buildkite-plugins / docker-compose-buildkite-plugin

🐳⚡️ Run build scripts, and build + push images, w/ Docker Compose
MIT License
172 stars 140 forks source link

buildkite-agent error `x509: certificate signed by unknown authority` #368

Closed jiajiawang closed 1 year ago

jiajiawang commented 1 year ago

I'm trying to use buildkite-agent within docker containers. Turned on mount-buildkite-agent: true, but getting error

FATAL  Failed to change step: Put "https://agent.buildkite.com/v3/steps/.....": x509: certificate signed by unknown authority

Am I missing anything?

toote commented 1 year ago

@jiajiawang that is indeed very weird. I triple-checked that the certificate is indeed valid.

As far as I can speculate, there are two possible explanations to this issue: 1- your conatiner is in a network that uses a proxy or captive portal that is doing something weird with the connection to agent.buildkite.com needing to spoof the SSL certificate 2- your container is missing the root certificates for Amazon certificate chain, depending on the container configuration that may be solved by updating a package in the container itself (or starting off a newer base image)

Occam's razor would indicate the latter is a simpler explanation. If you let us know what image you are starting your container off of, we might be able to further assist you (despite the issue not being related to this plugin)

jiajiawang commented 1 year ago

@toote Thanks for your info, it's really helpful. It's indeed something to do with the base image. The issued image I'm currently using is public.ecr.aws/docker/library/node:16-buster-slim. Once I changed it to public.ecr.aws/docker/library/node:16, the issue is gone. Apparently something that's missing from the slim image are required when connect to agent.buildkite.com.

jiajiawang commented 1 year ago

OK, It's ca-certificates which isn't installed by default on the slim image.