TLS Certificate Verification Failure on Go Build in Docker container
David Y.
—The Problem
In the process of dockerizing my Go application, I encounter the following error on the go build step:
main.go:6:2: github.com/yuin/goldmark/v@v1.7.4: Get "https://proxy.golang.org/github.com/yuin/goldmark/@v/v1.7.4.zip": tls: failed to verify certificate: x509: certificate signed by unknown authority
However, if I visit https://proxy.golang.org/github.com/yuin/goldmark/@v/v1.7.4.zip in my browser, the module is downloaded without a TLS error.
Here’s my Dockerfile, which I’ve placed in my project’s root directory:
FROM golang:latest as builder RUN mkdir /app COPY . /app WORKDIR /app # This step fails: RUN CGO_ENABLED=0 go build -o myApp ./main RUN chmod +x /app/myApp CMD [ "/app/myApp" ]
The Solution
The most likely cause of this error is a mismatch between the CA certificates installed on your host device and the CA certificates installed in the docker container.
These could either be generic CA certificates or ones specific to your network. Many corporate networks require custom CA certificates to be installed, which are used to proxy all or most TLS traffic on the network.
If the issue is caused by missing generic certificates, you can fix it by installing the ca-certificates package before building your application:
FROM golang:latest as builder RUN mkdir /app COPY . /app WORKDIR /app # new step: RUN apt install ca-certificates RUN CGO_ENABLED=0 go build -o myApp ./main RUN chmod +x /app/myApp CMD [ "/app/myApp" ]
If you encounter the same error after this change, the issue is network-specific and you likely need to install a CA certificate specific to your corporate network.
Many corporate networks require custom CA certificates, which are used to proxy all or most TLS traffic on the network.
If you’re using Google Chrome, Brave, Edge, or another Chromium-based browser, download the certificate as follows:
- Visit the URL from the error message.
- Click the View site information icon on the left side of the address bar.
- Click Connection is secure and then Certificate is valid.
- In the window that appears, visit the Details tab and click Export…
- Save the certificate file to your project’s root directory.
If you’re using Firefox, download the certificate as follows:
- Visit the URL from the error message.
- Click the padlock icon on the left side of the address bar.
- Click Connection secure and then More information.
- In the window that appears, click View Certificate.
- Scroll down until you see a link that says PEM (chain).
- Click that link to download the certificate, and then move the file to your project’s root directory.
Now that you have the certificate, you can copy it into your container by changing the Dockerfile as below:
FROM golang:latest as builder RUN mkdir /app COPY . /app WORKDIR /app # install generic certificates: RUN apt install ca-certificates # install corporate certificate: COPY downloaded-cert.pem /etc/ssl/certs/downloaded-cert.pem RUN CGO_ENABLED=0 go build -o myApp ./main RUN chmod +x /app/myApp CMD [ "/app/myApp" ]
It should now be possible to build the container without further TLS errors.
- SentryGo Error Tracking and Performance Monitoring
- Syntax.fmListen to the Syntax Podcast
- Listen to the Syntax Podcast
![Syntax.fm logo]()
Tasty treats for web developers brought to you by Sentry. Get tips and tricks from Wes Bos and Scott Tolinski.
SEE EPISODES
Considered “not bad” by 4 million developers and more than 100,000 organizations worldwide, Sentry provides code-level observability to many of the world’s best-known companies like Disney, Peloton, Cloudflare, Eventbrite, Slack, Supercell, and Rockstar Games. Each month we process billions of exceptions from the most popular products on the internet.
A peek at your privacy
Here’s a quick look at how Sentry handles your personal information (PII).
×Who we collect PII from
We collect PII about people browsing our website, users of the Sentry service, prospective customers, and people who otherwise interact with us.
What if my PII is included in data sent to Sentry by a Sentry customer (e.g., someone using Sentry to monitor their app)? In this case you have to contact the Sentry customer (e.g., the maker of the app). We do not control the data that is sent to us through the Sentry service for the purposes of application monitoring.
Am I included?PII we may collect about you
- PII provided by you and related to your
- Account, profile, and login
- Requests and inquiries
- Purchases
- PII collected from your device and usage
- PII collected from third parties (e.g., social media)
How we use your PII
- To operate our site and service
- To protect and improve our site and service
- To provide customer care and support
- To communicate with you
- For other purposes (that we inform you of at collection)
Third parties who receive your PII
We may disclose your PII to the following type of recipients:
- Subsidiaries and other affiliates
- Service providers
- Partners (go-to-market, analytics)
- Third-party platforms (when you connect them to our service)
- Governmental authorities (where necessary)
- An actual or potential buyer
We use cookies (but not for advertising)
- We do not use advertising or targeting cookies
- We use necessary cookies to run and improve our site and service
- You can disable cookies but this can impact your use or access to certain parts of our site and service
Know your rights
You may have the following rights related to your PII:
- Access, correct, and update
- Object to or restrict processing
- Port over
- Opt-out of marketing
- Be forgotten by Sentry
- Withdraw your consent
- Complain about us
If you have any questions or concerns about your privacy at Sentry, please email us at compliance@sentry.io.
If you are a California resident, see our Supplemental notice.