
Pack fails to download image from private repo with self-signed certificate during Analyze phase #609

Closed
joshuawhite929 opened this issue Oct 20, 2021 · 3 comments
Labels
status/ready Issue ready to be worked on. type/enhancement Issue that requests a new feature or improvement.

Comments

@joshuawhite929

Summary

When using a private registry with a self-signed certificate, pack fails when executing a build with the "publish" flag during the Analyze phase. Because this problem occurs during the Analyze phase, this appears to be a pack specific issue.

Self-signed certificates are already trusted by the OS (MacOS).


Reproduction

Steps
  1. Execute a pack build using a private repository with a self-signed certificate with the publish flag:
pack build registry.mycompany.com/myusername/cncf-buildpack-test:yarn  --volume "${PWD}/bindings:/platform/bindings" --publish
Current behavior

Pack fails with the following message:

base: Pulling from paketobuildpacks/builder
Digest: sha256:2a2920c78710d2b8ce10906c6e0e6cc9f670fdeb85071a37c6ca0481cb79bf8c
Status: Image is up to date for paketobuildpacks/builder:base
===> DETECTING
6 of 10 buildpacks participating
paketo-buildpacks/ca-certificates 2.4.1
paketo-buildpacks/node-engine     0.8.0
paketo-buildpacks/yarn            0.4.1
paketo-buildpacks/yarn-install    0.4.0
paketo-buildpacks/node-module-bom 0.1.2
paketo-buildpacks/yarn-start      0.3.0
===> ANALYZING
ERROR: failed to get previous image: connect to repo store "registry.mycompany.com/myusername/cncf-buildpack-test:yarn": Get "https://registry.mycompany.com/v2/": x509: certificate signed by unknown authority
Expected behavior

Expected pack to reach out to private repository with a self-signed certificate successfully


Environment

MacOS

pack info

pack report
Pack:
Version: 0.21.1+git-e09e397.build-2823
OS/Arch: darwin/amd64

Default Lifecycle Version: 0.11.3

Supported Platform APIs: 0.3, 0.4, 0.5, 0.6

Config:
default-builder-image = "[REDACTED]"

docker info

docker info
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Build with BuildKit (Docker Inc., v0.6.1-docker)
compose: Docker Compose (Docker Inc., v2.0.0-rc.1)
scan: Docker Scan (Docker Inc., v0.8.0)

Server:
Containers: 25
Running: 0
Paused: 0
Stopped: 25
Images: 107
Server Version: 20.10.8
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: e25210fe30a0a703442421b0f60afac609f950a3
runc version: v1.0.1-0-g4144b63
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 5.10.47-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 5.805GiB
Name: docker-desktop
ID: SKKA:IL5Q:IKWP:IJME:UJQL:BNLT:JVZE:PL4F:FDBD:GLQP:GPP5:6OAG
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

@joshuawhite929 joshuawhite929 added status/triage Issue or PR that requires contributor attention. type/bug Issue that reports an unexpected behaviour. labels Oct 20, 2021
@joshuawhite929
Author

This seems like basic functionality. Is there a way to make this work today that’s not covered in the docs?

@jromero
Member

jromero commented Dec 9, 2021

If I'm not mistaken, this is a limitation on there being no contractual way for a platform, such as pack, to inject self-signed certificates.

I don't know if there have been new findings but prior workarounds I'm aware of are to extend the builders. By creating a new image FROM <builder> you can install the certificates necessary (typically needing to run update-ca-certificates).

The addition of extensions should also help to fix this in the near future.

@natalieparellano natalieparellano added status/discussion-needed Issue or PR that requires in-depth discussion. and removed status/triage Issue or PR that requires contributor attention. labels Mar 15, 2022
@jjbustamante
Member

Hi @joshuawhite929

There are multiple ways to do this, for example:

  1. Bake it into the builder
  2. Use SSL_CERT_DIR as described here
  3. Use extensions to install certificates

Definitely this is something that needs to be documented. I am going to move this issue to the docs repo so we can fix it there.
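The two workarounds above (jromero's "FROM <builder> ... update-ca-certificates" and jjbustamante's "bake it into the builder") address the same root cause: the lifecycle's analyze phase runs inside a container created from the builder image, so a CA that is trusted only by the macOS host keychain is never visible to it. The script below is an added example, not code from the pack project or from anyone in this thread, of that builder-extension approach as a POSIX shell script. It assumes the base builder is paketobuildpacks/builder:base (taken from the log above), that the builder runs as the non-root user cnb and is Debian/Ubuntu-based so update-ca-certificates picks up .crt files from /usr/local/share/ca-certificates, that the registry CA is a PEM file at ./registry-ca.crt, and that the output image name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the pack project or the issue thread): build an
# extended builder image that trusts a private registry's CA, so that the
# analyze phase can reach the registry over TLS. Assumed values: builder
# paketobuildpacks/builder:base, builder user "cnb", CA file ./registry-ca.crt,
# output image name is a placeholder.

# Sanity-check the file before it is baked into an image: it must be a PEM
# certificate, and it must not be a bundle that accidentally carries a private
# key (only the public CA certificate belongs in the image).
is_pem_cert() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
  ! grep -q -- 'PRIVATE KEY' "$f"
}

# Before trusting the CA anywhere, confirm the registry's chain actually
# validates against it (and only it): a mismatch here means the CA file is
# wrong, not that verification should be switched off.
verify_registry_chain() {
  host="$1"; ca="$2"
  openssl s_client -connect "${host}:443" -servername "$host" \
    -CAfile "$ca" -verify_return_error </dev/null >/dev/null 2>&1
}

# Render a Dockerfile that extends the builder. Switch to root only for the
# certificate installation, then back to the builder's user (assumed: cnb).
render_dockerfile() {
  builder="$1"; cert="$2"
  name="$(basename "$cert")"
  cat <<EOF
FROM ${builder}
USER root
COPY ${name} /usr/local/share/ca-certificates/${name}
RUN update-ca-certificates
USER cnb
EOF
}

# Build the trusted builder image: <builder> <ca.crt> <output image>.
build_trusted_builder() {
  builder="$1"; cert="$2"; image="$3"
  if ! is_pem_cert "$cert"; then
    echo "refusing: $cert is not a PEM certificate or contains a private key" >&2
    return 1
  fi
  ctx="$(mktemp -d)"
  cp "$cert" "$ctx/$(basename "$cert")"
  render_dockerfile "$builder" "$cert" > "$ctx/Dockerfile"
  docker build -t "$image" "$ctx"
  rc=$?
  rm -rf "$ctx"
  return $rc
}

# Example invocation (placeholder image name; docker must be available):
#   verify_registry_chain registry.mycompany.com registry-ca.crt &&
#   build_trusted_builder paketobuildpacks/builder:base registry-ca.crt \
#     registry.mycompany.com/myusername/trusted-builder:base
```

Once the image exists, the build from the report is unchanged apart from pointing at the extended builder with `--builder registry.mycompany.com/myusername/trusted-builder:base`. Note that the `docker info` output above lists only `127.0.0.0/8` under `Insecure Registries`; adding the private registry there would silence the x509 error by disabling TLS verification for that host entirely, which is a worse trade than distributing the CA certificate and keeps the analyze phase just as exposed to a spoofed registry.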

@natalieparellano natalieparellano transferred this issue from buildpacks/pack Aug 17, 2023
@natalieparellano natalieparellano added status/ready Issue ready to be worked on. type/enhancement Issue that requests a new feature or improvement. and removed status/discussion-needed Issue or PR that requires in-depth discussion. type/bug Issue that reports an unexpected behaviour. labels Aug 17, 2023