2
votes

I'm following this documentation to upload files to GCS: Setting Up Authentication for Server to Server Production Applications.

It works locally, but in production I get this error:

Post https://www.googleapis.com/upload/storage/v1/b/[bucket-name]/o?alt=json&prettyPrint=false&projection=full&uploadType=multipart: x509: failed to load system roots and no roots provided.

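import (
    "context"
    "log"

    "cloud.google.com/go/storage"
    "golang.org/x/oauth2/google"
    cloudkms "google.golang.org/api/cloudkms/v1"
)

// UploadIMG writes file to the object fileName in the bucket bucketName
// (bucketName is defined elsewhere in the package).
func UploadIMG(ctx *context.Context, file []byte, fileName string) error {
    storageClient, err := storage.NewClient(*ctx)
    if err != nil {
        log.Fatal(err)
    }
    // Upload the bytes; Close flushes the write and reports upload errors.
    w := storageClient.Bucket(bucketName).Object(fileName).NewWriter(*ctx)
    if _, err := w.Write(file); err != nil {
        return err
    }
    if err := w.Close(); err != nil {
        return err
    }

    // Build an OAuth2 HTTP client from Application Default Credentials.
    oauthClient, err := google.DefaultClient(*ctx, cloudkms.CloudPlatformScope)
    if err != nil {
        log.Fatal(err)
    }

    kmsService, err := cloudkms.New(oauthClient)
    if err != nil {
        log.Fatal(err)
    }

    _ = kmsService

    return nil
}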

3 Answers

3
votes

Did you actually continue with the tutorial you linked, making sure you have the correct credentials?

The error itself is likely certificate related. When it tries to do the request, it looks for root certificates on the underlying system but can't find them or open them. On Ubuntu, for example, they should be under /usr/share/ca-certificates and/or /etc/ssl/certs. Make sure you have your certificates with correct privileges in order to be able to do the request you want.

1
votes

As the guys said in their answers, it's related to a missing Certificate Authority in my Dockerfile.

In my case, in Alpine there is already a package utility called ca-certificates which comes with its preinstalled certs. I just needed to add the following command to my Dockerfile.

RUN apk --no-cache add ca-certificates

0
votes

For any Google APIs you will need a root CA of trust.

Not sure of your production environment, but if you are using Docker add this line to your Dockerfile:

COPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

From, say, a Linux build, you can see the order in which Go will look to find the system root trust files:

https://golang.org/src/crypto/x509/root_linux.go

"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
"/etc/pki/tls/cacert.pem",                           // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7

If you do not have any of these directories in your production (Linux) build, then Go will have no system root trust, and you will get the error you are seeing.
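
A start-up check for the failure discussed in these answers, added here as an example and not taken from any of the posts: it walks the bundle paths quoted above and reports, per path, whether the file is missing, unreadable, or holds no parseable certificate. FindRootBundle is a hypothetical helper name; the check covers only the bundle files listed above (Go also scans certificate directories), and the SSL_CERT_FILE handling mirrors the override Go's own loader honours.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"os"
	"strings"
)

// Bundle paths quoted in the answer above (crypto/x509/root_linux.go).
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",
	"/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/ca-bundle.pem",
	"/etc/pki/tls/cacert.pem",
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
}

// FindRootBundle (hypothetical helper) returns the first candidate that can
// be read and holds at least one parseable PEM certificate, plus its pool.
func FindRootBundle(candidates []string) (string, *x509.CertPool, error) {
	var problems []string
	for _, path := range candidates {
		data, err := os.ReadFile(path)
		if err != nil {
			problems = append(problems, err.Error()) // missing file or wrong permissions
			continue
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(data) {
			problems = append(problems, path+": no parseable PEM certificate")
			continue
		}
		return path, pool, nil
	}
	return "", nil, fmt.Errorf("no usable root bundle:\n  %s", strings.Join(problems, "\n  "))
}

func main() {
	candidates := certFiles
	if f := os.Getenv("SSL_CERT_FILE"); f != "" { // overrides the built-in list
		candidates = []string{f}
	}
	path, _, err := FindRootBundle(candidates)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("system root bundle:", path)
}
```

Run inside the production image, a non-zero exit means the image has none of the listed bundles, which is the condition behind the x509 error in the question.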