earthly: SSL/TLS trust issues: unable to add custom certificates or disable verification
Hi, I’m working in a corporate environment where I need to specify the certificates which should be used for verification of remote connections. Unfortunately, right now I can’t pull from internal registries since I get the following error:
...snip...
r/r/ubi8:latest | --> Load metadata linux/amd64
r/r/ubi8:latest | WARN: (Load metadata linux/amd64) failed to do request: Head https://REGISTRY/PATH: x509: certificate signed by unknown authority
Error: failed to do request: Head https://REGISTRY/PATH: x509: certificate signed by unknown authority
Since the registry is contacted every time regardless of local image presence (outlined further here in #345), it appears that I have a blocker to adopting Earthly.
How can I provide more information to troubleshoot this? I would be happy to try some things out, as well. I really appreciate all of your time and efforts.
Thanks, +Jonathan
About this issue
- State: closed
- Created 3 years ago
- Comments: 20 (11 by maintainers)
Are you still running with a config such as https://github.com/earthly/earthly/issues/796#issuecomment-786116009 ? Or can you share an example if it’s changed?
Could it be that your custom pems do not contain a root level cert for github?
Perhaps you can try running
to see if wget works within the same container?
Holy monkey, that was it. You’re all good and I just wanted to say thanks for helping me look at this enough to find the problem!
Take it easy!
Thanks, +Jonathan
Hi @yonkeltron - the next release of Earthly will have support for this via the configuration shown in https://github.com/earthly/earthly/pull/797. Let me know if this works for you once you give it a try.
Note that you will also be able to use an insecure registry
and use
SAVE IMAGE --insecure <registry-hostname>/<image:tag> in Earthfiles. It doesn’t sound like your use-case but I wrote this here in case someone finds this on Google.