New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x509: failed to load system roots and no roots provided #126

Closed
funnythingz opened this Issue May 8, 2015 · 7 comments

Comments

Projects
None yet
5 participants
@funnythingz

funnythingz commented May 8, 2015

Hi

Goji is cool software.
I have a question.

x509: failed to load system roots and no roots provided
This error is when image put to S3 run on docker

I heal Maybe this
https://medium.com/@kelseyhightower/optimizing-docker-images-for-static-binaries-b5696e26eb07

pool = x509.NewCertPool()
pool.AppendCertsFromPEM(pemCerts)
client = &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{RootCAs: pool},
    },
}

use doing what this in goji?

Thanks!

@elithrar

This comment has been minimized.

Contributor

elithrar commented May 8, 2015

Can you post the contents of the Dockerfile your image is using?

As Kelsey points out in that article - if you're using a really minimal
image, you don't get cgo support (
http://dominik.honnef.co/posts/2013/12/cross_compiling_go_and_hidden_uses_of_cgo/)
nor the root CA certificates.

You need to copy the root CA's from somewhere else (i.e. a larger image -
i.e. Debian full), store them in your smaller image and then call
x509.NewCertPool(). You'll see that the pemCerts variable is a global
that just statically dumps the root CA certificates into the source (
https://github.com/kelseyhightower/contributors/blob/master/certs.go) - but
you could also put them into a file and read that in init() too.

A simpler solution is to use a full image like the 85MB Debian image and
"wear" the extra ~80MB of disk space in exchange for simpler deployment:
https://registry.hub.docker.com/_/debian/

Hope that helps. If it's not clear, post your Dockerfile :)

On Fri, May 8, 2015 at 9:24 AM Hiroki Oiwa notifications@github.com wrote:

Hi

Goji is cool software.
I have a question.

x509: failed to load system roots and no roots provided
This error is when image put to S3 run on docker

I heal Maybe this

https://medium.com/@kelseyhightower/optimizing-docker-images-for-static-binaries-b5696e26eb07

pool = x509.NewCertPool()
pool.AppendCertsFromPEM(pemCerts)
client = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{RootCAs: pool},
},
}

use doing what this in goji?

Thanks!


Reply to this email directly or view it on GitHub
#126.

@elithrar

This comment has been minimized.

Contributor

elithrar commented May 8, 2015

PS: This isn't really a Goji-related issue but happy to help you get up and
running with Goji nonetheless.

On Fri, May 8, 2015 at 9:32 AM Matt S matt@eatsleeprepeat.net wrote:

Can you post the contents of the Dockerfile your image is using?

As Kelsey points out in that article - if you're using a really minimal
image, you don't get cgo support (
http://dominik.honnef.co/posts/2013/12/cross_compiling_go_and_hidden_uses_of_cgo/)
nor the root CA certificates.

You need to copy the root CA's from somewhere else (i.e. a larger image -
i.e. Debian full), store them in your smaller image and then call
x509.NewCertPool(). You'll see that the pemCerts variable is a global
that just statically dumps the root CA certificates into the source (
https://github.com/kelseyhightower/contributors/blob/master/certs.go) -
but you could also put them into a file and read that in init() too.

A simpler solution is to use a full image like the 85MB Debian image and
"wear" the extra ~80MB of disk space in exchange for simpler deployment:
https://registry.hub.docker.com/_/debian/

Hope that helps. If it's not clear, post your Dockerfile :)

On Fri, May 8, 2015 at 9:24 AM Hiroki Oiwa notifications@github.com
wrote:

Hi

Goji is cool software.
I have a question.

x509: failed to load system roots and no roots provided
This error is when image put to S3 run on docker

I heal Maybe this

https://medium.com/@kelseyhightower/optimizing-docker-images-for-static-binaries-b5696e26eb07

pool = x509.NewCertPool()
pool.AppendCertsFromPEM(pemCerts)
client = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{RootCAs: pool},
},
}

use doing what this in goji?

Thanks!


Reply to this email directly or view it on GitHub
#126.

@funnythingz

This comment has been minimized.

funnythingz commented May 8, 2015

@elithrar Thank you message!

I make not Dockerfile.
docker image is scratch image.

// local client
$ GOOS=linux go build -o ./app
$ tar cvfz app.tar.gz ./app
// CoreOS on EC2
$ cat app.tar.gz | docker import - app
$ docker run -d -p 80:8000 app /app

A simpler solution is to use a full image like the 85MB Debian image and
"wear" the extra ~80MB of disk space in exchange for simpler deployment:

I think this it is proposed a Better.

Thanks!!

@funnythingz funnythingz closed this May 8, 2015

@funnythingz

This comment has been minimized.

funnythingz commented May 8, 2015

@elithrar
As a result of various trial from there , it was resolved

$ docker run -v '/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt' -d -p 80:8000 app /app

To you I will very grateful.
Thanks!

@orian

This comment has been minimized.

orian commented Feb 12, 2016

apt-get install -y ca-certificates also helps

@rijnhard

This comment has been minimized.

rijnhard commented May 27, 2016

i had a similar issue, just reinstalling ca-certificates failed since the java keystore crashed half way through.

heres what i did
moby/moby#5157 (comment)

saifulwebid added a commit to saifulwebid/saifulwebid-hugo-source that referenced this issue Oct 30, 2016

@astromahi

This comment has been minimized.

astromahi commented Jan 4, 2017

Installing CA certificates resolved the issue (for alpine: apk add ca-certificates) .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment