Old ca-certificates.crt copied between stages in a multi-stage Dockerfile



I have a multi-stage Dockerfile in this format, in which I am trying to add a self-generated CA certificate to the Docker image.

FROM golang:1.13 as builder
RUN cp myCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
# Few more lines here that copy some files I cannot mention
FROM docker.io/alpine@sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65 
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# Entrypoint command that I cannot mention

I noticed that when I start a Docker container based on the built image, exec into it, and curl an https endpoint whose certificate is signed by myCA.crt, I get

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

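But I did not expect to get this, because when building the image I do see the CA certificate being added to the trusted list of CA certificates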

Step 6/20 : RUN update-ca-certificates
---> Running in af768d679d17
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.

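In addition, I did some troubleshooting and confirmed that the CA certificate in question is not found at all in the ca-certificates.crt of the built image.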

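I also started a Docker container from the golang:1.13 image and repeated the steps shown for adding the CA certificate, and I was able to curl the same endpoint without any errors.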

What am I missing?

I ended up copying myCA.crt into the second stage of the Dockerfile and running update-ca-certificates

COPY --from=builder /usr/local/share/ca-certificates/myCA.crt /usr/local/share/ca-certificates/myCA.crt
RUN apk add ca-certificates && apk update && update-ca-certificates

The CA certificate is now updated in ca-certificates.crt
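
The manual check described in the question (looking for the CA inside the final image's ca-certificates.crt) can be scripted so the build fails when the bundle is stale. This is an added example, not code from the original post; the function names `pem_bodies` and `bundle_has_cert` are hypothetical, and it needs only POSIX tools that Alpine's busybox provides.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a CA certificate
# is really present in a PEM trust bundle, e.g. as a gate in the final stage.

# Print every certificate in a PEM file as one line of base64 (its DER body),
# ignoring comment text outside the BEGIN/END markers and any CR characters.
pem_bodies() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t]/, ""); body = body $0 }
    '
}

# bundle_has_cert BUNDLE CERT
# Returns 0 if the first certificate in CERT appears in BUNDLE, 1 if it does
# not, and 2 if a file is unreadable or CERT contains no certificate.
# Comparing the joined base64 makes the check independent of line wrapping.
bundle_has_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$1" | grep -qxF -- "$want"
}

# Usage inside the final image (paths as in the post):
#   bundle_has_cert /etc/ssl/certs/ca-certificates.crt \
#       /usr/local/share/ca-certificates/myCA.crt || exit 1
```

Run as a `RUN` step after the `COPY` or `update-ca-certificates` line, a non-zero exit stops the build instead of leaving the problem to surface later as curl error 60.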
