-1

I want to run a simple Go application on the registry.access.redhat.com/ubi8/ubi-micro image.

But unfortunately I get x509: certificate signed by unknown authority errors in my app because it seems there is no root CA truststore on the ubi8-micro containers.

Tried something like this in my Dockerfile without success:

FROM registry.access.redhat.com/ubi8/go-toolset as build

USER root

RUN yum update ca-certificates && \
    update-ca-trust

COPY . .

RUN go mod tidy && \
    go build .

FROM registry.access.redhat.com/ubi8/ubi-micro

COPY --from=build /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/pki/tls/certs/ca-bundle.trust.crt

COPY --from=build /opt/app-root/src/my-app .

RUN ./my-app # Go app gives 509 error on GET https://google.com

Main function in Go

package main
import (
    "log"
    "net/http"
)

func main() {
    _, err := http.Get("https://www.google.com")
    if err != nil {
        log.Printf("Error during Get is: %s", err) // throw 509
    }
}

UPDATE / SOLUTION

Fixed it by using ubi8-minimal instead of ubi8-micro as the runner.

See also (commits) on: https://github.com/michelmeeuwissen/redhat-go-example

Michel

1 Answer

2

It isn't clear at what stage you get the error so I'm going to cover everything.

On the host, you need to add your custom CA certificate to your system trust store (/etc/pki/ca-trust/source/anchors) and run update-ca-trust.

While building your container, I'd recommend always exposing your host trust store to the container even if you only really need it if you access the network (buildah build --volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro).

When running your container, expose the host trust store to the container (--volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro during create or run).

Since Go looks at your system trust store natively, unlike many other runtimes which bake their own that you have to override, this should be all you need.

Ginnungagap
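An added diagnostic, not code from the question or the answer: it counts how many PEM blocks in a bundle file Go's `CertPool.AppendCertsFromPEM` would load, since that loader only accepts header-less `CERTIFICATE` blocks and skips OpenSSL-style `TRUSTED CERTIFICATE` blocks. The function names and the generated certificate are constructed for this example; whether the `extracted/openssl` bundle copied in the Dockerfile uses the skipped block type is an assumption to confirm by running it on that file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// usableRoots counts the PEM blocks that CertPool.AppendCertsFromPEM would
// load (header-less "CERTIFICATE" blocks that parse) and the blocks it skips.
func usableRoots(data []byte) (usable, skipped int) {
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		_, err := x509.ParseCertificate(b.Bytes)
		if b.Type == "CERTIFICATE" && len(b.Headers) == 0 && err == nil {
			usable++
		} else {
			skipped++
		}
	}
	return usable, skipped
}

// constructedBundle PEM-encodes a throwaway self-signed certificate (constructed sample data).
func constructedBundle(blockType string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: der})
}

func main() {
	fmt.Println(usableRoots(constructedBundle("CERTIFICATE")))         // 1 0
	fmt.Println(usableRoots(constructedBundle("TRUSTED CERTIFICATE"))) // 0 1
	for _, path := range os.Args[1:] { // bundle files inside the runtime image
		data, err := os.ReadFile(path)
		usable, skipped := usableRoots(data)
		fmt.Printf("%s: %d usable, %d skipped (read error: %v)\n", path, usable, skipped, err)
	}
}
```

Built statically and copied into the runtime image, it can be pointed at each bundle path there; a file reporting 0 usable blocks contributes nothing to Go's root pool even when it exists.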