runfinch / finch

The Finch CLI is an open source client for container development
https://www.runfinch.com
Apache License 2.0
3.49k stars 90 forks

cannot download images when going through company ssl inspection proxy #730

Open aavileli opened 8 months ago

aavileli commented 8 months ago

ISSUE Cannot download images when going through company SSL inspection proxy

Install Netskope or Zscaler clients on the user's machine and execute the following command:

finch run --rm amazoncorretto:11 -- java -version

ERROR

docker.io/library/amazoncorretto:11: resolving      |--------------------------------------|
elapsed: 0.1 s                       total:   0.0 B (0.0 B/s)
INFO[0000] trying next host                              error="failed to do request: Head \"https://registry-1.docker.io/v2/library/amazoncorretto/manifests/11\": tls: failed to verify certificate: x509: certificate signed by unknown authority" host=registry-1.docker.io
FATA[0000] failed to resolve reference "docker.io/library/amazoncorretto:11": failed to do request: Head "https://registry-1.docker.io/v2/library/amazoncorretto/manifests/11": tls: failed to verify certificate: x509: certificate signed by unknown authority

The host shell export variables also don't work: SSL_CERT_FILE

The procedure I followed to resolve this issue is as follows.

  1. Executed into the Lima VM
    LIMA_HOME=/Applications/Finch/lima/data /Applications/Finch/lima/bin/limactl shell finch
  2. Copying the certificate chain from the user's home mounted folder to /etc/pki/ca-trust/source/anchors/
  3. Updating the local CA store by executing
    sudo update-ca-trust

The Go struct for finch https://github.com/runfinch/finch/blob/main/pkg/config/config.go#L35-L57 does not have support for additional environment variables or certificate import.
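
The three steps above as one script, with a review step before anything is trusted. This is an added example, not part of the issue thread or of Finch's code; the script name, the `corp-proxy-ca` file prefix, and the availability of `openssl`, `curl`, `awk` and `mktemp` inside the VM are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue thread. Run inside the Finch Lima VM.
# Usage: sh trust-proxy-ca.sh /path/to/chain.pem   (script name is hypothetical)
ANCHORS=${ANCHORS:-/etc/pki/ca-trust/source/anchors}   # path given in the issue

# Reject anything that is not a pure PEM certificate chain. Trust anchors are
# public data, so a bundle that also carries a private key must never go in.
check_bundle() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$1"; then
        echo "$1 contains a private key; export certificates only" >&2
        return 1
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "no PEM certificate found in $1" >&2; return 1; }
}

# Write each certificate of the chain to <dir>/<prefix>-N.pem; print the count.
split_chain() {
    awk -v dir="$2" -v pre="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre "-" n ".pem"; copy = 1 }
        copy { print > out }
        /-----END CERTIFICATE-----/ { copy = 0; close(out) }
        END { print n + 0 }' "$1"
}

# Show what is about to be trusted (compare the fingerprints with the values
# published by whoever runs the inspection proxy), install it, rebuild the
# store, then retry the registry host that failed in the issue.
install_chain() {
    check_bundle "$1" || return 1
    tmp=$(mktemp -d) || return 1
    split_chain "$1" "$tmp" corp-proxy-ca >/dev/null
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
    done
    printf 'Trust these certificates system-wide? [y/N] '
    read -r answer
    [ "$answer" = y ] || { rm -rf "$tmp"; return 1; }
    sudo cp "$tmp"/*.pem "$ANCHORS"/ && sudo update-ca-trust
    rm -rf "$tmp"
    # Any HTTP status here means the TLS chain verified; an x509 error does not.
    curl -sS -o /dev/null -w 'registry-1.docker.io: HTTP %{http_code}\n' \
        https://registry-1.docker.io/v2/
}

if [ "$#" -gt 0 ]; then install_chain "$1"; fi
```

A later comment in this thread reports that `finch vm stop` and `finch vm start` were also needed before the change took effect.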

pendo324 commented 8 months ago

Seems like something we can fix by exposing Lima's ca-cert features. Tagged as enhancement

d-rmm commented 6 months ago

Ran into this as well. Also happens with podman, but the steps that @aavileli outlined to "resolve" work for both. Required finch vm stop and finch vm start also for it to take effect for me.

With Rancher Desktop's implementation however, I do not run into this.

nmofonseca commented 6 months ago

Just to let everyone know, the suggestion by @aavileli also works on Windows; the only difference is you should use the wsl CLI to shell into the Lima VM.

After that, just place the certificates required under: /etc/pki/ca-trust/source/anchors/

Then as mentioned just run:

update-ca-trust

I didn't even need to stop and start the VM.