Verify failedx509: certificate signed by unknown authority #17

Open
bharatkrishna opened this Issue Feb 25, 2016 · 9 comments

I generated a self-signed cert using openssl as given in this doc.

I use this to start the server:

./server -cert=server.crt -key=server.key

When I run the client I get an error:

[0224/165329:VERBOSE1:quic_crypto_client_stream.cc(413)] Reasons for rejection: 2048
2016/02/24 16:53:29 Verify failedx509: certificate signed by unknown authority

How do I make the client request work?

gripedthumbtacks Mar 4, 2016

You need to either install the CA authority certificate in your local client bundle, or implement a new option for goquic that ignores broken certificates. But honestly, there is no reason to generate broken CA certificates now that Let's Encrypt provides free HTTPS certs to the planet.

https://letsencrypt.org/

gripedthumbtacks Mar 7, 2016

@bharatkrishna if that works for you go ahead and close this issue for the devs, thanks!

vyrus001 May 9, 2016

What about local testing? So I have to spin this up on a public domain and use letsencrypt to even run the server and client out of the gate?

serialx May 9, 2016

Member

@vyrus001 You can always add a self-signed CA to the system for doing the testing. Or you can add InsecureSkipVerify option to the tls.Config.
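
Added example, not part of serialx's comment or of the goquic code base: the first option above, scoped to a single Go client by placing the test CA in tls.Config.RootCAs instead of the OS store, so InsecureSkipVerify stays off. The helper names selfSigned and clientConfig and the host quic.test are hypothetical, and it assumes a client whose tls.Config you build yourself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a throwaway self-signed CA cert for host (constructed test data).
func selfSigned(host string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, BasicConstraintsValid: true, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientConfig (hypothetical helper) trusts only ca; InsecureSkipVerify stays false,
// so the chain and the host name are still checked.
func clientConfig(host string, ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: host}
}

func main() {
	cert, err := selfSigned("quic.test") // made-up host name
	if err != nil {
		panic(err)
	}
	for _, roots := range []*x509.CertPool{x509.NewCertPool(), clientConfig("quic.test", cert).RootCAs} {
		_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "quic.test"})
		fmt.Println("verify:", err) // empty pool first, then the pool holding the CA
	}
}
```

Verification against the empty pool reproduces the "certificate signed by unknown authority" error from the issue, and with the CA in RootCAs it returns nil. Verification for any other host name still fails.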

hodduc May 9, 2016

Member

For local testing, you can generate a self-signed certificate/key pair and add it to your OS's certificate store. Detailed instructions are here.

You can use Chrome's --host-resolver-rules option, or the /etc/hosts trick, to use a fake domain.

vyrus001 May 9, 2016

Ahh, I missed the part where the client checks the OS's cert store, thanks!

opaul May 15, 2016

I created certificate and key files for the quic_client & quic_server project from Chromium (by using generate_certs.sh; the CA root certificate was added into the OS's root certificate store). This pair was used successfully. But I can't use them with the goquic project because I still get Verify failedx509: certificate signed by unknown authority. Where is my mistake? Thanks

daiminglong Oct 21, 2016

Hi, how can I add an InsecureSkipVerify option to the tls.Config? Would you please give me more details? Thanks!

y123456yz May 9, 2017

I have the same problem
