skaffold: x509: certificate signed by unknown authority when using Jib (MacOS)

Most of the issues that talked about this error was using kaniko, so I decided to make a separate one for Jib.

While the certificate is loaded on Java (for Jib) and OS’s CA I still get x509 certificate error after Jib build. Seems that the error comes when skaffold tries to pull the image from the registry after jib has successfully pull, build and push the image.

Containerizing application to xxx/dev/yyy...
Base image 'xxx/dev/tomcat:7.0.96-jdk8-adoptopenjdk-hotspot' does not use a specific image digest - build may not be reproducible
Retrieving registry credentials for xxx...
Getting manifest for base image xxx/dev/tomcat:7.0.96-jdk8-adoptopenjdk-hotspot...
Building dependencies layer...
Building resources layer...
Building classes layer...
Building extra files layer...
The base image requires auth. Trying again for xxx/dev/tomcat:7.0.96-jdk8-adoptopenjdk-hotspot...
Retrieving registry credentials for xxx...
Using base image with digest: sha256:8a83f6b072f390810ee7b28b55ab781cabacb583dbf6ee523a648ae1c066b399

Container entrypoint set to [/bin/bash] (inherited from base image)

Built and pushed image as xxx/dev/yyy

BUILD SUCCESSFUL in 9s

I already tried some workarounds that I saw on different issues with no luck like creating my own .cert, .pem, .key and providing them with DOCKER_TLS, DOCKER_CERT_PATH and DOCKER_HOST but had no luck.

Expected behavior

Use the certificate from operating system’s certificate authority and pull the image.

Actual behavior

Getting x509 error when at build artifact step. Logs do not provide much information about the failing buid. This is right after the successful build with debug verbosity.

FATA[0036] failed to build: build failed: build failed: building [xxx/dev/yyy]: build artifact: getting image: Get https://xxx/v2/: x509: certificate signed by unknown authority

Information

  • Skaffold version: v0.40.0
  • Operating system: MacOS Sierra
  • Docker: Non installed
  • Registry: Harbor
  • Contents of skaffold.yaml:
apiVersion: skaffold/v1beta16
kind: Config
build:
  tagPolicy:
    sha256: {}
  artifacts:
    - image: xxx/dev/yyy
      jib:
        project: yyy
        args:
          - --no-scan
deploy:
  helm:
    releases:
      - name: release
        chartPath: helm-chart
        values:
          apps.yyy.image: xxx/dev/yyy
        valuesFiles:
          - values-dev.yaml

Steps to reproduce the behavior

  1. Have a registry with self-signed certificate
  2. Load it to Java and OS’s CA and build with Jib normally
  3. Try to pull/push with HTTPS on skaffold

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 19 (9 by maintainers)

Most upvoted comments

any updates on this? I’m still having this issue

+1
whodevil on Feb 14, 2020

@slowr As a workaround - can you try if --cache-artifacts=false helps with the post-failure - I think that is code path that is trying to get the remote config from the registry and fails…

+1
balopat on Oct 24, 2019
Read more comments on GitHub
← skaffold: x509: certificate signed by unknown authority
fontmake: contours of zero width can't be exported into a variable font →