gRPC error: unknown certificate authority

Hi!

I had a webapp hosted on google app engine standard, and because I now need to consume a websockets API I moved to Google Compute Engine with Google Datastore as a database.

so I created a Dockerfile

# Empty base image: no shell, no libc and no CA certificate store.
FROM scratch
COPY ./cmd ./
STOPSIGNAL SIGTERM
EXPOSE 80/tcp
EXPOSE 443/tcp
# Make grpc-go log its connection attempts.
ENV GRPC_GO_LOG_SEVERITY_LEVEL INFO
# Exec form (JSON array, straight quotes) is required: scratch has no /bin/sh to run a shell-form CMD.
CMD ["/hello-datastore"]

to embed my compiled app as a binary in a container and publish the image to a registry (google cloud registry). Then start an instance (VM) on Google Cloud Platform from the container’s image (Container-Optimized OS) and start the app.

in my main.go

package main

import (
	"context"
	"flag"
	"log"

	"cloud.google.com/go/datastore" // import the datastore client
)

// TestEntity is the kind written to Datastore below.
type TestEntity struct {
	Description string
}

func main() {
	projectID := flag.String("project", "", "GCP project ID")
	flag.Parse()
	ctx := context.Background()
	// create a new client
	client, err := datastore.NewClient(ctx, *projectID)
	if err != nil {
		log.Fatal(err)
	}
	// Putting an entity fails silently.
	key := datastore.NameKey("testEntity", "milk", nil)
	key.Namespace = "test"
	task := &TestEntity{Description: "Buy milk"}
	if _, err := client.Put(ctx, key, task); err != nil {
		log.Fatalf("Put: %v", err)
	}
}

Setting GRPC_GO_LOG_SEVERITY_LEVEL to INFO shows details about the underlying gRPC calls, and it fails with "x509: unknown certificate authority".

INFO: 2018/12/24 15:40:25 Subchannel Connectivity change to CONNECTING
INFO: 2018/12/24 15:40:25 pickfirstBalancer: HandleSubConnStateChange: 0xc000167930, CONNECTING
WARNING: 2018/12/24 15:40:25 grpc: addrConn.createTransport failed to connect to {datastore.googleapis.com:443 0 }. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
INFO: 2018/12/24 15:40:25 Subchannel Connectivity change to TRANSIENT_FAILURE
INFO: 2018/12/24 15:40:25 pickfirstBalancer: HandleSubConnStateChange: 0xc000167930, TRANSIENT_FAILURE

Validating CA-issued certificates requires a "root store" that contains the CA certificates for the various trusted CAs out there. Your OS will have one of these, but you're not including it in the container. Hence the program running in the container cannot validate other certificates.

You need to add some package with root certificates to your container build.

2 Likes

Exactly! I just used a multi-stage Dockerfile, building from alpine:latest just to get the ca-certificates and copy it to the final image (based on scratch, attaching bin and /etc/ssl/certs/ca-certificates.crt)

Thanks

2 Likes
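The two posts above describe the cause (no root store in a scratch image) and the fix (copying a CA bundle into it). The following Go program is an added example, not code from this thread or from the Google client libraries: it reproduces the exact x509 error that grpc-go surfaced and then shows the fix working with a PEM bundle file of the same shape as /etc/ssl/certs/ca-certificates.crt. The CA ("Example Root CA"), the host name datastore.example.test and the temporary bundle file are all constructed for the demo; nothing here touches a real Google endpoint.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

const host = "datastore.example.test" // constructed for this example, not a real host

// mkCert issues a certificate for tmpl: self-signed when signer is nil (a root CA),
// otherwise signed by parent with signer's key.
func mkCert(tmpl, parent *x509.Certificate, signer crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// LoadBundle builds a root pool from a PEM bundle such as /etc/ssl/certs/ca-certificates.crt,
// failing loudly if the file is missing or holds no certificates (an empty pool only defers the error).
func LoadBundle(path string) (*x509.CertPool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, fmt.Errorf("%s: no PEM certificates found", path)
	}
	return pool, nil
}

// Verify checks leaf as a server certificate for host against roots, the check the TLS client
// inside gRPC runs during the handshake. An empty pool models a FROM scratch image with no CA store.
func Verify(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err // x509.UnknownAuthorityError when roots does not contain the issuing CA
}

// Demo builds a throwaway CA and a leaf it signed, then verifies the leaf with an empty
// root store (the scratch image) and with the CA loaded from a PEM bundle file (the fix).
func Demo() (emptyErr, bundleErr error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return err, err
	}
	leaf, _, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return err, err
	}
	emptyErr = Verify(leaf, x509.NewCertPool())
	// Write the CA as a PEM bundle, the same shape as ca-certificates.crt, and load it back.
	f, err := os.CreateTemp("", "ca-certificates-*.crt")
	if err != nil {
		return emptyErr, err
	}
	defer os.Remove(f.Name())
	pem.Encode(f, &pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	f.Close()
	pool, err := LoadBundle(f.Name())
	if err != nil {
		return emptyErr, err
	}
	return emptyErr, Verify(leaf, pool)
}

func main() {
	e, b := Demo()
	fmt.Println("empty root store:", e)
	fmt.Println("CA from bundle:", b)
}
```

With the empty pool, Verify returns the same "x509: certificate signed by unknown authority" that grpc-go wrapped in its handshake error; with the bundle it returns nil. In the real container you do not load the bundle by hand: on Linux, Go's crypto/x509 builds the system root pool from well-known paths (including /etc/ssl/certs/ca-certificates.crt) or from the file named by SSL_CERT_FILE, so the multi-stage fix from the reply above (install ca-certificates in the alpine build stage, then COPY --from that stage's /etc/ssl/certs/ca-certificates.crt into the scratch image) is enough. Two caveats: the bundle is a snapshot, so rebuild the image when the base bundle changes rather than letting it age with the binary, and do not "fix" this error by switching the client to an insecure or skip-verify transport, which would leave the connection to the Datastore API unauthenticated.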

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.