[BUG] tls: failed to verify certificate: x509: certificate signed by unknown authority #527

Closed
ricardogama opened this issue Sep 25, 2023 · 8 comments


@ricardogama

While building a Docker image based on ubuntu:jammy, the request to register the metered key fails with a TLS error:

url.Error=Post \"https://cloud.unidoc.io/api/metered/status\": tls: failed to verify certificate: x509: certificate signed by unknown authority)"

The Dockerfile is pretty simple, installing CA certificates via apt install ca-certificates:

FROM ubuntu:jammy AS base

RUN apt update \
    && apt install -y --no-install-recommends \
    ca-certificates

Since the code is obfuscated, it's very hard to debug the issue; any help is pretty welcome :)

@github-actions

Welcome! Thanks for posting your first issue. The way things work here is that while customer issues are prioritized, other issues go into our backlog where they are assessed and fitted into the roadmap when suitable. If you need to get this done, consider buying a license which also enables you to use it in your commercial products. More information can be found on https://unidoc.io/

@sampila
Collaborator

sampila commented Sep 25, 2023

Hi @ricardogama,

Do you build unipdf inside Docker? Could you help us replicate this issue or share the Dockerfile?

Best regards

@ricardogama
Author

@sampila Sure, this will illustrate the problem:

main.go

package main

import (
	"fmt"
	"os"

	"github.com/unidoc/unipdf/v3/common/license"
)

func main() {
	if err := license.SetMeteredKey(os.Getenv("UNIDOC_KEY")); err != nil {
		panic(err)
	}

	fmt.Println("ok")
}

Dockerfile

FROM golang:1.21.1

WORKDIR /src

RUN apt update \
    && apt install -y --no-install-recommends \
    ca-certificates

ADD . /src

RUN go build main.go

ENV UNIDOC_KEY foobar

CMD ["/src/main"]

Build the image:

▶ docker build --progress=plain -t builder .

Run the image:

▶ docker run builder
panic: Post "https://cloud.unidoc.io/api/metered/status": tls: failed to verify certificate: x509: certificate signed by unknown authority

goroutine 1 [running]:
main.main()
	/src/main.go:12 +0x84

@sampila
Collaborator

sampila commented Sep 25, 2023

Thanks, we will check this issue

@sampila
Collaborator

sampila commented Sep 26, 2023

Hi @ricardogama,

We tried to build several times, but couldn't reproduce the issue. Here's what we got:

docker run builder                        
{OK:true Credits:110 Used:11}
ok

The Dockerfile

FROM golang:1.21.1

WORKDIR /src

RUN apt update \
    && apt install -y --no-install-recommends \
    ca-certificates

ADD . /src

RUN go build main.go

ENV UNIDOC_KEY "you_api_key"

CMD ["/src/main"]

Our main.go

package main

import (
	"fmt"
	"os"

	"github.com/unidoc/unipdf/v3/common/license"
)

func main() {
	if err := license.SetMeteredKey(os.Getenv("UNIDOC_KEY")); err != nil {
		panic(err)
	}

	state, err := license.GetMeteredState()
	if err != nil {
		panic(err)
	}

	fmt.Printf("%+v\n", state)
	fmt.Println("ok")
}

@sampila
Collaborator

sampila commented Sep 26, 2023

Looks like the issue is caused by ca-certificates not being added to the Docker image.

@ricardogama
Author

Strange you couldn't reproduce with the exact same Dockerfile, but I found a fix in the meantime.

The workaround is to manually add the certificate to the image, something like this:

FROM golang:1.21.1

WORKDIR /src

RUN apt update \
    && apt install -y --no-install-recommends \
    ca-certificates openssl

RUN openssl s_client -showcerts -connect cloud.unidoc.io:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > unidoc.pem \
    && cp unidoc.pem /usr/local/share/ca-certificates/unidoc.crt \
    && update-ca-certificates --fresh

ADD . /src

RUN go build main.go

ENV UNIDOC_KEY foobar

CMD ["/src/main"]

Maybe it will help someone in the future, thanks for your time!

@sampila
Collaborator

sampila commented Sep 27, 2023

Hi @ricardogama, yes, pretty strange.

Thank you for the solution that you are providing.
