apko build and publish tls: failed to verify certificate
Conor-Behard333 opened this issue · 4 comments
Currently the apko cli does not have any options to provide certificates when pulling from a self-hosted apk registry when building an image (`apko build`) or when pushing to a self-hosted registry instance (`apko publish`), resulting in the following error:
failed to fetch apk key: Get "<self-hosted-registry-artefact>": Head "<self-hosted-registry-artefact>": tls: failed to verify certificate: x509: certificate signed by unknown authority
Are these options able to be added to the cli?
This is technically feasible, and if it would help folks to add them then it seems worth adding.
However, this isn't a feature of apko we'd use ourselves, so we're probably unlikely to prioritize adding it at this time. If you feel compelled to send a PR I can review it and get it in, but other than that I can't make many promises, sorry.
If there's a common pattern for passing custom certs, it would be good to follow that pattern if you're interested in adding that to apko.
@Conor-Behard333 are you on Linux? Because all Go binaries (of which apko is one) support these environment variables:
// SystemCertPool returns a copy of the system cert pool.
//
// On Unix systems other than macOS the environment variables SSL_CERT_FILE and
// SSL_CERT_DIR can be used to override the system default locations for the SSL
// certificate file and SSL certificate files directory, respectively. The
// latter can be a colon-separated list.
//
// Any mutations to the returned pool are not written to disk and do not affect
// any other pool returned by SystemCertPool.
//
// New changes in the system cert pool might not be reflected in subsequent calls.
Alternatively, you can enroll the certificate into the system CA store and it should also work. (Mac OS X user keychain?! and Windows Certificate store?! or update-ca-certs on most Linuxes)
Please let me know if above environment variables work for you.
Yes it was in a linux container and setting the SSL_CERT_DIR/SSL_CERT_FILE variable worked, thank you!
Normally we would just add the certs to the trust store, but it is a hardened image where the user doesn't have the perms to add and update the cert store.
I recommend https://images.chainguard.dev/directory/image/apko/versions ;-) which has zero-CVEs and is a hardened image. But it is very self-referencing. We do preset SSL_CERT_FILE variable there too, to both document the location of the certs and which ones are being used by default.