2019-04-11 13:28


I'm following this documentation to upload files to GCS: Setting Up Authentication for Server to Server Production Applications

It works in local but in production I get this error:

Post https://www.googleapis.com/upload/storage/v1/b/[bucket-name]/o?alt=json&prettyPrint=false&projection=full&uploadType=multipart: x509: failed to load system roots and no roots provided.

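import (
    "context"

    "cloud.google.com/go/storage"
    "golang.org/x/oauth2/google"
    cloudkms "google.golang.org/api/cloudkms/v1"
)

// UploadIMG writes file to the bucket as object fileName; bucketName is defined elsewhere.
func UploadIMG(ctx *context.Context, file []byte, fileName string) error {
    storageClient, err := storage.NewClient(*ctx)
    if err != nil {
        return err
    }
    w := storageClient.Bucket(bucketName).Object(fileName).NewWriter(*ctx)
    if _, err := w.Write(file); err != nil { return err }
    if err := w.Close(); err != nil { return err }

    oauthClient, err := google.DefaultClient(*ctx, cloudkms.CloudPlatformScope)
    if err != nil {
        return err
    }

    kmsService, err := cloudkms.New(oauthClient)
    if err != nil {
        return err
    }

    _ = kmsService

    return nil
}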

3 answers

  • dongshuohuan5291 2019-04-14 13:17

    As guys said in their answers, it's related to a missing Certificate Authority in my Dockerfile.

    In my case, in alpine there is already a package utility called ca-certificates which comes with its preinstalled certs. Just needed to add the following command to my docker.

    RUN apk --no-cache add ca-certificates
  • dongyu3659 2019-04-11 13:44

    Did you actually continue with the tutorial you linked, making sure you have the correct credentials?

    The error itself is likely certificate related. When it tries to do the request, it looks for root certificates on the underlying system but can't find them or open them. On Ubuntu, for example, they should be under /usr/share/ca-certificates and/or /etc/ssl/certs. Make sure you have your certificates with correct privileges in order to be able to do the request you want.

  • dongpai6552 2019-04-11 14:27

    For any Google APIs you will need a root CA of trust.

    Not sure of your production environment, but if you are using Docker add this line to your Dockerfile:

    COPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

    From, say, a Linux build, you can see the order Go will look to find the system root trust files:


    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7

    If you do not have any of these directories in your production (Linux) build, then Go will have no system root trust, and you will get the error you are seeing.

