Zscaler - buildx_buildkit_default - tls: failed to verify certificate

[stephannn]

Hi there,
I am trying to get podman on my company laptop working where we use Zscaler. The podman machines works fine after I copied the cert and updates the CA store (https://github.com/containers/podman/blob/main/docs/tutorials/podman-install-certificate-authority.md).

Now I would like to add cron to my postgres:

FROM postgres:latest

USER root

#COPY ./zscaler.pem /usr/local/share/ca-certificates/zscaler.pem

RUN apt-get update && apt-get install -y postgresql-17-cron && rm -rf /var/lib/apt/lists/*

USER postgres

RUN echo "shared_preload_libraries = 'pg_cron'" >> /var/lib/postgresql/data/postgresql.conf
RUN echo "cron.database_name = 'clientstatus'" >> /var/lib/postgresql/data/postgresql.conf

and this is where I get the error:
failed to solve: failed to compute cache key: failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com/registry-v2/docker/registry/v2/blobs/sha256/76/761152bb4395104b108877fa2d500c11c8e2e20d2746563f9e17f95edec63553/data?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=f1baa2dd9b876aeb89efebbfc9e5d5f4%2F20250721%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20250721T101147Z&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=07d4f45a647820cc30ae86f744876988349eb0db4d28b2233d94a1c56f4e96e8": tls: failed to verify certificate: x509: certificate signed by unknown authority

as far as I can see it, the container for building the container, buildx_buildkit_default, is missing the cert, but I don't know how to add it. I tried copying it to /etc/ssl/certs but this did not change anything.

I also just found one discussion about it: #24786

Any help would be appreciated

Thanks
Stephan

Edit: It seems after I copied the pem and rebooted it worked. Don't know how to do it without the reboot. update-ca-trust does not exist

Edit2:

So what I had to do:

1. wsl --update
2. copy the pem cert to /etc/ssl/certs and reboot the buildx
3. create a .wslconfig in my User Profile of hanging build process with

[wsl2]
networkingMode=mirrored
dnsTunneling=true
autoProxy=true

[experimental]
hostAddressLoopback=true

[lstolcman]

What I use is something like this:

FROM postgres:latest

COPY ZScalerRootCert.crt /usr/local/share/ca-certificates/ZScalerRootCert.crt
RUN update-ca-certificates

The same goes with wsl2, you copy your zscaler root certificate to /usr/local/share/ca-certificates/ and update certificate store by update-ca-certificates

You need to have a cerificate in PEM format. Alternatively, you can use openssl to convert it to PEM: openssl x509 -in YourCert.crt -outform PEM -out YourCertPEM.crt

Note, above commands are for debian/ubuntu like. If you don't run ubuntu/debian, here is a nice extract between different operating sytems, ca-cert paths and update-ca commands.