Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: root_darwin.go does not include trusted root certificates from System/Login keychains #20990

Closed
raszi opened this issue Jul 12, 2017 · 10 comments

Comments

@raszi
Copy link

@raszi raszi commented Jul 12, 2017

This is a bug for tracking the work on the certificate handling in the not cgo version of go.

Intentionally copied over the original bug description from here #14514.

  1. Tested on go version go1.6 darwin/amd64 and go version go1.5.3 darwin/amd64.
  2. OS X Yosemite, OS X El Capitan
  3. I attempted to connect to a TLS service with a certificate signed by an internal, enterprise certificate authority. The CA certificate was added to the System keychain.
  4. I expected to be able to connect to the TLS service without any issue as the certificate is signed by a CA I trust.
  5. The program failed to connect to the TLS service, because the CA certificate that issued the certificate is not installed in the SystemRootCertificates.keychain that Go loads trusted roots from.

On OS X Yosemite, this issue can be mitigated by installing the certificate into SystemRootCertificates.keychain via /usr/bin/security from the terminal:

sudo security add-trusted-cert -k /System/Library/Keychains/SystemRootCertificates.keychain <certificate>

However, on El Capitan this is no longer possible without turning off security protections enabled by Apple.

execSecurityRoots should try to load additional certificates from the System keychain located at /Library/Keychains/System.keychain, and the Login keychain (~/Library/Keychains/login.keychain).

This bug makes distributing Go clients (especially 3rd-party developed) difficult in organizations with an internal PKI.

@josharian josharian added this to the Go1.10 milestone Jul 12, 2017
@josharian
Copy link
Contributor

@josharian josharian commented Jul 12, 2017

I'm really glad to see the non-cgo version of certs getting some careful attention.

@mastercactapus
Copy link
Contributor

@mastercactapus mastercactapus commented Aug 19, 2017

@raszi Give 1.9rc2 a try, it should already have the fix for this.
https://go-review.googlesource.com/c/36941

@lmayorga1980
Copy link

@lmayorga1980 lmayorga1980 commented Sep 15, 2017

I recompiled golang go version devel +165c15afa3 Fri Sep 15 17:29:51 2017 +0000 darwin/amd64 and compiled my own version of Packer hashicorp/packer#5230 but still got the x509 error.

* Post-processor failed: Failed to start import from s3://<some-bucket>/packer-import-1505501667.ova: RequestError: send request failed
caused by: Post https://ec2.us-east-1.amazonaws.com/: x509: certificate signed by unknown authority

OSX: 10.12.6 (16G29)

Any advice on how to get a workaround.

@mastercactapus
Copy link
Contributor

@mastercactapus mastercactapus commented Sep 15, 2017

@lmayorga1980 is that with, or without, cgo disabled? (try setting CGO_ENABLED=0 when building)

@lmayorga1980
Copy link

@lmayorga1980 lmayorga1980 commented Sep 15, 2017

I didn't 😢 . I will try again when building go.

@mastercactapus
Copy link
Contributor

@mastercactapus mastercactapus commented Sep 16, 2017

Set CGO_ENABLED=0 when building Packer (or whichever app/program you're testing) to get a pure-go version, no need to rebuild Go itself.

@lmayorga1980
Copy link

@lmayorga1980 lmayorga1980 commented Sep 17, 2017

Confirmed. It works for me 👍 🎉 🎈 .

My steps:

  1. brew install golang. This will install 1.9 from the binary releases.
  2. Recompiled Golang from master branch in OSX Sierra.
  3. brew uninstall golang
  4. Add my compiled go to the PATH
  5. Compiled Hashicorp/Packer from source.

Thanks.

@lmayorga1980
Copy link

@lmayorga1980 lmayorga1980 commented Sep 29, 2017

@mastercactapus Do you know when this will be available in the core go release?

@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Sep 29, 2017

@lmayorga1980 I'm not sure whether anything was committed because of this issue, but the 1.10 Go release is scheduled for February 1. https://github.com/golang/go/wiki/Go-Release-Cycle

@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Sep 29, 2017

Actually, as far as I can tell from the comments above, this is fixed in 1.9, so it is already in a core Go release. But to get a non-cgo version, you'll have to build it yourself, following the comments above, or as described at https://golang.org/doc/install/source setting CGO_ENABLED=0 in the environment.

I'm going to close this issue because I don't see anything to do. Please comment if you disagree.

@golang golang locked and limited conversation to collaborators Sep 29, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants
You can’t perform that action at this time.