I'm getting the below error while downloading.
go get github.com/go-sql-driver/mysql: module github.com/go-sql-driver/mysql: Get "https://proxy.golang.org/github.com/go-sql-driver/mysql/#v/list": x509: certificate signed by unknown authority
Go version - 1.13/1.15(tried both)
OS - Ubuntu 18
Tried updating ca-certificates as well.
Can anyone help me out?
Check first the context in which this error pops up:
go version
execution environment (shell).
For instance, this error pops up during a Docker build where the Dockerfile uses an image without certificates installed, as in golang/go issue 35702.
Said Dockerfile would need:
RUN apk update && apk add --no-cache git ca-certificates && update-ca-certificates
I am using docker-compose along with a Dockerfile to install a connector. I have been successful in installing connectors from Confluent Hub, but not my own jar files.
Here is what I did:
Went to https://search.maven.org/artifact/io.aiven/aiven-kafka-connect-gcs/0.7.0/jar and in the upper right corner, pressed Downloads and clicked on "jar"
Placed this file in the same folder as my Dockerfile
Ran my Dockerfile:
ENV CONNECT_PLUGIN_PATH="/usr/share/java,/usr/share/confluent-hub-components"
USER root
COPY --chown=appuser:appuser aiven-kafka-connect-gcs-0.7.0.jar /usr/share/confluent-hub-components
USER appuser
RUN confluent-hub install --no-prompt aiven/kafka-connect-gcs:0.7.0
I have also tried various confluent-hub install commands, including:
RUN confluent-hub install --no-prompt aiven-kafka-connect-gcs:0.7.0
RUN confluent-hub install --no-prompt confluent-hub-components/aiven-kafka-connect-gcs-0.7.0.jar
RUN confluent-hub install --no-prompt aiven-kafka-connect-gcs-0.7.0.jar
all to no avail. I did try other directories like /etc/kafka-connect/jars and I just keep getting the same issue.
What am I doing wrong? Syntax? Missing additional mounting commands? Something else?
confluent-hub doesn't "install" local JAR files.
By default, it uses its arguments to do an HTTP lookup against the Confluent Hub website and return the corresponding response. If it's a valid connector, it'll extract it to the plugin path; otherwise, you'll get an error.
If you give it a local ZIP, that will work:
path to a local ZIP file that was downloaded from Confluent Hub
This is how I did it:
RUN wget -O /set/your/path/here/<connector name here>.tar https://url-of-connector-here/<connector name and version here>.tar
RUN tar -xvf /set/your/path/here/<connector name here>.tar --directory /path/to/connect/plugins/here/
and it worked.
Last Friday I started seeing this issue (on an environment that has been live for months) on Ruby on this Docker image:
RestClient::SSLCertificateNotVerified: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I then tried adding a custom PEM (wget https://curl.se/ca/cacert.pem) to link in the environment variable SSL_CERT_FILE (as explained in many other Stack Overflow questions),
but I get:
bash-4.4# wget https://curl.se/ca/cacert.pem
Connecting to curl.se (151.101.2.49:443)
ssl_client: curl.se: certificate verification failed: certificate has expired
wget: error getting response: Connection reset by peer
I tried saving the file on my local machine then docker cp it to the container, but that didn't help either.
I tried running the console with:
bash-4.4# SSL_CERT_FILE=/cacert.pem bundle exec rails c
irb(main):001:0> RestClient.get('https://curl.se/ca/cacert.pem', headers={})
RestClient.get "https://curl.se/ca/cacert.pem", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"rest-client/2.0.2 (linux-musl x86_64) ruby/2.3.8p459"
RestClient::SSLCertificateNotVerified: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I tried running update-ca-certificates both manually in the console, and in the dockerfile, but I get:
bash-4.4# update-ca-certificates
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
When I tried this with the cacert.pem copied to the container as above, update-ca-certificates added a warning to that file too, similar to the ca-certificates.crt one.
The issue doesn't seem to improve with anything.
Running
curl -Lks 'https://git.io/rg-ssl' | ruby
says it's all OK, with all (3) green checks.
Any ideas?
Thanks.
Update
I think this issue might be related to Let's Encrypt expiring their root certificate. I tried the first workaround they recommend, by deleting the file on a container, and also deleting it in the Dockerfile, then running update-ca-certificates. This didn't help either. I'm not sure how to go about the other two workarounds.
If you are on debian 9, I would recommend you to update it. Otherwise, this is my workaround solution for my image.
# Temporarily fix wrong Let's Encrypt R3 chain because it's chained to an expired old root CA (DST Root CA X3) on Debian 9
RUN sed -i -E 's/(.*DST_Root_CA_X3.*)/!\1/' /etc/ca-certificates.conf
# Debian's update-ca-certificates only picks up files ending in .crt under /usr/local/share/ca-certificates
ADD https://letsencrypt.org/certs/isrgrootx1.pem /usr/local/share/ca-certificates/isrgrootx1.crt
RUN update-ca-certificates
FYI: there is a bug in OpenSSL 1.0.2g that causes the issue: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/. Some platforms have released the workaround fix, and you just need to upgrade to the latest ca-certificates and the latest libgnutls30. It would be better if you can upgrade to a more recent OpenSSL.
A way to fix the issue would be to run on the container's console:
apt update && apt install ca-certificates
However, this would be a Docker antipattern, as the changes would be lost when the container is deleted.
The better way would be to rebuild the image from the Dockerfile that you have linked in your question (with docker build), then deleting and recreating the container from the new image.
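As an added example (not code from any of the posts above), this Ruby script lists the certificates in a CA bundle that are past their notAfter date, which is the condition the expired DST Root CA X3 workaround above deals with. The helper names and the two demo roots are constructed for illustration; when run directly it audits the file named by SSL_CERT_FILE, or OpenSSL's default bundle path.

```ruby
require "openssl"

# Build a throwaway self-signed root for the demo (constructed data, not a real CA).
def constructed_root(cn, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_after - 10 * 365 * 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Return the subject of every certificate in a PEM bundle that has expired at `now`.
# Text between PEM blocks (comments in cacert.pem) is ignored; unparsable blocks are skipped.
def expired_roots(bundle_pem, now = Time.now)
  blocks = bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  blocks.each_with_object([]) do |pem, expired|
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::X509::CertificateError
      next
    end
    expired << cert.subject.to_s if cert.not_after < now
  end
end

# Constructed two-root bundle: one root past its notAfter, one still valid.
def demo_bundle
  constructed_root("Constructed Expired Root", Time.utc(2021, 9, 30)) +
    constructed_root("Constructed Valid Root", Time.utc(2035, 1, 1))
end

if __FILE__ == $PROGRAM_NAME
  # Audit the bundle this process would actually use.
  path = ENV.fetch("SSL_CERT_FILE", OpenSSL::X509::DEFAULT_CERT_FILE)
  if File.file?(path) && File.readable?(path)
    expired_roots(File.binread(path)).each { |s| puts "expired root in #{path}: #{s}" }
  else
    warn "no readable CA bundle at #{path}"
  end
end
```

An expired root that still appears in the output after update-ca-certificates has run means it was not deselected from the bundle.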
I had a requirement to rename my mac homefolder, however now when I try to run:
ddev start
I'm getting the following error (which is pointing to the older homefolder name gregmercer):
~/Desktop/ddev/locals/gsb-3/public-website (develop) $ ddev start
Starting gsb-d8...
Using custom nginx configuration in /Users/gmercer/Desktop/ddev/locals/gsb-3/public-website/.ddev/nginx_full/nginx-site.conf
Custom configuration takes effect when container is created,
usually on start, use 'ddev restart' if you're not seeing it take effect.
Failed to open /Users/gregmercer/Library/Application Support/mkcert: open /Users/gregmercer/Library/Application Support/mkcert: no such file or directory
I've tried upgrading ddev, but that didn't seem to help.
I've run mkcert -install, and run mkcert -CAROOT. The last command seems to show the correct path to my newly named homefolder gmercer
~/Desktop/ddev/locals/gsb-3/public-website (develop) $ mkcert -CAROOT
/Users/gmercer/Library/Application Support/mkcert
At this point I'm not sure what to try. Any ideas?
Your mkcert CA has been orphaned.
Please try mkcert -uninstall and then mkcert -install
Then edit or remove the existing mkcert_caroot in your ~/.ddev/global_config.yaml
While attempting to build an image in Docker/macOS, I get the following error:
failed to compute cache key: failed to create hash for
/app-temp/client/dist: operation not supported
My Dockerfile looks like this:
FROM node:lts-alpine as ui-build
WORKDIR /app-temp
COPY client/ ./client/
RUN cd client && npm install
RUN cd client && npm run build
FROM node:lts-alpine as api-build
WORKDIR /app
COPY --from=ui-build /app-temp/client/dist ./client/dist
COPY server/ ./server/
RUN cd server && npm install
EXPOSE 3000
CMD ["node", "/app/server/src/index.js"]
And the docker command that I am using is:
docker build -t test-image .
Now, note that the image is successfully built in a Linux machine. However, the above-mentioned error persists in a macOS machine.
I am running macOS Big Sur 11.2.1.
Any ideas as to how to solve this problem?
Thanks in advance.
Just in case someone else finds himself here:
Look in your .dockerignore file to see if dist is in the list.
Also, try building with BUILDKIT disabled:
DOCKER_BUILDKIT=0 docker build ....
I'm gonna throw my solution out there.
Setup: .NET 5 web app with Docker enabled, contains a Dockerfile that was created by Visual Studio.
There was a step where the Dockerfile was saying to copy my csproj up to the parent folder. I edited the source directory from parent/myproject.csproj to myproject.csproj, then I ran docker build and it worked.
I'm assuming that when I ran docker build I was down one level in the child folder where the Dockerfile lives, and the paths just weren't lining up.
I'm trying to build a Docker image from a Dockerfile. The image is based on the latest node:alpine image. It installs Ruby and a few gems on top of it. Here is the Dockerfile:
FROM node:alpine
ENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle \
BUNDLE_BIN=/usr/local/bundle/bin BUNDLE_PATH=/usr/local/bundle
RUN apk add ruby ruby-io-console ruby-bundler ca-certificates \
build-base ruby-dev ruby-json libffi-dev \
python zlib-dev --no-cache && \
update-ca-certificates
WORKDIR /opt/middleman
COPY Gemfile* ./
RUN bundle install --clean
COPY package.json ./
RUN npm install
I can build the image on Linux and MacOS, but on Windows bundler fails randomly, on a different gem every time, with the following message:
Gem::RemoteFetcher::FetchError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (https://rubygems.org/gems/rack-2.0.1.gem)
I've googled the SSL error and most solutions suggest installing some SSL certificates. However, in my case the base Docker image is the same. Only the Docker host OS is different. And if the problem were the SSL certs, bundler would always fail on the first gem not a random one each time. So my guess is there's something wrong when Docker runs on Windows, but I have run out of ideas. Any help?
PS: I've made sure that all machines have the same snapshot of node:alpine which happens to be this:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
node alpine 37434f668ea8 30 hours ago 55.3 MB
Update:
I also tried building the quick-start Rails image and it fails.
I tried building the quick-start image with the older Docker Toolbox which uses VirtualBox instead of Hyper-V. It failed again, each time on a different gem, but the error is now different:
Gem::RemoteFetcher::FetchError: Errno::ECONNRESET: Connection reset by peer - SSL_connect (https://rubygems.org/gems/minitest-5.10.1.gem)
Still an SSL error, though.
Thanks for all your comments. I finally found the culprit. It's a "feature" of my Killer Wireless card... For future reference, I had to disable "Advanced Stream Detect" in the "Killer Network Manager" app.
They should probably call it SSL killer.