We use a docker container to build our code.
Usually when I am connected to my company’s VPN, running any command that tries to download dependencies from web (say github) fails with error "certificate signed by unknown authority" as below:
go: github.com/BurntSushi/toml@v0.4.1: Get "https://proxy.golang.org/github.com/%21burnt%21sushi/toml/@v/v0.4.1.mod": x509: certificate signed by unknown authority
If I disconnect from company VPN, same command goes through and build succeeds. What exactly is going on here?
Thanks,
3 Answers
Your company is probably eavesdropping on you by doing a MITM.
You’ll have to install their certificate on your machine or you can also try using the GOINSECURE environment variable. Either way it’s probably a good idea to talk to your network administrator.
Unless it interferes with your company logic, it’s also possible to connect to your company’s VPN without changing your default gateway.
That way only the traffic to your VPN network will be routed via the VPN and all other traffic won’t.
It is common for IT departments at companies to implement an SSL firewall filter, to block employees from browsing to malicious sites, and therefore to reduce the potential for malware within the network. See the Corporate Proxy Root Certificates section of my blog post and compare to your own environment. Alternatively it could be the VPN software that does this.
WHITELISTS
Benign sites can usually be whitelisted in this type of software, to enable computers to make a direct connection to trusted external sites. That is the preferred option if you can get people’s agreement, though it may depend on threats such as malicious GitHub repos.
CONFIGURING DEVELOPMENT TRUST
My blog post shows how to configure trust for various operating systems and tech stacks. E.g. for a Docker container you can do what my Dockerfile does, to trust a root certification authority using the standard Linux commands.
My main reason for configuring SSL trust during development is to use an HTTP Proxy tool with local SSL connections, so that I can view HTTP messages and properly verify behavior, as part of designing secure production deployments. I also work a lot with OAuth tech, which often requires SSL. Proxy tools also replace the root CA of remote sites in an equivalent way, so a working setup needs to trust the proxy tool’s root CA.
You should not do this type of thing for Docker images that will be used in production of course, though it can be useful and educational during local testing.
PRIVATE PKI LEARNING
Out of interest I sometimes also use a self-signed root CA as a cert-manager cluster issuer, when putting Kubernetes systems together. That is the root CA I use in the above Dockerfile, and enables me to then autocreate a trusted SSL cert whenever a pod is deployed.
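Added example, not from the question or from any of the answers above: a self-contained Go program that stands up a throw-away private root CA (a stand-in for a corporate TLS-inspection CA) and a local HTTPS server presenting a certificate issued by it, then fetches from that server with and without the CA in the client's trust pool. The names `Example Corp TLS Inspection CA`, `NewInterceptingCA`, `StartFakeProxy` and `Probe` are mine, and the `.mod` response body is constructed. It reproduces the `x509: certificate signed by unknown authority` failure from the question, shows that trusting the intercepting CA (which is what copying the certificate into the container's trust store achieves) makes the same request succeed, and reports the issuer of the certificate the server actually presented, which is the check that tells you whether TLS is being terminated and re-signed on the VPN path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert signs tmpl with signer under parent; passing tmpl as its own parent self-signs.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewInterceptingCA builds a throw-away root CA (hypothetical stand-in for a corporate
// inspection CA) and a leaf for 127.0.0.1 issued by it, as an intercepting proxy would present.
func NewInterceptingCA(caCN string) (*x509.Certificate, tls.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "proxy.golang.org"},
		DNSNames:    []string{"proxy.golang.org"},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // so the local test server validates
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafCert, err := issueCert(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf := tls.Certificate{Certificate: [][]byte{leafCert.Raw, caCert.Raw}, PrivateKey: leafKey, Leaf: leafCert}
	return caCert, leaf, nil
}

// StartFakeProxy serves a constructed .mod body over HTTPS with the intercepting CA's leaf.
// The caller must Close the returned server.
func StartFakeProxy(caCN string) (*httptest.Server, *x509.Certificate, error) {
	caCert, leaf, err := NewInterceptingCA(caCN)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "module github.com/BurntSushi/toml") // constructed response
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	return srv, caCert, nil
}

// Probe fetches url trusting only roots and returns the CN of the CA that issued the
// certificate the server presented. A corporate name here means TLS is re-signed on the path.
func Probe(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.TLS.PeerCertificates[0].Issuer.CommonName, nil
}

func main() {
	srv, corpCA, err := StartFakeProxy("Example Corp TLS Inspection CA")
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	otherCA, _, _ := NewInterceptingCA("Unrelated Public Root") // a stock trust store: public roots only
	stock := x509.NewCertPool()
	stock.AddCert(otherCA)
	_, err = Probe(srv.URL, stock)
	fmt.Println("without corporate CA:", err) // error mentions: x509: certificate signed by unknown authority
	trusted := x509.NewCertPool()
	trusted.AddCert(corpCA) // what installing the CA in the container trust store achieves
	issuer, err := Probe(srv.URL, trusted)
	fmt.Println("with corporate CA: issuer =", issuer, "err =", err)
}
```

Against a real VPN the same check is `openssl s_client -connect proxy.golang.org:443 -servername proxy.golang.org` run from inside the build container: if the issuer printed is your company's CA rather than a public one, that CA certificate is the one to add to the image's trust store (on Debian-based images, copy it under `/usr/local/share/ca-certificates/` and run `update-ca-certificates` in the Dockerfile). Note that the fetch still fails when the pool contains a different, unrelated root, which is why a public-root-only image rejects a corporate-signed chain even though every signature in that chain is valid.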