crypto/x509: error "x509: certificate signed by unknown authority" on valid SSL chain #16589

Closed
rasky opened this issue Aug 3, 2016 · 7 comments

@rasky (Member) commented Aug 3, 2016

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.7rc4 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/rasky/Sources/go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.7rc4/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.7rc4/libexec/pkg/tool/darwin_amd64"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/lw/jdbk7p_d4gj6qpydczpbw2080000gn/T/go-build080916688=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"

What did you do?

package main

import (
    "io"
    "net/http"
    "os"
)

func main() {
    resp, err := http.Get("https://blitznote.com/src/caddy.upload?go-get=1")
    if err != nil {
        panic(err)
    }

    io.Copy(os.Stdout, resp.Body)
}

What did you expect to see?

Some HTML output

What did you see instead?

panic: Get https://blitznote.com/src/caddy.upload?go-get=1: x509: certificate signed by unknown authority

goroutine 1 [running]:
panic(0x1fcd00, 0xc420400060)
    /usr/local/Cellar/go/1.7rc4/libexec/src/runtime/panic.go:500 +0x1a1
main.main()
    /private/tmp/test.go:12 +0xd0
exit status 2

Notice that visiting the same link with Safari produces no SSL error. The SSL certificate chain seems correct and the Comodo ECC CA is in OS X trust store.

@mdempsky (Member) commented Aug 3, 2016

/cc @agl

@jmassara commented Aug 3, 2016

I believe this is a dup of #16532.

@bradfitz changed the title from "net/http: error "x509: certificate signed by unknown authority" on valid SSL chain" to "crypto/x509: error "x509: certificate signed by unknown authority" on valid SSL chain" Aug 3, 2016

@josharian (Contributor) commented Aug 4, 2016

This isn't a dup of #16532, I think, because that issue is for the non-cgo code path, and go env indicates that cgo is enabled here.

@quentinmit added this to the Go1.8 milestone Aug 4, 2016

@wmark commented Aug 5, 2016

@rasky, I have noticed you are using OS darwin. Do you get the same error with, say, this site?
https://scotthelme.co.uk/ecdsa-certificates/

I have not been able to reproduce this using go version go1.7rc4 linux/amd64:

$ docker pull golang:1.7rc4
$ docker run -ti --rm d7e6aaff64ae

go version
# go version go1.7rc4 linux/amd64

# [… paste the above script as 16589.go]
go run 16589.go
CGO_ENABLED="1" go run 16589.go
# both don't panic

@rasky (Member, Author) commented Aug 5, 2016

@wmark yes, this bug is OSX-only, and it doesn't reproduce with the URL you linked.

@agl self-assigned this Aug 19, 2016

@xfreshx commented Oct 5, 2016

@rasky unfortunately have the same on windows x86. I built my app on win64 with

  • GOARCH=386
  • CGO_ENABLED=1

On win64 everything is fine. OS X version (with only CGO_ENABLED=1) is fine as well.

Any solution available yet?

@agl (Contributor) commented Feb 8, 2017

Best I can tell, this is caused by "COMODO ECC Certification Authority" not being included in some OS X versions.

With 10.10, it's not included. That site can be loaded by Safari because the intermediate has an AIA pointer to a cross-sign from the AddTrust ECC root, which /is/ included. But the site isn't serving that cross-sign for Go.

With 10.12, the root is included and the test loads.
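
The diagnosis in the last comment can be reproduced offline. The following is an added example, not code from the issue or from the Go project: it builds a constructed hierarchy in which a newer root also exists as a cross-sign from an older root, then verifies a leaf against three trust configurations. All certificate names and the helpers `must`, `issue`, `verify` and `scenario` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue returns a constructed cert for (cn, key) signed by parent/pkey; a nil parent means self-signed.
func issue(cn string, ca bool, key *ecdsa.PrivateKey, parent *x509.Certificate, pkey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey))))
}
// verify trusts only root and builds chains only from the served certs; nothing is fetched via AIA.
func verify(leaf, root *x509.Certificate, served ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range served {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}
// scenario: old trust store without the cross-sign, old store with it served, store holding the new root.
func scenario() (missing, withCross, newStore error) {
	k := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldK, newK, intK := k(), k(), k()
	oldRoot := issue("Old Root (constructed)", true, oldK, nil, nil)
	newRoot := issue("New ECC Root (constructed)", true, newK, nil, nil)
	cross := issue("New ECC Root (constructed)", true, newK, oldRoot, oldK) // same subject and key as newRoot
	inter := issue("Intermediate (constructed)", true, intK, newRoot, newK)
	leaf := issue("site.example", false, k(), inter, intK)
	return verify(leaf, oldRoot, inter), verify(leaf, oldRoot, inter, cross), verify(leaf, newRoot, inter)
}
func main() { fmt.Println(scenario()) }
```

The first case returns the same `x509: certificate signed by unknown authority` error reported in this issue; the other two verify, corresponding to a server that sends the cross-sign and to a trust store that already contains the newer root.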
