingAPI
COPY . /greeting
WORKDIR /greeting
ENV GO111MODULE=on
RUN CGO_ENABLED=0 GOOS=linux go build -o greeting

FROM scratch
COPY --from=builder /greeting .
CMD ["./greeting"]

I updated my Dockerfile using this answare. But when I try to build the container I get ERROR: "/ca-certificates.crt" not found: not found and failed to solve: rpc error: code = Unknown desc = failed to compute cache key: "/ca-certificates.crt" not found: not found

FROM golang:1.15 AS builder
WORKDIR /GreetingAPI
COPY . /greeting
WORKDIR /greeting
ENV GO111MODULE=on
RUN CGO_ENABLED=0 GOOS=linux go build -o greeting

FROM scratch
ADD ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /greeting .
CMD ["./greeting"]

2 Answers2

13

I may have needed to be more clear in the linked answer, the copy in this first example was a single stage example where you had a certificate file to inject in your build context (directory that typically has your Dockerfile):

FROM scratch
ADD ca-certificates.crt /etc/ssl/certs/
ADD main /
CMD ["/main"]

You have a multi-stage build and can follow the multi-stage method in the second half of the linked answer. That installs the certificates in another stage from the distribution vendor and copies them into your scratch stage:

FROM golang:alpine as build
RUN apk --no-cache add ca-certificates
WORKDIR /go/src/app
COPY . .
RUN CGO_ENABLED=0 go-wrapper install -ldflags '-extldflags "-static"'

FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /go/bin/app /app
ENTRYPOINT ["/app"]

However, that second example assumed Alpine as the base for the first stage, using apk. (It also assumed the certificates need to be installed in the base image, which turns out to not be the case in the current golang images.) For your example, it's based on Debian in the golang:1.15 image. For that, you'd normally need apt-get commands, but in this case the ca-certificates package is already installed, so you can just copy the results:

FROM golang:1.15 AS builder
COPY . /greeting
WORKDIR /greeting
ENV GO111MODULE=on
RUN CGO_ENABLED=0 GOOS=linux go build -o greeting

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /greeting /
CMD ["/greeting"]
BMitch
  • 231,797
  • 42
  • 475
  • 450
4

Install ca cert in your builder stage and copy over to the final image. Something like:

FROM golang:1.15 AS builder
RUN apk update
RUN apk add -U --no-cache ca-certificates && update-ca-certificates
WORKDIR /GreetingAPI
COPY . /greeting
WORKDIR /greeting
ENV GO111MODULE=on
RUN CGO_ENABLED=0 GOOS=linux go build -o greeting

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /greeting .
CMD ["./greeting"]
gipsy
  • 3,859
  • 1
  • 13
  • 21