I wanted to use earthly on corporate network that uses SSL probing that issues self-signed certificates. I have custom ca-cert pem file, which I have been using successfully with other tools and toolchains like python, curl, etc.
I am not able to configure it with earthly though. Documentation says that this could be done in earthly config at $HOME/.earthly/config.yml, so I followed it and my config file looks like
global:
  buildkit_additional_args:
    - "-v"
    - "/Users/maca/.config/corporate/cert/cacerts"
No matter what I try, I am getting this error
ongoing |
internal | --> GIT CLONE https://github.com/earthly/hello-world.git
internal | --> docker-image://docker.io/alpine/git:v2.30.1
internal | [ ] resolve docker.io/alpine/git:v2.30.1 ... 0%
internal | fatal: unable to access 'https://github.com/earthly/hello-world.git/': SSL certificate problem: self signed certificate in certificate chain
internal | WARN: (GIT CLONE https://github.com/earthly/hello-world.git) error fetching default branch for repository https://github.com/earthly/hello-world.git: exit status 128
internal | Completed in 121.889053ms
internal | WARN: Canceled
internal | Completed in 122.010694ms
internal | [██████████] resolve docker.io/alpine/git:v2.30.1 ... 100%
Summary of timing information
Note that the times do not include the expansion of commands like BUILD, FROM, COPY (artifact).
internal | () 243.899747ms
===============================================================
Total 243.899747ms
Total (real) 1m15.652038067s
Error stack trace:
github.com/moby/buildkit/util/stack.Enable
github.com/moby/[email protected]/util/stack/stack.go:77
github.com/moby/buildkit/util/grpcerrors.FromGRPC
github.com/moby/[email protected]/util/grpcerrors/grpcerrors.go:188
github.com/moby/buildkit/util/grpcerrors.UnaryClientInterceptor
github.com/moby/[email protected]/util/grpcerrors/intercept.go:41
google.golang.org/grpc.(*ClientConn).Invoke
google.golang.org/[email protected]/call.go:35
github.com/moby/buildkit/api/services/control.(*controlClient).Solve
github.com/moby/[email protected]/api/services/control/control.pb.go:1321
github.com/moby/buildkit/client.(*Client).solve.func2
github.com/moby/[email protected]/client/solve.go:215
golang.org/x/sync/errgroup.(*Group).Go.func1
golang.org/x/[email protected]/errgroup/errgroup.go:57
runtime.goexit
runtime/asm_amd64.s:1371
It seems like earthly is ignoring my cacerts file. Does anyone know how to solve that?
You'll need to do more than just mount the certs directory; Buildkit does not pick them up. To specify custom certificates for a registry, the documentation you linked details how you can use a custom self-signed certificate with a singular Docker Registry, and not in this more general case across a whole build. You can use these docs if you need to push or pull from a registry with custom certificates. Do not forget the additional configuration in buildkit_additional_config if this needs to be configured in your situation.

Now, on to why +hello-world is failing. The GIT CLONE command uses git under the hood. While git on your local machine may be configured to use these custom certificates, the git inside the build here is different, and does not share the same certificate configuration. You'll need to bring in the certificates manually via a COPY, or using a --secret/--secret-file/--build-arg to make it accessible, depending on your use case.

We have some examples in our unit tests that cover this use case. Here is one using a custom clone over HTTPS with a custom cert; and here is how we are adding a custom cert to a build.
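An added illustration of the COPY route described in this answer (example Earthfile, not one of Earthly's own test cases): the corporate CA bundle is copied into the build container and git is pointed at it through GIT_SSL_CAINFO, so the clone is verified against the interception proxy's CA instead of failing on the self-signed chain. It assumes the bundle is a PEM file named cacerts sitting next to the Earthfile, and uses the same alpine/git image the log above shows GIT CLONE pulling.

```earthfile
VERSION 0.6

hello-world:
    # Same image the internal GIT CLONE step uses (see the log above).
    FROM alpine/git:v2.30.1
    # Assumption: the corporate CA bundle (PEM) is checked in or placed
    # next to this Earthfile as "cacerts". Copy it into the build so the
    # build's own git, which has no access to the host's trust store,
    # can see it.
    COPY cacerts /etc/ssl/corp/cacerts.pem
    # Tell git to validate HTTPS chains against that bundle. This replaces
    # the default bundle, which is fine behind an intercepting proxy that
    # re-signs every connection with the corporate CA.
    ENV GIT_SSL_CAINFO=/etc/ssl/corp/cacerts.pem
    # Sanity check before cloning: the file must parse as at least one
    # CA certificate, otherwise git would fail with a misleading TLS error.
    RUN test -s /etc/ssl/corp/cacerts.pem \
        && grep -q 'BEGIN CERTIFICATE' /etc/ssl/corp/cacerts.pem
    # Plain "git clone" here runs inside this container, so it honours
    # GIT_SSL_CAINFO; the built-in GIT CLONE command runs in a separate
    # internal container and does not see the copied file.
    RUN git clone --depth 1 https://github.com/earthly/hello-world.git /src
    SAVE ARTIFACT /src
```

Only the CA certificate (public data) is copied in; the same target can be fed the bundle through --secret-file instead if the file must not end up in a layer.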