RequestError (x509: certificate signed by unknown authority) on attaching workspace when using a certain job image

I’ve got a reproducible build failure when a particular off-the-shelf Docker image is specified for a job in config.yml. The image, kcov/kcov:latest, is downloaded successfully in the setup phase, and I can also download it locally without problems. However, the attach_workspace step fails with an error:

Error downloading workspace layer for job a491b12f-1e3d-41f6-9568-4460eecf7f8d: RequestError: send request failed caused by: Get x509: certificate signed by unknown authority

Replacing the job image with ragnaroek/kcov:v33 makes the problem go away.

It looks like a manifestation of a known problem:

An odd thing here is that CircleCI has to rely on in-container environment to download the workspace. Why can’t it be done completely outside of any customer’s container images via Docker volumes, so that any off-the-shelf container image can be combined with a workspace, regardless of whether it has the necessary CA certificates provisioned?

1 Like