Using docker buildx, I am trying to download an artifact from an internal artifactory server over https. The certificate is signed by our own CA. I can successfully reference the server as a docker repository, but I want to access it over https using the ADD instruction. When I do that, I get ERROR: failed to solve: failed to load cache key: Get "https://foo-internal/some-artifact": x509: certificate signed by unknown authority.
Here is a very minimal example that reproduces the issue for me:
Given:
- an artifactory docker repository at dockerhub.xxxx.internal with a certificate signed by My-Custom-CA.pem
- the following buildkit.toml:
[registry."dockerhub.xxxx.internal"]
ca=["./My-Custom-CA.pem"]
- the following minimal Dockerfile:
FROM dockerhub.xxxx.internal/amazonlinux:2.0.20230307.0
This command works fine:
docker buildx create --use --config buildkitd.toml && \
docker buildx build --load .
However, if I add an ADD instruction to download from the same server, so the Dockerfile becomes:
FROM dockerhub.xxxx.internal/amazonlinux:2.0.20230307.0
ADD https://dockerhub.xxxx.internal/artifactory/dockerhub-prod/repository.catalog repository.catalog
The same instruction gives the following output:
[+] Building 4.4s (7/7) FINISHED
=> [internal] booting buildkit 2.1s
=> => pulling image moby/buildkit:buildx-stable-1 1.4s
=> => creating container buildx_buildkit_determined_burnell0 0.7s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 235B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for dockerhub.xxxx.internal/amazonlinux:2.0.20230307.0 1.9s
=> ERROR https://dockerhub.xxxx.internal/artifactory/dockerhub-prod/repository.catalog 0.3s
=> [1/2] FROM dockerhub.xxxx.internal/amazonlinux:2.0.20230307.0@sha256:8a3fbbbaf93665e495fd66e86c7c5d46de44ab0bc74460b97489820747e0a164 0.3s
=> => resolve dockerhub.xxxx.internal/amazonlinux:2.0.20230307.0@sha256:8a3fbbbaf93665e495fd66e86c7c5d46de44ab0bc74460b97489820747e0a164 0.0s
=> => sha256:042c9cfa8a36c0ffe86667a7dd7d488f78cbe295aa845213c01fdf8784165a92 0B / 64.13MB 0.3s
=> CANCELED [2/2] ADD https://dockerhub.xxxx.internal/artifactory/dockerhub-prod/repository.catalog repository.catalog 0.0s
------
> https://dockerhub.xxxx.internal/artifactory/dockerhub-prod/repository.catalog:
------
ERROR: failed to solve: failed to load cache key: Get "https://dockerhub.xxxx.internal/artifactory/dockerhub-prod/repository.catalog": x509: certificate signed by unknown authority
Is there any way to get the buildx build agent to respect my custom certificate authority when downloading using the ADD instruction?
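
Added example, not part of the original post: the error string in the build output is the one Go's crypto/x509 verifier returns when no root in the pool it consults signs the presented chain. The Go sketch below reproduces it offline with constructed throwaway certificates (the helper `issue` and the function `Demo` are hypothetical names), showing that the same leaf fails or verifies depending only on which root pool the verifier is given.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway certificate; a nil parent means self-signed (the CA).
func issue(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo verifies one leaf against an empty root pool, then a pool with the CA.
func Demo() (withoutCA, withCA error) {
	const host = "dockerhub.xxxx.internal" // host name from the question
	ca, caKey := issue("My-Custom-CA", true, nil, nil)
	leaf, _ := issue(host, false, ca, caKey)
	verify := func(roots *x509.CertPool) error {
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
		return err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return verify(x509.NewCertPool()), verify(trusted)
}

func main() { fmt.Println(Demo()) }
```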