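Older ca-certificates.crt gets copied between stages in a multi-stage Dockerfile

Problem description

I have a multi-stage Dockerfile in this format, and I am trying to add a self-generated CA certificate to the image.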

FROM golang:1.13 as builder
RUN cp myCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# Few more lines here that copy some files I cannot mention

FROM docker.io/alpine@sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65 

COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

# Entrypoint command that I cannot mention

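What I noticed is that when I start a docker container from the built image, exec into it, and curl an https endpoint whose certificate is signed by myCA.crt, I get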

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

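But I did not expect to get this, because while building the image I do see that the CA certificate has been added to the trusted list of CA certificates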

Step 6/20 : RUN update-ca-certificates
 ---> Running in af768d679d17
Updating certificates in /etc/ssl/certs...
1 added,0 removed; done.

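Also, I did some troubleshooting and confirmed that the indicated CA certificate is not found at all in the ca-certificates.crt of the built image.

I also started a docker container from the image golang:1.13 and repeated the steps of adding the indicated CA certificate, and I was able to curl the same endpoint without any errors

What could I be missing?

Solution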

I ended up copying myCA.crt into the second stage of the Dockerfile and running update-ca-certificates, and the CA certificate was updated in ca-certificates.crt.
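The troubleshooting step from the question (checking whether the CA actually ended up in the final image's ca-certificates.crt) can be automated as a build-time check. The following is an added example, not code from the original post: it compares certificates by the SHA-256 of their DER bytes, so PEM line wrapping does not matter. The function names are assumptions, and the sample "certificates" are constructed placeholder bytes rather than real certificates.

```go
package main

import (
	"crypto/sha256"
	"encoding/pem"
	"errors"
	"fmt"
)

// fingerprints returns the SHA-256 of each CERTIFICATE block in a PEM bundle.
func fingerprints(bundle []byte) map[[32]byte]bool {
	seen := make(map[[32]byte]bool)
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			seen[sha256.Sum256(block.Bytes)] = true
		}
	}
	return seen
}

// bundleHasCA reports whether every certificate in caPEM (e.g. myCA.crt)
// is present in bundle (e.g. /etc/ssl/certs/ca-certificates.crt).
func bundleHasCA(caPEM, bundle []byte) (bool, error) {
	want, have := fingerprints(caPEM), fingerprints(bundle)
	if len(want) == 0 {
		return false, errors.New("no CERTIFICATE block in CA file")
	}
	for fp := range want {
		if !have[fp] {
			return false, nil
		}
	}
	return true, nil
}

// samplePEM builds a constructed bundle; the bytes stand in for DER certificates.
func samplePEM(ders ...string) (out []byte) {
	for _, d := range ders {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(d)})...)
	}
	return out
}

func main() {
	ca := samplePEM("constructed-myCA")
	stale := samplePEM("constructed-root-1", "constructed-root-2")
	before, _ := bundleHasCA(ca, stale)
	after, _ := bundleHasCA(ca, append(stale, ca...))
	fmt.Println("stale bundle has CA:", before, "| rebuilt bundle has CA:", after)
}
```

In a real build the two byte slices would be read from myCA.crt and from the final stage's /etc/ssl/certs/ca-certificates.crt, and a false result would fail the build.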