concourse/oci-build-task

Building using an image from a private repository results in "x509: certificate signed by unknown authority".

chriseaton opened this issue · 2 comments

When our Dockerfile specifies an image in a private repo, it causes the oci-build-task to fail. As far as I could tell, there's no way to specify a custom CA.

```
ERROR: failed to do request: Head "https://our-private-repo/v2/shared/centos/manifests/latest": x509: certificate signed by unknown authority
```

Here's a possible workaround, with the downside that you're basically forking the official oci-build-task image and using it in the interim:

  1. Build your own oci-build-task image with a Dockerfile like this to add your ca.crt file to the image, and push to your private registry:

```dockerfile
FROM docker.io/concourse/oci-build-task:latest

# Place the private CA where update-ca-certificates looks for local CAs
# (it only picks up files whose names end in .crt)
COPY ca.crt /usr/local/share/ca-certificates/

# Rebuild the image's trusted CA bundle so it includes ca.crt
RUN update-ca-certificates
```

  2. In your pipeline, specify your oci-build-task image in place of the official one:

```yaml
...
  - task: build-task-image
    privileged: true
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: fir.love.io:3005/amd64/oci-build-task
          # repository: concourse/oci-build-task
          tag: latest
...
```

Related: #70 (comment) has a slightly cleaner temporary solution that doesn't require making a custom image.

Looking at the code, however, I believe adding an input for custom certs/ca should be pretty easy.