setup-buildx-action: self signed certificates not working - "x509: certificate signed by unknown authority" error with private Docker repository
Behaviour
Steps to reproduce this issue
- Create private Docker Registry with self signed certificates
- Create Github runner with ca-certificate mounted into /etc/docker/certs.d/docker-registry.actions-runner-system.svc\:5000/ca.crt, so that Docker can pull and push from a private registry with those certs
- Configure Github workflow yaml to use this certificate
```yaml
- name: Setup docker context for buildx
  id: buildx-context
  run: docker context create builders || docker context use builders
- name: Copy ca cert
  run: |
    sudo cp /etc/docker/certs.d/docker-registry.actions-runner-system.svc\:5000/ca.crt /etc/ssl/certs/ca-certificates.crt
- name: Create BuildKit Configuration
  run: |
    cat <<EOF > buildkitd.toml
    [registry."docker-registry.actions-runner-system.svc:5000"]
      http = false
      insecure = false
      ca=["/etc/ssl/certs/ca-certificates.crt"]
    EOF
- name: Setup Docker Buildx
  id: setup_docker_buildx
  uses: docker/setup-buildx-action@v1
  with:
    endpoint: builders
    buildkitd-flags: --debug
    config: buildkitd.toml
- name: Build and push (broker)
  id: docker_build_broker
  uses: docker/build-push-action@v2
  with:
    file: Dockerfile
    push: false # deactivated for testing
    tags: someOtherRegistry/app:test
    cache-from: type=registry,ref=docker-registry.actions-runner-system.svc:5000/app:buildcache
    cache-to: type=registry,ref=docker-registry.actions-runner-system.svc:5000/app:buildcache,mode=max
```
Expected behaviour
My expectation is that “setup-buildx-action” should take the ca-certs from the Runner and use them in the moby/buildkit:buildx-stable-1 Docker container, where the build-push-action is executed.
This is based on https://github.com/docker/buildx/pull/787#discussion_r734168450 - If I understood it correctly.
Actual behaviour
x509: certificate signed by unknown authority

Are my expectations wrong or did I use some wrong configuration?
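The following is an added example, not code from the issue or from the buildx project. It generates the `buildkitd.toml` registry stanza the workflow above builds by hand, checks that the `ca` path really is a PEM certificate before the builder ever sees it, and reproduces locally the trust check that produces "x509: certificate signed by unknown authority" when the builder's trust store lacks the private CA. Unlike the `Copy ca cert` step above, which replaces the whole system bundle `/etc/ssl/certs/ca-certificates.crt` with a single CA and so removes trust in every public CA for everything else on the runner, the stanza points `ca` at the registry-specific file. Function names, the constructed PKI and the CA subjects are assumptions made for this example; the registry host is the one from the issue. The PKI and verification parts need the `openssl` CLI, writing the config does not.

```shell
#!/bin/sh
# Added example (not from the issue or the buildx project): write a buildkitd.toml
# that trusts a private registry CA and show, with a constructed PKI, why
# verification fails when that CA is missing from the builder's trust store.
set -eu

# Write a registry stanza to $3 trusting CA file $2 for registry $1 (host:port).
# The CA path is checked to be a readable PEM certificate so a typo fails here
# rather than as an opaque TLS error inside the BuildKit container.
write_buildkitd_toml() {
  registry="$1"; ca_file="$2"; out="$3"
  if [ ! -r "$ca_file" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
    echo "write_buildkitd_toml: not a readable PEM certificate: $ca_file" >&2
    return 1
  fi
  cat > "$out" <<EOF
# TLS stays on: the fix is trusting the CA, not setting insecure = true
[registry."${registry}"]
  http = false
  insecure = false
  ca = ["${ca_file}"]
EOF
}

# Verify that leaf certificate $1 chains to CA file $2. This is the same trust
# decision BuildKit makes when it pulls from or pushes cache to the registry.
verify_cert_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Create a constructed PKI in directory $1: a private CA (ca.crt), a registry
# leaf certificate signed by it (registry.crt), and an unrelated CA (other.crt)
# standing in for a trust store that does not contain the private CA.
# All subjects and keys here are constructed for this example.
make_constructed_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=docker-registry.actions-runner-system.svc" \
    -keyout "$d/registry.key" -out "$d/registry.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/registry.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/registry.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
}

# Stand-alone walkthrough: build the config, then verify the registry
# certificate once against the right CA and once against the wrong one.
demo() {
  dir=$(mktemp -d)
  make_constructed_pki "$dir"
  write_buildkitd_toml "docker-registry.actions-runner-system.svc:5000" "$dir/ca.crt" "$dir/buildkitd.toml"
  cat "$dir/buildkitd.toml"
  if verify_cert_against_ca "$dir/registry.crt" "$dir/ca.crt"; then
    echo "trust store with the private CA: verification OK"
  fi
  if ! verify_cert_against_ca "$dir/registry.crt" "$dir/other.crt"; then
    echo "trust store without the private CA: verification fails (the unknown-authority case)"
  fi
  rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl not found; skipping demo" >&2
fi
```

The generated file is what goes to `docker buildx create --config buildkitd.toml` or, in a workflow, to the `config:` input of `setup-buildx-action` as in the steps above; the verification step is a cheap way to confirm on the runner that the CA file you are about to hand to the builder actually issued the registry's certificate.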
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (2 by maintainers)
I don’t use github workflow or k8s so notation was not very clear. But yes I’ve managed to push the multi-arch image to secure repo. Created a buildkitd.toml file and passed it while creating new buildx builder.
Replace
ca=["/etc/ssl/certs/ca-certificates.crt"]
with
ca=["/etc/pki/ca-trust/source/anchors/ca.crt"]
for centos. Was still getting
x509: certificate signed by unknown authority
on other machines trying to pull/push an image directly (without buildx) to the registry, but that was due to the certificate not being recognized even after the commands below. Had to restart the machines for the certificate to be recognized. Maybe logging in/out would be enough…
Ubuntu:
Centos:

Thanks a lot, this worked! I think buildx is so isolated from the host (compared to build) that it needs the reference to the new certificate.

@erichorwath This has been fixed with https://github.com/docker/buildx/pull/787 and available since 0.7.0-rc1:
Let us know if it works. I will also open a PR to update our doc here when 0.7.0 is GA.

@lmussier we are not “execing” into the buildkit container.
Not sure why it is failing for your case, but here is our workflow file:
please note, in our case “registry.actions-runner-system.svc:5000” is a Docker registry without password in the Kubernetes cluster not reachable from outside.

@crazy-max AWESOME!
With that workflow file, I was able to see that my custom ca certs have been copied to the buildkit container (running on Kubernetes):
And now, the Docker layers are successfully pulled from my local registry:
So, everything looks good to me!