cannot download images when going through company ssl inspection proxy #730

Open
aavileli opened this issue Dec 11, 2023 · 3 comments
Labels: bug, enhancement, good first issue

aavileli commented Dec 11, 2023

**ISSUE**
Cannot download images when going through company SSL inspection proxy

Install Netskope or Zscaler clients on the user's machine and execute the following command:

```
finch run --rm amazoncorretto:11 -- java -version
```

**ERROR**

```
docker.io/library/amazoncorretto:11: resolving      |--------------------------------------|
elapsed: 0.1 s                       total:   0.0 B (0.0 B/s)
INFO[0000] trying next host                              error="failed to do request: Head \"https://registry-1.docker.io/v2/library/amazoncorretto/manifests/11\": tls: failed to verify certificate: x509: certificate signed by unknown authority" host=registry-1.docker.io
FATA[0000] failed to resolve reference "docker.io/library/amazoncorretto:11": failed to do request: Head "https://registry-1.docker.io/v2/library/amazoncorretto/manifests/11": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

The host shell export variables also don't work:
SSL_CERT_FILE

The procedure I followed to resolve this issue is as follows.

  1. Executed into the Lima VM:

     ```
     LIMA_HOME=/Applications/Finch/lima/data /Applications/Finch/lima/bin/limactl shell finch
     ```
  2. Copying the certificate chain from the user's home mounted folder to /etc/pki/ca-trust/source/anchors/
  3. Updating the local CA store by executing:

     ```
     sudo update-ca-trust
     ```

The Go struct for finch (https://github.com/runfinch/finch/blob/main/pkg/config/config.go#L35-L57) does not have support for additional environment variables or certificate import.
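
An added example, not part of the original issue or the Finch project: before a proxy CA is copied into /etc/pki/ca-trust/source/anchors/ as in the steps above, this script checks that the file is a CA certificate, is unexpired, and matches a SHA-256 fingerprint obtained out of band. The function names and the throwaway certificates are assumptions made for illustration; it needs the `openssl` CLI.

```bash
#!/usr/bin/env bash
# Added example: vet a proxy CA certificate before trusting it in the VM.
# All function names here are illustrative, not part of Finch or Lima.

# Succeeds only if the PEM file is an X.509 cert with basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# Prints the SHA-256 fingerprint (colon-separated hex) for out-of-band comparison.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# install_anchor CERT EXPECTED_FINGERPRINT [DIR]
# Returns 2 if CERT is not a CA, 3 on fingerprint mismatch, 4 if expired.
install_anchor() {
    local cert="$1" expected="$2" dir="${3:-/etc/pki/ca-trust/source/anchors}"
    is_ca_cert "$cert" || { echo "refusing $cert: not a CA certificate" >&2; return 2; }
    [ "$(cert_fingerprint "$cert")" = "$expected" ] ||
        { echo "refusing $cert: fingerprint mismatch" >&2; return 3; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "refusing $cert: expired" >&2; return 4; }
    cp "$cert" "$dir/" && chmod 0644 "$dir/$(basename "$cert")"
    # In the Finch VM, follow with `sudo update-ca-trust` as described in the thread.
}

# Builds a throwaway self-signed certificate (constructed test input).
# $1 = output PEM path, $2 = TRUE or FALSE for basicConstraints CA.
make_sample_cert() {
    local cfg; cfg="$(mktemp)"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ext]\nbasicConstraints=critical,CA:%s\n' "$2" >"$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cfg.key" -out "$1" -days 1 \
        -subj "/CN=Constructed Inspection CA" -config "$cfg" -extensions ext 2>/dev/null
    rm -f "$cfg" "$cfg.key"
}

# Demo in a scratch directory; nothing under /etc is touched.
demo() {
    local t; t="$(mktemp -d)"; mkdir "$t/anchors"
    make_sample_cert "$t/corp-ca.pem" TRUE
    make_sample_cert "$t/leaf.pem" FALSE
    install_anchor "$t/corp-ca.pem" "$(cert_fingerprint "$t/corp-ca.pem")" "$t/anchors"
    install_anchor "$t/leaf.pem" "$(cert_fingerprint "$t/leaf.pem")" "$t/anchors"
    ls "$t/anchors"   # only corp-ca.pem is installed
    rm -rf "$t"
}
demo
```

With the third argument omitted, `install_anchor` targets the anchors directory named in the thread, so it has to run with the same privileges as the manual copy.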

@aavileli aavileli added the bug Something isn't working label Dec 11, 2023
@pendo324 pendo324 added the enhancement New feature or request label Dec 16, 2023
pendo324 (Member) commented

Seems like something we can fix by exposing Lima's ca-cert features. Tagged as enhancement

@pendo324 pendo324 added the good first issue Good for newcomers label Dec 16, 2023
d-rmm commented Feb 9, 2024

Ran into this as well. Also happens with podman, but the steps that @aavileli outlined to "resolve" work for both. Required `finch vm stop` and `finch vm start` also for it to take effect for me.

With Rancher Desktop's implementation however, I do not run into this.

nmofonseca commented Feb 13, 2024

Just to let everyone know, the suggestion by @aavileli also works on Windows; the only difference is you should use the WSL CLI to shell into the Lima VM.

After that, just place the certificates required under: /etc/pki/ca-trust/source/anchors/

Then as mentioned just run:

update-ca-trust

I didn't even need to stop and start the VM.
