
Self Signed Certificates in Earthly


I wanted to use earthly on a corporate network that uses SSL probing and issues self-signed certificates. I have a custom ca-cert pem file, which I have been using successfully with other tools and toolchains like python, curl, etc.

I am not able to configure it with earthly though. Documentation says that this could be done in the earthly config at $HOME/.earthly/config.yml, so I followed it and my config file looks like this:

    global:
      buildkit_additional_args:
        - "-v"
        - "/Users/maca/.config/corporate/cert/cacerts"

No matter what I try, I am getting this error:

    ongoing |
            internal | --> GIT CLONE https://github.com/earthly/hello-world.git
            internal | --> docker-image://docker.io/alpine/git:v2.30.1
            internal | [          ] resolve docker.io/alpine/git:v2.30.1 ... 0%
            internal | fatal: unable to access 'https://github.com/earthly/hello-world.git/': SSL certificate problem: self signed certificate in certificate chain
            internal | WARN: (GIT CLONE https://github.com/earthly/hello-world.git) error fetching default branch for repository https://github.com/earthly/hello-world.git: exit status 128
            internal | Completed in 121.889053ms
            internal | WARN: Canceled
            internal | Completed in 122.010694ms
            internal | [██████████] resolve docker.io/alpine/git:v2.30.1 ... 100%
Summary of timing information
Note that the times do not include the expansion of commands like BUILD, FROM, COPY (artifact).
            internal | () 243.899747ms
===============================================================
Total           243.899747ms
Total (real)    1m15.652038067s

It seems like earthly is ignoring my cacerts file. Does anyone know how to solve that?


Solution

  • You'll need to do more than just mount the certs directory; Buildkit does not pick them up. The documentation you linked covers specifying custom certificates for a registry: it details how you can use a custom self-signed certificate with a single Docker Registry, not this more general case across a whole build. You can use those docs if you need to push or pull from a registry with custom certificates. Do not forget the additional configuration in buildkit_additional_config if this needs to be configured in your situation.

    Now, on to why +hello-world is failing. The GIT CLONE command uses git under the hood. While git on your local machine may be configured to use these custom certificates, the git inside the build here is different, and does not share the same certificate configuration. You'll need to bring in the certificates manually via a COPY, or using a --secret/--secret-file/--build-arg to make it accessible, depending on your use case.

    We have some examples in our unit tests that cover this use case. Here is one using a custom clone over HTTPS with a custom cert, and here is how we are adding a custom cert to a build.
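As an added illustration of the answer above (not code from the Earthly project or the poster), here is an Earthfile that brings the corporate CA into the build container itself, installs it into that container's trust store, and then clones over HTTPS with git inside a RUN step rather than with GIT CLONE. It assumes a file named corporate-ca.pem next to the Earthfile (COPY variant) or passed with `earthly --secret-file corp_ca=/path/to/ca.pem +clone-via-secret` (secret variant); both names are assumptions.

```earthfile
VERSION 0.6

# Variant 1: the CA file is part of the build context (assumed name: corporate-ca.pem).
clone-via-copy:
    FROM alpine:3.15
    RUN apk add --no-cache git ca-certificates
    # The build container does not see the host's trust store, so the CA must be
    # copied in. Alpine's update-ca-certificates only picks up *.crt files here.
    COPY corporate-ca.pem /usr/local/share/ca-certificates/corporate-ca.crt
    RUN update-ca-certificates
    # Point git at the merged bundle explicitly so the clone does not depend on
    # whichever store the git build in this image consults by default.
    RUN git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt
    WORKDIR /src
    RUN git clone https://github.com/earthly/hello-world.git
    SAVE ARTIFACT /src/hello-world

# Variant 2: the CA file is supplied as a build secret, so it never has to be
# committed next to the Earthfile (assumed secret name: corp_ca).
clone-via-secret:
    FROM alpine:3.15
    RUN apk add --no-cache git ca-certificates
    # The secret is mounted only for the duration of this RUN; what persists is the
    # bundle that update-ca-certificates writes to /etc/ssl/certs/ca-certificates.crt.
    RUN --mount=type=secret,id=+secrets/corp_ca,target=/usr/local/share/ca-certificates/corporate-ca.crt \
        update-ca-certificates
    RUN git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt
    WORKDIR /src
    RUN git clone https://github.com/earthly/hello-world.git
    SAVE ARTIFACT /src/hello-world
```

Either target only trusts the CA inside the build image; pushes or pulls to a registry that presents the same CA still need the buildkit_additional_config setup from the registry docs the answer mentions.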