crypto/x509: CentOS 7 "x509: failed to load system roots and no roots provided" issues. #15749
Comments
|
Related: #14022 and https://golang.org/cl/20253 (see 4th comment from Krzysztof Malinowski). |
|
I'm having a very similar problem under darwin/amd64 under both 1.6.2 and tip. I get an error "x509: certificate signed by unknown authority" for a certificate which is valid and works under chrome, safari, and curl. I've verified that the root authority being used by chrome is in the system keychain. It seems like at a higher level than the _linux.go file it's somehow not parsing all the valid root authorities on the system. |
|
@driusan have you validated your certificate with the openssl client? openssl s_client -showcerts -connect your-uri |
|
@mckn you're right, the openssl client also fails, while every other https client I've tried has no problem validating it. Googling around for the error from openssl ("Verify return code: 21 (unable to verify the first certificate)") is more helpful than the error from Go, as it leads to this: Which suggests the problem is when the intermediate certificate isn't included in the bundle returned by the server web browsers will dynamically retrieve it/verify it, while crypto/x509 (and hence net/http) and openssl just give up. I'll take up the misconfiguration on the server I'm trying to access the sysadmins, but I still think this behaviour should be considered a bug in Go, since most developers will expect the certificate verification from net/http to validate in the same way as their web browser, curl, wget, etc. (Sorry to have hijacked your issue.) |
quentinmit
added
the
NeedsFix
|
CL https://golang.org/cl/30375 mentions this issue. |
Please answer these questions before submitting your issue. Thanks!
go version)?1.6.2
go env)?I am running go 1.6.2 from the official docker container with CentOS7 as the hosting os.
I was using the http.Client and I did a request to a https:// endpoint.
I was expecting to get a 200OK request. If I did the same request with curl or wget it worked like a charm so it wasnt any problems with the certs on the OS.
When I was doing the request I got the following error: "x509: failed to load system roots and no roots provided"
Solution:
So since other tools worked with https on the host I knew that it was not any problems with the certificates. I checked where the ca bundle was located on the host system and compared it with the following file:
https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go
On CentOS 7 the certificate bundle is located at the following path:
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pemThen there are a link to that file on the following path:
/etc/ssl/ca-bundle.crtNote that it is
.crtinstead of.pemas in theroot_linux.gofile.So I tried to run my container to link the
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pemto/etc/ssl/ca-bundle.pemand everything works. It was a work around to get my application to work but I would prefer it if we can add the/etc/ssl/ca-bundle.crtto the paths in root_linux.go.Hope this is possible! Thanks!
The text was updated successfully, but these errors were encountered: