Go's TLS cannot find root certs in 1.6.2-alpine

[jmhodges]

When trying to port to golang:1.6.2-alpine from golang:1.6.2, the Go HTTP client gets errors like:

x509: failed to load system roots and no roots provided

when making HTTPS requests.

Minimum case:

In the Dockerfile:

FROM golang:1.6.2-alpine
CMD ["sh"]`

And then run go run foo.go with a foo.go of

package main

import (
    "fmt"
    "net/http"
)

func main() {
    _, err := http.Get("https://www.google.com")
    fmt.Printf("welp %s\n", err)
}

[jmhodges]

I see that there's an attempt to install ca-certificates in the the golang:1.6.2-alpine Dockerfile, but it doesn't seem to be enough. I don't know why. Perhaps, the place where alpine puts that package's contents isn't in the list that Go checks?

[jmhodges]

I see that there's an attempt to install ca-certificates in the the golang:1.6.2-alpine Dockerfile, but it doesn't seem to be enough. I don't know why. Perhaps, the place where alpine puts that package's contents isn't in the list that Go checks?

[yosifkit]

ca-certificates gets removed with the rest of the build-deps. Looks like we need to specifically install and keep it if that is what is generally desired and expected on the super slim alpine images.

[yosifkit]

ca-certificates gets removed with the rest of the build-deps. Looks like we need to specifically install and keep it if that is what is generally desired and expected on the super slim alpine images.

[yosifkit]

It seems that I forgot that it is on purpose: #96 (comment)

[yosifkit]

It seems that I forgot that it is on purpose: #96 (comment)

[jmhodges]

Well, for evidence that including them might be nice, I don't have a Go container in production that doesn't do HTTPS requests (for SAAS logs, etc.).

[jmhodges]

Well, for evidence that including them might be nice, I don't have a Go container in production that doesn't do HTTPS requests (for SAAS logs, etc.).

[capkurmagati]

@yosifkit The problem to me is that the images changes its behaviour without any notification(e.g. create a tag).
I used to deploy my https services based on alpine images, but it doesn't work now.
From the immutable point of view, I think we need to do something.

[capkurmagati]

@yosifkit The problem to me is that the images changes its behaviour without any notification(e.g. create a tag).
I used to deploy my https services based on alpine images, but it doesn't work now.
From the immutable point of view, I think we need to do something.

[yosifkit]

This is a duplicate of #96. As I mentioned over there, the ca-certs problem stems from the update to alpine:3.4.

As for immutable image tags, you should probably look in to pulling images by digest. A full history of shas for each official image are in the docs: https://github.com/docker-library/docs/blob/master/golang/tag-details.md.

[yosifkit]

This is a duplicate of #96. As I mentioned over there, the ca-certs problem stems from the update to alpine:3.4.

As for immutable image tags, you should probably look in to pulling images by digest. A full history of shas for each official image are in the docs: https://github.com/docker-library/docs/blob/master/golang/tag-details.md.

[yosifkit]

Closing as duplicate

[yosifkit]

Closing as duplicate

[jmhodges]

Go is one of the few runtimes that had correctly working HTTPS clients working out of the box because it does the work of looking for the OS's root certs. People are more likely to enable insecure certificate verification than figure out how to fix this. Since these are the official Go images, not including the root certificates would have outsized impact on the community.

Please add the certs.

[jmhodges]

Go is one of the few runtimes that had correctly working HTTPS clients working out of the box because it does the work of looking for the OS's root certs. People are more likely to enable insecure certificate verification than figure out how to fix this. Since these are the official Go images, not including the root certificates would have outsized impact on the community.

Please add the certs.

[jmhodges]

Also, I should note that adding just the certs adds only 0.621 MB to the 272MB image.

[jmhodges]

Also, I should note that adding just the certs adds only 0.621 MB to the 272MB image.