Docker Image Builds Behind ZScaler Proxy


I recently ran into an issue while trying to build the DefectDojo Docker images due to being behind a corporate ZScaler Proxy. The issue is that the default Docker images don't trust the ZScaler CA and therefore will fail any HTTPS interactions during the build process.

There are MANY articles, posts, and documentation pages that explain this whole process, but for my purposes, I did not find a consolidated place with everything that I specifically needed to do. So here is what worked for me so that I can reference it later.

This is specifically for Mac, but other than retrieving the ZScaler certificate, the rest of the process should be the same.

Get ZScaler Cert

  1. Open Keychain > System
  2. Right click ZScaler Root CA > Export "ZScaler Root CA"...
  3. Select File Format PEM
  4. Save the file somewhere handy (common location, project repo directory, etc.)

Debian

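For Debian-based containers, just follow Docker's documentation – easy enough.

# The file name must end in .crt for update-ca-certificates to pick it up
COPY zscaler-root-ca.crt /usr/local/share/ca-certificates/zscaler-root-ca.crt
# Install the CA tooling, then rebuild the system trust bundle with the ZScaler CA included
RUN apt-get update && \
    apt-get install -y ca-certificates && \
    update-ca-certificates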

Alpine

Alpine was a little harder as I could not find any official documentation. Several StackOverflow questions later, this is what eventually worked for me.

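# Place the CA where update-ca-certificates looks for local additions
COPY zscaler-root-ca.crt /usr/local/share/ca-certificates/
# Append the CA to the existing bundle so HTTPS through the proxy is trusted for the apk step below
RUN cat /usr/local/share/ca-certificates/zscaler-root-ca.crt >> /etc/ssl/certs/ca-certificates.crt
# Install the ca-certificates package, which provides update-ca-certificates
RUN apk --no-cache add ca-certificates \
    && rm -rf /var/cache/apk/*
# Rebuild the trust bundle from the installed CAs plus the local addition
RUN update-ca-certificates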
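
A way to confirm that the exported CA really ended up in the image's trust bundle after either build, as an added example that is not part of the original post. It compares SHA-256 fingerprints of PEM blocks; the function names, the script name `check_ca.py` and the sample data are assumptions made for illustration.

```python
import base64
import hashlib
import re
import ssl
import sys

# One PEM certificate block. BEGIN/END markers must each sit on their own line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN CERTIFICATE-----$(.+?)^-----END CERTIFICATE-----$",
    re.DOTALL | re.MULTILINE,
)

def fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every well-formed certificate block."""
    found = set()
    for body in PEM_BLOCK.findall(pem_text.replace("\r\n", "\n")):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # marker text or other junk inside the block
            continue
        found.add(hashlib.sha256(der).hexdigest())
    return found

def ca_in_bundle(ca_pem, bundle_pem):
    """True if the single certificate in ca_pem is also in bundle_pem."""
    ca = fingerprints(ca_pem)
    if len(ca) != 1:  # e.g. the Keychain export was not saved as PEM
        raise ValueError(f"expected one PEM certificate, found {len(ca)}")
    return ca <= fingerprints(bundle_pem)

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
SAMPLE_CA = ssl.DER_cert_to_PEM_cert(b"constructed ZScaler root CA")
SAMPLE_OTHER = ssl.DER_cert_to_PEM_cert(b"constructed public root CA")
SAMPLE_TRUSTED = SAMPLE_OTHER + SAMPLE_CA              # CA appended cleanly
SAMPLE_FUSED = SAMPLE_OTHER.rstrip("\n") + SAMPLE_CA   # bundle had no final newline

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check_ca.py <ca.crt> <bundle.crt>
        with open(sys.argv[1]) as ca, open(sys.argv[2]) as bundle:
            ok = ca_in_bundle(ca.read(), bundle.read())
    else:  # no arguments: run on the constructed samples
        ok = ca_in_bundle(SAMPLE_CA, SAMPLE_TRUSTED)
    print("CA present in bundle" if ok else "CA missing from bundle")
    sys.exit(0 if ok else 1)
```

Inside a built image, pass the two paths used in the Dockerfiles above: `/usr/local/share/ca-certificates/zscaler-root-ca.crt` and `/etc/ssl/certs/ca-certificates.crt`.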