Even when the host and Docker daemon are configured, container images do not automatically trust the enterprise proxy.
Ensure Docker BuildKit is enabled for image builds.
During the initial phase of the Docker build:
Temporarily make the proxy root CA available inside the build container
Update the container’s certificate trust store before running any commands that access external repositories
Perform all package installation steps only after the trust store has been updated.
Example (Dockerfile build-time trust bootstrap):
# syntax=docker/dockerfile:1
FROM ubuntu:22.04
# Set proxy arguments for the build environment
ARG HTTP_PROXY=[http://10.0.0.1:8080](http://10.0.0.1:8080)
ARG HTTPS_PROXY=[http://10.0.0.1:8080](http://10.0.0.1:8080)
ENV http_proxy=$HTTP_PROXY
ENV https_proxy=$HTTPS_PROXY
# 1. THE BOOTSTRAP PHASE
# We mount the proxy-ca.crt from the build context into the container's
# certificate drop-in directory just for the duration of this RUN command.
RUN --mount=type=bind,source=proxy-ca.crt,target=/usr/local/share/ca-certificates/proxy-ca.crt \
apt-get update && \
apt-get install -y --no-install-recommends ca-certificates && \
update-ca-certificates
# 2. THE REST OF THE BUILD
# Now that 'update-ca-certificates' has run inside the container,
# all subsequent commands will trust the proxy natively.
RUN apt-get install -y python3 pip git
# (Optional) Remove proxy variables for the final runtime if not needed
# ENV http_proxy=
# ENV https_proxy=