Getting root CA cert for Certificate generated by docker image

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot-auto certonly -d -n --preferred-challenges dns --manual-auth-hook /etc/scripts/ --agree-tos -m --manual --manual-public-ip-logging-ok --server

It produced this output:

I received the certificates as expected:

  • fullchain.pem
  • chain.pem
  • cert.pem
  • privkey.pem

My web server is (include version):

local apis in docker

The operating system my web server runs on is (include version):
docker: Alpine/Scratch

My hosting provider, if applicable, is: None. Local Docker environment

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

When i installed the same in an alpine/scratch image, and tried to make a call to the https service, the error i received was

TLS handshake error from remote error: tls: unknown certificate authority

Need to know how can i make the certificate authority trusted by the server as well as client

Certbot's behavior differed from what I expected because:

The certificates installed were not trusted by the server/client. Expected was that the certificate authority would be trusted or at least Root CA certificate would be available...

My major concern is that i want to establish local environment with https support in a local docker image setup...


What’s the CAfiles version on the troubled client?

That client might have outdated CA certs.

Thank you

Its solved now…

The problem was that I was using certbot with LetsEncrypt Boulder on Docker.

The docker image was built on certificates that are used for testing purposes…basically it was needed to import those certificates as CA certs…thus the reason that the CA authority was unknown

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.