Corporate Proxy: x509: certificate signed by unknown authority

[matthiasguentert]

Hi, I am new to paketo and currently I am trying to follow the official howto guide for .Net Core

Unfortunately, when running pack build paketo-demo-app --builder paketobuildpacks/builder:basepack build paketo-demo-app --builder paketobuildpacks/builder:base I get the following error:

[...]
===> DETECTING
3 of 6 buildpacks participating
paketo-buildpacks/ca-certificates 2.3.2
paketo-buildpacks/go-dist         0.6.0
paketo-buildpacks/go-build        0.4.1
===> ANALYZING
Previous image with name "paketo-demo-app" not found
===> RESTORING
===> BUILDING

Paketo CA Certificates Buildpack 2.3.2
  https://github.com/paketo-buildpacks/ca-certificates
  Launch Helper: Contributing to layer
    Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper
Paketo Go Distribution Buildpack 0.6.0
  Resolving Go version
    Candidate version sources (in priority order):
      <unknown> -> ""

    Selected Go version (using <unknown>): 1.16.7

  Executing build process
    Installing Go 1.16.7
failed to fetch dependency: failed to make request: Get "https://buildpacks.cloudfoundry.org/dependencies/go/go_1.16.7_linux_x64_cflinuxfs3_8a3a18cd.tgz": x509: certificate signed by unknown authority
ERROR: failed to build: exit status 1
ERROR: failed to build: executing lifecycle: failed with status code: 51

I am behind a corporate proxy and I guess its HTTPs interception breaks the chain of trust.

Please note, that pack (resp. docker) was able to download the base image. Also my http_proxy and https_proxy environment variables are set correctly.

1. Is there a way I can manually download the buildpacks? If so, where should they be stored? (Windows 10)
2. How can I add my corporate certificates so that the validation doesn't fail?

Thanks in advance!

[dmikusa]

Is there a way I can manually download the buildpacks? If so, where should they be stored? (Windows 10)

It is not the buildpack that's failing to download, it is the dependency that the buildpack is trying to install. If you would rather it pull them from somewhere else, you can use https://paketo.io/docs/reference/configuration/#dependency-mappings and point individual dependencies to a server that is on your LAN or accessible without going through the proxy.

Some Paketo buildpacks also support a file:// URL, so you can mount a volume with your dependencies and add a dependency mapping that points to the mounted volume. I do not know if the one you're using supports that though.

How can I add my corporate certificates so that the validation doesn't fail?

You need to pass the CA certificate that your company is using to rewrite & sign certificates into the buildpacks.

See https://paketo.io/docs/reference/configuration/#ca-certificates.