X509: Certificate Signed by Unknown Authority & Go Docker & EKS
If you encounter the error below, your Go application on EKS has failed to send an HTTP request to another service.
Problem: x509: certificate signed by unknown authority
This happens because your HTTP library could not read a CA certificate while setting up the SSL connection to the other service. A missing or incorrect CA certificate is therefore the likely cause of this problem.
Debug steps:
- Check whether the ca-certificates package is packed into the Docker image.
- If not, install ca-certificates in the Dockerfile as below.

```dockerfile
RUN apk add --update --no-cache ca-certificates
```
If you use a multi-stage build to reduce the size of the Docker image for your Go application, remember to copy the whole folder /etc/ssl/certs into the final image as below.

```dockerfile
FROM scratch
WORKDIR /
COPY --from=builder /etc/ssl/certs /etc/ssl/certs
```
How to build a lightweight Go application with CA certificates in a Dockerfile for EKS?
Below is a complete example Dockerfile that builds a lightweight Go application image which you can deploy to AWS EKS or other Kubernetes platforms.
```dockerfile
############################
# STEP 1 build executable binary
############################
FROM golang:1.13.11-alpine AS builder
# ca-certificates installs the CA bundle under /etc/ssl/certs
RUN apk add --update --no-cache ca-certificates git
RUN apk --update add \
    go \
    musl-dev
RUN mkdir /my-app
WORKDIR /my-app
COPY ./configs /my-app
COPY go.mod .
COPY go.sum .
RUN go mod download
COPY . .
# Build the binary.
RUN CGO_ENABLED=1 go build -a -ldflags "-linkmode external -extldflags '-static' -s -w" -o /go/bin/my-app-main
RUN echo $(ls -1 /my-app/app)
############################
# STEP 2 build a small image
############################
FROM scratch
WORKDIR /
COPY --from=builder /go/bin/my-app-main .
COPY --from=builder /my-app/configs ./configs
# Copy the CA bundle so the binary can verify TLS server certificates
COPY --from=builder /etc/ssl/certs /etc/ssl/certs
EXPOSE 8081
ENTRYPOINT ["/my-app-main"]
```
I hope this tutorial can be helpful for you.
Thank you for reading!