I am having pretty much the same issue as #2193. However the solution listed there is having no improvement. It seems like my ca cert bundle just isn't getting into the build environment for use by Paketo Buildpack.
I start with:
$ func create -l python -t http foo
$ cd foo
Then the build:
$ func build -v --builder pack --registry whatever.com/foo
<skip>
Preparing paths
Running build command
Paketo Buildpack for CA Certificates 3.12.2
https://github.com/paketo-buildpacks/ca-certificates
Build Configuration:
$BP_EMBED_CERTS false Embed certificates into the image
$BP_ENABLE_RUNTIME_CERT_BINDING true Deprecated: Enable/disable certificate helper layer to add certs at runtime
$BP_RUNTIME_CERT_BINDING_DISABLED false Disable certificate helper layer to add certs at runtime
Launch Helper: Contributing to layer
Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper
Processing layers
Updating environment
Reading output files
Updating buildpack processes
Updating process list
Finished running build for buildpack paketo-buildpacks/ca-certificates@3.12.2
Running build for buildpack paketo-buildpacks/cpython@1.18.25
Looking up buildpack
Finding plan
Creating plan directory
Preparing paths
Running build command
Paketo Buildpack for CPython 1.18.25
Resolving CPython version
Candidate version sources (in priority order):
pyproject.toml -> ">=3.10"
-> ""
<unknown> -> ""
Selected CPython version (using pyproject.toml): 3.14.4
Executing build process
Installing CPython 3.14.4
failed to fetch dependency: failed to make request: Get "https://artifacts.paketo.io/python/python_3.14.4_linux_amd64_jammy_010bec17.tgz": tls: failed to verify certificate: x509: certificate signed by unknown authority
Timer: Builder ran for 157.483792ms and ended at 2026-05-13T23:36:20Z
ERROR: failed to build: exit status 1
Error: failed to build the function: executing lifecycle: failed with status code: 51
I am confident that my issue is the lack of my employer's CA cert bundle, because I am able to reproduce the issue using a containerize curl of the same paketo URL:
$ podman run --rm curlimages/curl -L -v https://artifacts.paketo.io/python/python_3.14.4_linux_amd64_jammy_010bec17.tgz --output /dev/null
<skip>
curl: (60) SSL certificate OpenSSL verify result: self-signed certificate in certificate chain (19)
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
I also know that I have a good CA bundle, because I can map the bundle into the curl container as a volume file, and tell curl to us it with "--cafile /ca-certificates.crt", and curl is then indeed able to download the file.
Putting the ca-certificates.crt file in the top level of my func-created project directory, and adding the following to the func.yaml file did not help the problem. It does not seem to me that the file is being used.
build:
buildEnvs:
- name: SSL_CERT_DIR
value: /workspace
I am having pretty much the same issue as #2193. However the solution listed there is having no improvement. It seems like my ca cert bundle just isn't getting into the build environment for use by Paketo Buildpack.
I start with:
Then the build:
I am confident that my issue is the lack of my employer's CA cert bundle, because I am able to reproduce the issue using a containerize curl of the same paketo URL:
I also know that I have a good CA bundle, because I can map the bundle into the curl container as a volume file, and tell curl to us it with "--cafile /ca-certificates.crt", and curl is then indeed able to download the file.
Putting the ca-certificates.crt file in the top level of my func-created project directory, and adding the following to the func.yaml file did not help the problem. It does not seem to me that the file is being used.