Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encoding/asn1: failed to parse certificate from server: asn1: syntax error: sequence truncated #12910

Closed
ghost opened this issue Oct 12, 2015 · 18 comments
Milestone

Comments

@ghost
Copy link

@ghost ghost commented Oct 12, 2015

Issue

I use two projects which are built with go: docker and gitlab-ci-runner.

Both products try to connect to an HTTPS-enabled webservice and fail. In one case it's the docker daemon in the other case it's a NGINX in front of gitlab. In both cases I get similar errors:

: tls: failed to parse certificate from server: asn1: syntax error: sequence truncated

Setup

Both webservices use a (different) certificate issued by an internal Sub-CA:

Root-CA
  Sub-CA
     Sub-CA
       Sub-CA
         Server-CRT

I tried the webservices to serve the full chain excluding the Root-CA.

  • Gitlab:

    Accessing gitlab with Firefox, Chromium, curl and openssl s_client works fine since I setup ca-trust correctly: The root CA certificate is stored at /etc/(pki|ca-certificates/trust-source/anchor + sudo update-ca-trust.

  • docker

    This only worked if I added a single CA to the server CRT. This would require to distribute the other Root-/Sub-CAs on quite a few machines where the docker client runs.

Expected behaviour

I expect both programs to support certificate chains including verification.

My role

From your perspective I'm a end-user of both products and NOT an developer/maintiner of those products.

Information about software products

docker

Client:
Version:      1.8.1
API version:  1.20
Go version:   go1.4.2
Git commit:   d12ea79
Built:        Thu Aug 13 02:19:43 UTC 2015
OS/Arch:      linux/amd64

Server:
Version:      1.8.1
API version:  1.20
Go version:   go1.4.2
Git commit:   d12ea79
Built:        Thu Aug 13 02:19:43 UTC 2015
OS/Arch:      linux/amd64

gitlab-ci-runner

I'm not sure, what go-version exactly was used to create the executable, but they use the docker image "golang:1.4" from the docker library.

Related issues

I opened an issue for the HTTPS-problem at golang as well @ayufan @cpuguy83

@rakyll
Copy link
Contributor

@rakyll rakyll commented Oct 12, 2015

Could you provide us a Go snippet that reproduces the bug? Given the fact that Go maintainers are not necessarily familiar with the other codebases you have cross linked to, It is hard to go through the other issues and being able to reproduce the case.

@ghost
Copy link
Author

@ghost ghost commented Oct 12, 2015

@rakyll Puh. I understand your request, but unfortunately I'm not a go-developer. Maybe @ayufan can help us here.

@ghost
Copy link
Author

@ghost ghost commented Oct 12, 2015

And I fear we/the developer needs to setup:

Client:

  • Requested Code Snippet

Server

  • some small HTTPS-webserver
  • SSL-Certificate Chain - relatively easy to setup with XCA

I can help with CA. To open the CA database the developer needs to download XCA and open/export the certificates from there. The given CA file contains 4 CAs and 2 server certificates. One is for server.example.com and the other is for *.example.com. I hope it's ok to add some binary file to that issue, but it's the most convient way to re-use my work.

You can find the files for the CA here. It's a data repository hosted with Github Pages. Unfortunately I was not able to add the files to this issue. The most relevant file is the ca.xdb-file. It contains the CA database.

screenshot

@rakyll rakyll changed the title failed to parse certificate from server: asn1: syntax error: sequence truncated encoding/asn1: failed to parse certificate from server: asn1: syntax error: sequence truncated Oct 12, 2015
@ghost
Copy link
Author

@ghost ghost commented Oct 12, 2015

Added link to the CA.

@ghost
Copy link
Author

@ghost ghost commented Oct 12, 2015

Setup apache (https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04):

Listen 443
<VirtualHost *:443>
    ServerName server.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/server.example.com.key
</VirtualHost>
@ghost
Copy link
Author

@ghost ghost commented Oct 14, 2015

Ok. @rakyll I prepared a docker image you can use if you like. It contains "just" the webservers "nginx" and "apache" setup with ssl. Please see https://github.com/fedux-org/centos-webservers for detailed instructions about how to use it.

docker pull feduxorg/centos-webservers
@ghost
Copy link
Author

@ghost ghost commented Oct 14, 2015

I put together "some kind" of a client via google and C&P. Unfortunately I cannot reproduce the issue with it. :-(

@ayufan Do you do something different in gitlab-ci-runner or use some other library?

package main

import (
  "crypto/tls"
  "crypto/x509"
  "log"
  "fmt"
  "net/http"
  "io/ioutil"
  "os"
    )
func main() {

  var caFile = "/etc/ca-certificates/trust-source/anchors/CA_Example_Com.crt"

  // Load CA cert
  caCert, err := ioutil.ReadFile(caFile)
  if err != nil {
    log.Fatal(err)
  }

  caCertPool := x509.NewCertPool()
  caCertPool.AppendCertsFromPEM(caCert)

  // Setup HTTPS client
  tlsConfig := &tls.Config{
    RootCAs:      caCertPool,
  }

  tlsConfig.BuildNameToCertificate()
  transport := &http.Transport{TLSClientConfig: tlsConfig}
  client := &http.Client{Transport: transport}

  response, err := client.Get("https://localhost:8443/")
  if err != nil {
    fmt.Printf("%s", err)
    os.Exit(1)
  } else {
    defer response.Body.Close()
    contents, err := ioutil.ReadAll(response.Body)
    if err != nil {
      fmt.Printf("%s", err)
      os.Exit(1)
    }
    fmt.Printf("%s\n", string(contents))
  }
}
@rsc
Copy link
Contributor

@rsc rsc commented Oct 23, 2015

Can you post the certificate somewhere we can look at it? If you can't post it, can you email it to me (rsc@golang.org)?

Thanks.

@rsc rsc added this to the Go1.6 milestone Oct 23, 2015
@ghost
Copy link
Author

@ghost ghost commented Oct 24, 2015

The failing one or the one from the example? The failing one is internal unfortunately, I will as my security manager what he thinks about that.

@rsc
Copy link
Contributor

@rsc rsc commented Nov 5, 2015

@dg-ratiodata, any failing certificate will do. If the one from the example fails, that's fine too/ (I don't have time to go through whatever is required to fish it out of the Docker image.) Thanks.

@ghost
Copy link
Author

@ghost ghost commented Nov 5, 2015

Ok.

@rsc
Copy link
Contributor

@rsc rsc commented Nov 26, 2015

@dg-ratiodata any update on a copy of the failing certificate?

@ghost
Copy link
Author

@ghost ghost commented Nov 26, 2015

No. I asked them, but didn't get an info. I am going to ping them again.

@rsc
Copy link
Contributor

@rsc rsc commented Dec 3, 2015

Any news? FWIW, this is the sort of thing I'm looking for, except that this program succeeds: http://play.golang.org/p/aW9S8XQcNJ.

The certs in that program are the samples that you linked to earlier. They are fine as far as I can tell. It should be the case that if you paste your real certificate into the program instead, the program should fail, with an error coming back from ParseCertificates.

Note that 'BEGIN CERTIFICATE' data only contains a public key, not a private one. If you're worried about exposing the non-cryptographic details (view with openssl x509 -in foo.crt -text) publicly but are okay with emailing it to me (rsc@google.com), that's fine too.

Thanks.

@ghost
Copy link
Author

@ghost ghost commented Dec 4, 2015

Great. Will have a look. Thanks a lot for your patience.

@ghost
Copy link
Author

@ghost ghost commented Dec 4, 2015

I got this output after adding the certificates. I nailed it down to our internal root CA certificate. All other certs in the chain can be parsed. Besides that, running openssl worked fine with this certificate.

% go run parse.go
2015/12/04 10:08:30 failed to parse certificate: asn1: syntax error: sequence truncated
exit status 1

Hope to get a repsonse from our security guys soon.

@gopherbot
Copy link

@gopherbot gopherbot commented Dec 8, 2015

CL https://golang.org/cl/17550 mentions this issue.

@ghost
Copy link
Author

@ghost ghost commented Dec 9, 2015

@rsc Wow, that was quick. Thanks for fixing this issue.

@rsc rsc closed this in be7544b Dec 17, 2015
@golang golang locked and limited conversation to collaborators Dec 29, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.