tls: failed to verify certificate: x509: certificate signed by unknown authority
I want to run npm build and the /kaniko/executor command in one pipeline job, so I created a Docker image based on kaniko, but it failed.
Actual behavior

```
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "https://gitlab-runner-xxxxxxxx.aliyuncs.com/v2//service-platform/sp-web:e55e7476-dev": creating push check transport for gitlab-runner-acr-share-sh-al1-registry.cn-shanghai.cr.aliyuncs.com failed: Get "https://gitlab-runner-xxxxxxxx.aliyuncs.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

To Reproduce

Steps to reproduce the behavior:
create docker image, build kaniko with nodejs20, named node:20-slim-kaniko-debug
- Dockerfile

```dockerfile
FROM public.ecr.aws/docker/library/node:20.16-slim
COPY --from=gcr.io/kaniko-project/executor:v1.23.2-debug /kaniko/ /kaniko/
RUN node -v && /kaniko/executor version
CMD ["/bin/bash"]
```

use the image in .gitlab-ci.yml pipeline

```yaml
build-with-kaniko:
  stage: build
  when: manual
  image:
    name: $ACR_REPO_GITLAB_URL/cndevops/node:20-slim-kaniko-debug
    entrypoint: [""]
  script:
    - ls -la /kaniko
    - cat $DOCKER_CONFIG_FILE > /kaniko/.docker/config.json
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --destination "${ACR_REPO_URL}:${ACR_REPO_TAG}"
      --snapshot-mode=redo
      --use-new-run
```
I updated the Dockerfile and fixed the error:

```dockerfile
FROM public.ecr.aws/docker/library/node:20.16-slim
LABEL author="[email protected]"
### Fix error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for
### "xxxxxxx.cn-shanghai.cr.aliyuncs.com/cndevops/runner-aliyun-demo:b7b163db":
### creating push check transport for xxxxxxx.cn-shanghai.cr.aliyuncs.com failed: Get "https://xxxxxxx.cn-shanghai.cr.aliyuncs.com/v2/":
### tls: failed to verify certificate: x509: certificate signed by unknown authority
RUN apt-get update && apt-get install -y \
    curl \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=gcr.io/kaniko-project/executor:v1.23.2-debug /kaniko/executor /kaniko/executor
RUN mkdir /kaniko/.docker
RUN node -v && /kaniko/executor version
CMD ["/bin/bash"]
```

Very strange, it does not succeed every time; sometimes it reports UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:kone-service-platform/sp-web Type:repository] map[Action:push Class: Name:kone-service-platform/sp-web Type:repository]]
I am using a custom Dockerfile:

```dockerfile
FROM gcr.io/kaniko-project/executor:v1.23.2-debug
COPY custom-ca-certificates.crt /kaniko/ssl/certs/custom-ca-certificates.crt
```

In the GitLab CI pipeline I get this error: cat: can't open '/kaniko/ssl/certs/custom-ca-certificates.crt': No such file or directory
This is the pipeline stage:

```yaml
docker_build_and_push:
  stage: docker_build_and_push
  image:
    name: $REGION-docker.pkg.dev/$PROJECT_ID/docker-images/kaniko-executor:v1.23.2-debug
    entrypoint: [""]
  before_script:
    - mkdir -p /kaniko/.docker
    - cp ${GOOGLE_APPLICATION_CREDENTIALS} /kaniko/.docker/config.json
  script:
    - cat /kaniko/ssl/certs/custom-ca-certificates.crt >> /kaniko/ssl/certs/ca-certificates.crt
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/packages/backend/Dockerfile"
      --destination "${IMAGE_NAME}:${IMAGE_TAG}"
  dependencies:
    - yarn_build
    - gcp_docker_login
```

Because the certificate doesn't exist in the trust store, Kaniko isn't able to pull images from the internet.
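
A preflight check for the trust-store failures reported in this thread, as an added example that is not part of any participant's post or of the kaniko project: it reports which CA bundle file a Go binary such as /kaniko/executor would read, and refuses to append a custom CA file that is missing or empty. The function names are hypothetical, and the /etc/ssl/certs path in the usage comment assumes a Debian-based image with the ca-certificates package installed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). POSIX sh, so it also runs under
# the busybox shell of a -debug image.

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the first candidate bundle that holds at least one certificate.
# Go's crypto/x509 on Linux reads only $SSL_CERT_FILE when it is set, so the
# candidates are replaced by it in that case. Certificate directories
# (SSL_CERT_DIR) are not inspected here.
find_ca_bundle() {
    if [ -n "${SSL_CERT_FILE:-}" ]; then set -- "$SSL_CERT_FILE"; fi
    for f in "$@"; do
        if [ "$(count_pem_certs "$f")" -gt 0 ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no usable CA bundle found" >&2
    return 1
}

# Append a custom CA to a bundle. Returns 2 when the custom file is missing
# or has no certificate, 3 when the bundle cannot be written, so the job
# stops with a clear reason before any registry request is made.
append_custom_ca() {
    custom=$1
    bundle=$2
    if [ "$(count_pem_certs "$custom")" -eq 0 ]; then
        echo "custom CA missing or empty: $custom" >&2
        return 2
    fi
    if [ ! -w "$bundle" ]; then
        echo "bundle not writable: $bundle" >&2
        return 3
    fi
    cat "$custom" >> "$bundle"
}

# Usage in a job script, before calling /kaniko/executor:
#   find_ca_bundle /kaniko/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
#   append_custom_ca /kaniko/ssl/certs/custom-ca-certificates.crt /kaniko/ssl/certs/ca-certificates.crt
```
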