Score:-1

Redhat ubi8-micro container without trusted root ca certificates

I want to run a simple Go application on the registry.access.redhat.com/ubi8/ubi-micro image.

But unfortunately I get `x509: certificate signed by unknown authority` errors in my app, because it seems there is no root CA truststore on the ubi8-micro containers.

Tried something like this in my Dockerfile without success:

```dockerfile
FROM registry.access.redhat.com/ubi8/go-toolset as build

USER root

RUN yum update ca-certificates && \
    update-ca-trust

COPY . .

RUN go mod tidy && \
    go build -o my-app .   # fixed output name so the COPY below finds the binary

FROM registry.access.redhat.com/ubi8/ubi-micro

COPY --from=build /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/pki/tls/certs/ca-bundle.trust.crt
COPY --from=build /opt/app-root/src/my-app .

RUN ./my-app  # Go app gives x509 error on GET https://google.com
```

Main function in Go:

```go
package main

import (
	"log"
	"net/http"
)

func main() {
	_, err := http.Get("https://www.google.com")
	if err != nil {
		log.Printf("Error during Get is: %s", err) // x509: certificate signed by unknown authority
	}
}
```

UPDATE / SOLUTION

Fixed it by using ubi8-minimal instead of ubi8-micro as the runner.

See also (commits) on: https://github.com/michelmeeuwissen/redhat-go-example

Commenter (pt flag): You need to install new trusted CA certificates in `/etc/pki/ca-trust/source/anchors/` and then run `update-ca-trust`.

Michel: `update-ca-trust` is not available on ubi8/ubi-micro. `/bin/sh: update-ca-trust: command not found`

Commenter (pt flag): You show in your Dockerfile that you're running `update-ca-trust` successfully.

Michel: That is on the builder container. That's not the `ubi8-micro`. But I fixed it by using the `ubi8-minimal` instead of `ubi8-micro` as runner.
Score:2

It isn't clear at what stage you get the error so I'm going to cover everything.

On the host, you need to add your custom CA certificate to your system trust store (/etc/pki/ca-trust/source/anchors) and run update-ca-trust.

While building your container, I'd recommend always exposing your host trust store to the container even if you only really need it if you access the network (buildah build --volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro).

When running your container, expose the host trust store to the container (--volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro during create or run).

Since Go looks at your system trust store natively, unlike many other runtimes that bake in their own which you have to override, this should be all you need.

Michel: Thanks. I'm just doing a simple call: `http.Get("https://www.google.com")` in my main. No custom certificates are involved.

Ginnungagap: Are you in a corporate network? Are you sure there's no proxy in place that does TLS interception? I'll have to check but I'm fairly certain standard root CAs are part of the UBI image.

Michel: No I'm not. Fixed it by using the `ubi8-minimal` instead of `ubi8-micro` as runner. Micro is too micro, I guess. It does not contain any CA truststore at all.
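As an added example (not code from the question, the answer or the linked repository), a startup check for the Go app: it loads the CA bundle from paths that Go's own crypto/x509 probes on Linux and refuses to start if none of them yields a certificate, so an image like ubi-micro that ships no trust store fails at boot with a clear message instead of on the first outbound request, and verification is never switched off to work around it. The function names and the target URL are illustrative; the bundle paths are the ones Go actually checks.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
	"os"
)

// Three of the bundle paths Go's crypto/x509 probes on Linux. The question's
// COPY target, /etc/pki/tls/certs/ca-bundle.trust.crt, is not among them.
var candidateBundles = []string{
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // RHEL/UBI
	"/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/certs/ca-certificates.crt",
}

// loadTrustStore builds a CertPool from the first readable bundle in paths and
// returns the path used. A readable file with no CERTIFICATE block is an error.
func loadTrustStore(paths []string) (*x509.CertPool, string, error) {
	for _, p := range paths {
		pemData, err := os.ReadFile(p)
		if err != nil {
			continue // not present in this image; try the next location
		}
		if pool := x509.NewCertPool(); pool.AppendCertsFromPEM(pemData) {
			return pool, p, nil
		}
		return nil, p, fmt.Errorf("%s: no CERTIFICATE blocks found", p)
	}
	return nil, "", fmt.Errorf("no CA bundle found at any of %v", paths)
}

func newClient(pool *x509.CertPool) *http.Client {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

func main() {
	pool, used, err := loadTrustStore(candidateBundles)
	if err != nil {
		log.Fatalf("refusing to start: %v", err) // e.g. on a bare ubi-micro image
	}
	if resp, err := newClient(pool).Get("https://www.google.com"); err != nil {
		log.Printf("bundle %s: GET failed: %v", used, err)
	} else {
		resp.Body.Close()
	}
}
```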