finch
Cannot download images when going through company SSL inspection proxy
**ISSUE** Cannot download images when going through company SSL inspection proxy

Install Netskope or Zscaler clients on the user's machine and execute the following command:

```
finch run --rm amazoncorretto:11 -- java -version
```

**ERROR**

```
docker.io/library/amazoncorretto:11: resolving |--------------------------------------|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
INFO[0000] trying next host error="failed to do request: Head \"https://registry-1.docker.io/v2/library/amazoncorretto/manifests/11\": tls: failed to verify certificate: x509: certificate signed by unknown authority" host=registry-1.docker.io
FATA[0000] failed to resolve reference "docker.io/library/amazoncorretto:11": failed to do request: Head "https://registry-1.docker.io/v2/library/amazoncorretto/manifests/11": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

The host shell export variables also don't work:

`SSL_CERT_FILE`

The procedure I followed to resolve this issue is as follows.

- Executed into the Lima VM:

```
LIMA_HOME=/Applications/Finch/lima/data /Applications/Finch/lima/bin/limactl shell finch
```

- Copying the certificate chain from the user's home mounted folder to `/etc/pki/ca-trust/source/anchors/`
- Updating the local CA store by executing:

```
sudo update-ca-trust
```

The Go struct for finch https://github.com/runfinch/finch/blob/main/pkg/config/config.go#L35-L57 does not have support for additional environment variables or certificate import.

Seems like something we can fix by exposing Lima's ca-cert features. Tagged as enhancement
Ran into this as well. Also happens with podman, but the steps that @aavileli outlined to "resolve" work for both. Required `finch vm stop` and `finch vm start` also for it to take effect for me.
With Rancher Desktop's implementation however, I do not run into this.
Just to let everyone know, the suggestion by @aavileli also works on Windows; the only difference is you should use the WSL CLI to shell into the Lima VM.
After that, just place the certificates required under `/etc/pki/ca-trust/source/anchors/`.
Then, as mentioned, just run:

```
update-ca-trust
```

I didn't even need to stop and start the VM.