Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate why TestConfigServerExclusiveRootPools is broken on Windows / MacOS builds #105

Open
akerouanton opened this issue Oct 30, 2023 · 0 comments
Open

Investigate why TestConfigServerExclusiveRootPools is broken on Windows / MacOS builds #105

akerouanton opened this issue Oct 30, 2023 · 0 comments

Comments

@akerouanton
Copy link
Member

akerouanton commented Oct 30, 2023
edited

  • Related to Fix CI & tests #104
  • TestConfigServerExclusiveRootPools: see

    go-connections/tlsconfig/config_test.go

    Lines 202 to 205 in 5cc4da5

    if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
    // FIXME: see https://github.com/docker/go-connections/issues/105.
    t.Skip("FIXME: failing on Windows and darwin")
    }
  • TestConfigClientExclusiveRootPools: see

    go-connections/tlsconfig/config_test.go

    Lines 566 to 569 in 5cc4da5

    if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
    // FIXME: see https://github.com/docker/go-connections/issues/105.
    t.Skip("FIXME: failing on Windows and darwin")
    }

Both tests break with the following error:

Unable to verify certificate 1: x509: certificate signed by unknown authority

certificate 1 being systemRootTrustedCert:

go-connections/tlsconfig/config_test.go

Lines 20 to 41 in 5cc4da5

systemRootTrustedCert = `
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468SQvvG5
-----END CERTIFICATE-----
`

As noted in d5807de commit message:

The (*Certificate).Verify() method from crypto/x509 special-case
windows, darwin and ios GOOS to use a OS-specific verification process.
This process seems to consider root CAs as invalid for some unknown
reasons.

So either the syscall made by Verify() to retrieve the system-wide cert bundle return an empty set, it's out-of-date, or something else happen.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@akerouanton