Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: go get failed on Mac with "x509: certificate signed by unknown authority" #24147

Closed
phye opened this issue Feb 27, 2018 · 15 comments
Closed

Comments

@phye
Copy link

@phye phye commented Feb 27, 2018

Please answer these questions before submitting your issue. Thanks!

What did you do?

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.
$ go get -d k8s.io/kubernetes
package k8s.io/kubernetes: unrecognized import path "k8s.io/kubernetes" (https fetch: Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority)

What did you expect to see?

Packages can be pulled down and installed directly

What did you see instead?

The x509 certificate error prevents everything

System details

go version go1.10 darwin/amd64
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/phye/Library/Caches/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Volumes/gitws/go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.10/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.10/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/ch/0fcsjfy14kd6jgpzwky0ggvm0000gn/T/go-build042818790=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.10 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.10
uname -v: Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64
ProductName:	Mac OS X
ProductVersion:	10.13.3
BuildVersion:	17D102
lldb --version: lldb-900.0.64
  Swift-4.0
@adamdecaf

This comment has been minimized.

Copy link
Contributor

@adamdecaf adamdecaf commented Feb 27, 2018

@phye Have you modified your keychain certificate trust? k8s.io looks to use Let's Encrypt which should be trusted on your mac.

$ openssl s_client -connect k8s.io:443 -showcerts

 0 s:/CN=k8s.io
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Feb 28, 2018

I don't think I've ever modified my keychain certificate trust. Anyway, since I'm not familiar with encrypt/decrypt, if you can provide me hint to check that, I can provide more info follow your instructions.

On the other hand, I've tried curl -kv https://k8s.io:443 on my mac and it works just fine, only go get failed with x509 certificate sign error.

@adamdecaf

This comment has been minimized.

Copy link
Contributor

@adamdecaf adamdecaf commented Feb 28, 2018

curl -k skips certificate verification. On a mac curl might use a different certificate store (openssl) than what Go uses depending on how it's installed.

Could you paste the full output of curl -kv https://k8s.io:443 and verify "DST Root CA X3" is in your keychain and trusted?

k8s.io is currently serving a Let's Encrypt certificate: https://letsencrypt.org/certificates/

That requires either DST Root CA X3 or ISRG Root X1 trusted on your mac.

On my Mac DST Root CA X3 exists and is trusted. A go get -v -d k8s.io/kubernetes works for me and I'm on macOS 10.13.3. (Same as you)

@bradfitz bradfitz changed the title Various go get failed with "x509: certificate signed by unknown authority" crypto/tls: go get failed on Mac with "x509: certificate signed by unknown authority" Feb 28, 2018
@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Mar 1, 2018

I'm sorry, I meant curl -v https://k8s.io:443 works for me on my mac, typo to curl -kv...
Here's output for curl -v https://k8s.io:443:

$ curl -v https://k8s.io:443                                                                                      [18-03-01 10:26:55]
* Rebuilt URL to: https://k8s.io:443/
*   Trying 23.236.58.218...
* TCP_NODELAY set
* Connected to k8s.io (23.236.58.218) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=k8s.io
*  start date: Feb 16 19:26:58 2018 GMT
*  expire date: May 17 19:26:58 2018 GMT
*  subjectAltName: host "k8s.io" matched cert's "k8s.io"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: k8s.io
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.10.3
< Date: Thu, 01 Mar 2018 02:29:02 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Location: https://kubernetes.io/
<

Here's go get -v -d k8s.io/kubernetes:

$ go get -v -d k8s.io/kubernetes                                                                                  [18-03-01 10:31:27]
Fetching https://k8s.io/kubernetes?go-get=1
https fetch failed: Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority
package k8s.io/kubernetes: unrecognized import path "k8s.io/kubernetes" (https fetch: Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority)

Strange enough, I only recalled that I've once imported some certificate for our customer, but never deleted any.

I further checked DST Root CA and ISRG Root X1, and they're all there in my Keychain Access. Somehow go simply could not find them or ignore them?

Regarding how go is installed, I simply install it via homebrew: brew install go.

@adamdecaf

This comment has been minimized.

Copy link
Contributor

@adamdecaf adamdecaf commented Mar 1, 2018

That's odd. I was able to reproduce the error if I marked DST Root CA X3 as 'Never Trust' in keychain.

The cgo code which collects certs doesn't offer much for debug logging. Are you willing to add some and see what's outputted?

I'm going to file a CL, which you could use, to add some debug logging for this going forward.

@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Mar 1, 2018

Change https://golang.org/cl/97801 mentions this issue: crypto/x509: print more debug info for cgo darwin path

@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Mar 1, 2018

Sure, let me follow the CL to provide more info. Thanks for your patient help!

@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Mar 1, 2018

I was trying to apply your patch, but apparently the diff you provided does not match my root_cgo_darwin.go(attached).

I was using go 1.10, can you send a matching one?

$ go version                                                                                                                   [18-03-01 12:18:07]
go version go1.10 darwin/amd64

Also, do you know how to apply your diff directly via CLIs? I've never applied golang CL before, hence the silly question.

root_cgo_darwin.go.txt

@adamdecaf

This comment has been minimized.

Copy link
Contributor

@adamdecaf adamdecaf commented Mar 1, 2018

@phye You can Download the patch and apply it like so. Afterwords, you'll need to make.bash in src and then you should have a go binary. (In ../bin/go from src/)

$ base64 -D ~/0ee3287.diff.base64 | git apply

I forgot to include some sample code you can use to print the system certs.

package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

func main() {
	start := time.Now()
	certs, err := x509.SystemCertPool()
	end := time.Now()
	if err != nil {
		panic(err)
	}
	fmt.Printf("found %d certs in %v\n", len(certs.Subjects()), end.Sub(start))
}
$ GODEBUG=x509roots=1 CGO_ENABLED=1 ../bin/go run main.go

Thanks for helping debug this!

@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Mar 2, 2018

I'm sorry @adamdecaf, as I stated earlier, your diff does not match what I have locally. Here'e the apply output:

phye:go/ $ base64 -D ~/Downloads/0ee3287.diff.base64 | git apply --verbose
Checking patch src/crypto/x509/root_cgo_darwin.go...
error: while searching for:
import "C"
import (
        "errors"
        "unsafe"
)


error: patch failed: src/crypto/x509/root_cgo_darwin.go:215
error: src/crypto/x509/root_cgo_darwin.go: patch does not apply
Checking patch src/crypto/x509/root_darwin.go...
error: while searching for:
        "sync"
)

var debugExecDarwinRoots = strings.Contains(os.Getenv("GODEBUG"), "x509roots=1")

func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
        return nil, nil

error: patch failed: src/crypto/x509/root_darwin.go:22
error: src/crypto/x509/root_darwin.go: patch does not apply

Can you send me a new patch?

@adamdecaf

This comment has been minimized.

Copy link
Contributor

@adamdecaf adamdecaf commented Mar 2, 2018

@phye What git hash are you on? I'm basing the change off the Go1.10 tag.

https://github.com/golang/go/blob/go1.10/src/crypto/x509/root_cgo_darwin.go

Looking at your file again (#24147 (comment)) you might be on an older version. Around go1.5

This version looks very similar to the one you posted. https://github.com/golang/go/blob/go1.5/src/crypto/x509/root_cgo_darwin.go

@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Mar 3, 2018

You're right @adamdecaf !
Firstly, I've made some silly mistake that I came to know only after reading your reply... There're actually two mixing go environments in my mac: 1) A very old 1.5 go installed manually by me via official packages for OS X, 2) A relatively fresh go 1.10 environment that I installed (later) via brew install go. When pasting the root_cgo_darwin.go I was uploading the wrong file, also I was applying the patch in the wrong 1.5 folder...

Having realized the silly mistake above, I tried to completely remove the 'brew install' 1.10 go version, the very old 1.5 go and tried to reinstall go 1.10 via the official OSX golang 1.10 packages. But unfortunately, I still cannot run go get -d k8s.io/kubernetes.

So, here's the output after applying your patch:

phye:x509/ $ GODEBUG=x509roots=1 CGO_ENABLED=1 ~/go1.10/bin/go run main.go                                                                [18-03-03 13:52:41]
roots=190, trustedRoots=188, untrustedRoots=3
crypto/x509: trusted root CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net
crypto/x509: trusted root SERIALNUMBER=G63287510,CN=ANF Global Root CA,OU=ANF Clase 1 CA,O=ANF Autoridad de Certificacion,L=Barcelona (see current address at http://www.anf.es/es/address-direccion.html ),ST=Barcelona,C=ES
crypto/x509: trusted root CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
crypto/x509: trusted root CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
crypto/x509: trusted root CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
crypto/x509: trusted root CN=AffirmTrust Commercial,O=AffirmTrust,C=US
crypto/x509: trusted root CN=AffirmTrust Networking,O=AffirmTrust,C=US
crypto/x509: trusted root CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
crypto/x509: trusted root CN=AffirmTrust Premium,O=AffirmTrust,C=US
crypto/x509: trusted root CN=Amazon Root CA 1,O=Amazon,C=US
crypto/x509: trusted root CN=Amazon Root CA 2,O=Amazon,C=US
crypto/x509: trusted root CN=Amazon Root CA 3,O=Amazon,C=US
crypto/x509: trusted root CN=Amazon Root CA 4,O=Amazon,C=US
crypto/x509: trusted root CN=Apple Root CA - G2,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: trusted root CN=Apple Root CA - G3,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: trusted root CN=Apple Root CA,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: trusted root CN=Apple Root Certificate Authority,OU=Apple Computer Certificate Authority,O=Apple Computer\, Inc.,C=US
crypto/x509: trusted root CN=Atos TrustedRoot 2011,O=Atos,C=DE
crypto/x509: trusted root CN=Autoridad de Certificacion Raiz del Estado Venezolano,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,L=Caracas,ST=Distrito Capital,C=VE
crypto/x509: trusted root CN=Admin-Root-CA,OU=Services+OU=Certification Authorities,O=admin,C=ch
crypto/x509: trusted root CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
crypto/x509: trusted root CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
crypto/x509: trusted root CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
crypto/x509: trusted root CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU=VeriSign Trust Network+OU=(c) 1999 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: trusted root CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU=VeriSign Trust Network+OU=(c) 1999 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: trusted root CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=VeriSign Trust Network+OU=(c) 1999 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: trusted root CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
crypto/x509: trusted root CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
crypto/x509: trusted root CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
crypto/x509: trusted root CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: trusted root CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: trusted root CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: trusted root CN=Certplus Root CA G1,O=Certplus,C=FR
crypto/x509: trusted root CN=Certplus Root CA G2,O=Certplus,C=FR
crypto/x509: trusted root CN=Certigna,O=Dhimyotis,C=FR
crypto/x509: trusted root CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
crypto/x509: trusted root CN=Certinomis - Autorité Racine,OU=0002 433998903,O=Certinomis,C=FR
crypto/x509: trusted root CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
crypto/x509: trusted root OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\, Ltd.,C=TW
crypto/x509: trusted root CN=ComSign CA,O=ComSign,C=IL
crypto/x509: trusted root CN=ComSign Global Root CA,O=ComSign Ltd.,C=IL
crypto/x509: trusted root CN=ComSign Secured CA,O=ComSign,C=IL
crypto/x509: trusted root CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: trusted root CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
crypto/x509: trusted root CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
crypto/x509: trusted root CN=DST Root CA X4,O=Digital Signature Trust Co.
crypto/x509: trusted root CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
crypto/x509: trusted root CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
crypto/x509: trusted root CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: trusted root CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.,L=Ankara,C=TR
crypto/x509: trusted root CN=Echoworx Root CA2,OU=Certification Services,O=Echoworx Corporation,L=Toronto,ST=Ontario,C=CA
crypto/x509: trusted root CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust\, Inc.,O=Entrust\, Inc.,C=US
crypto/x509: trusted root CN=Entrust Root Certification Authority - EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust\, Inc. - for authorized use only,O=Entrust\, Inc.,C=US
crypto/x509: trusted root CN=Entrust Root Certification Authority - G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust\, Inc. - for authorized use only,O=Entrust\, Inc.,C=US
crypto/x509: trusted root CN=Common Policy,OU=FBCA,O=U.S. Government,C=us
crypto/x509: trusted root CN=Federal Common Policy CA,OU=FPKI,O=U.S. Government,C=US
crypto/x509: trusted root CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
crypto/x509: trusted root OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US
crypto/x509: trusted root CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
crypto/x509: trusted root CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
crypto/x509: trusted root CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
crypto/x509: trusted root CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
crypto/x509: trusted root CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
crypto/x509: trusted root CN=GlobalSign,OU=GlobalSign ECC Root CA - R4,O=GlobalSign
crypto/x509: trusted root CN=GlobalSign,OU=GlobalSign ECC Root CA - R5,O=GlobalSign
crypto/x509: trusted root CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
crypto/x509: trusted root CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
crypto/x509: trusted root CN=SwissSign Gold Root CA - G3,O=SwissSign AG,C=CH
crypto/x509: trusted root CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
crypto/x509: trusted root CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
crypto/x509: trusted root CN=I.CA - Qualified Certification Authority\, 09/2009,OU=I.CA - Accredited Provider of Certification Services,O=První certifikační autorita\, a.s.,C=CZ
crypto/x509: trusted root CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
crypto/x509: trusted root CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
crypto/x509: trusted root CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
crypto/x509: trusted root CN=Izenpe.com,O=IZENPE S.A.,C=ES
crypto/x509: trusted root CN=Izenpe.com,O=IZENPE S.A. - CIF A-01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8,L=Avda del Mediterraneo Etorbidea 3 - 01010 Vitoria-Gasteiz,C=ES
crypto/x509: trusted root CN=Izenpe.com,O=IZENPE S.A.,C=ES
crypto/x509: trusted root CN=ApplicationCA2 Root,OU=GPKI,O=Japanese Government,C=JP
crypto/x509: trusted root CN=SZAFIR ROOT CA,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
crypto/x509: trusted root CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
crypto/x509: trusted root CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
crypto/x509: trusted root CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
crypto/x509: trusted root CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
crypto/x509: trusted root CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
crypto/x509: trusted root CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
crypto/x509: trusted root CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
crypto/x509: trusted root CN=SwissSign Platinum Root CA - G3,O=SwissSign AG,C=CH
crypto/x509: trusted root CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
crypto/x509: trusted root CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
crypto/x509: trusted root CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
crypto/x509: trusted root OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
crypto/x509: trusted root OU=Security Communication EV RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP
crypto/x509: trusted root OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP
crypto/x509: trusted root OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US
crypto/x509: trusted root CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
crypto/x509: trusted root CN=SwissSign Silver Root CA - G3,O=SwissSign AG,C=CH
crypto/x509: trusted root CN=Sonera Class2 CA,O=Sonera,C=FI
crypto/x509: trusted root CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
crypto/x509: trusted root CN=Starfield Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US
crypto/x509: trusted root CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US
crypto/x509: trusted root CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
crypto/x509: trusted root CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
crypto/x509: trusted root CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
crypto/x509: trusted root CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
crypto/x509: trusted root CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
crypto/x509: trusted root CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
crypto/x509: trusted root CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
crypto/x509: trusted root CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
crypto/x509: trusted root CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
crypto/x509: trusted root CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
crypto/x509: trusted root CN=Symantec Class 3 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
crypto/x509: trusted root CN=Symantec Class 3 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
crypto/x509: trusted root CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
crypto/x509: trusted root CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
crypto/x509: trusted root CN=TRUST2408 OCES Primary CA,O=TRUST2408,C=DK
crypto/x509: trusted root CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
crypto/x509: trusted root O=Government Root Certification Authority,C=TW
crypto/x509: trusted root CN=TeliaSonera Root CA v1,O=TeliaSonera
crypto/x509: trusted root OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
crypto/x509: trusted root CN=Secure Global CA,O=SecureTrust Corporation,C=US
crypto/x509: trusted root CN=SecureTrust CA,O=SecureTrust Corporation,C=US
crypto/x509: trusted root CN=TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3,OU=Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü - UEKAE+OU=Kamu Sertifikasyon Merkezi,O=Türkiye Bilimsel ve Teknolojik Araştırma Kurumu - TÜBİTAK,L=Gebze - Kocaeli,C=TR
crypto/x509: trusted root CN=UCA Global Root,O=UniTrust,C=CN
crypto/x509: trusted root CN=UCA Root,O=UniTrust,C=CN
crypto/x509: trusted root CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
crypto/x509: trusted root CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
crypto/x509: trusted root CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
crypto/x509: trusted root CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
crypto/x509: trusted root CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
crypto/x509: trusted root CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
crypto/x509: trusted root CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
crypto/x509: trusted root CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU=VeriSign Trust Network+OU=(c) 2007 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: trusted root CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: trusted root CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: trusted root CN=Visa Information Delivery Root CA,OU=Visa International Service Association,O=VISA,C=US
crypto/x509: trusted root CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
crypto/x509: trusted root CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
crypto/x509: trusted root CN=OISTE WISeKey Global Root GA CA,OU=Copyright (c) 2005+OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
crypto/x509: trusted root CN=XRamp Global Certification Authority,OU=www.xrampsecurity.com,O=XRamp Security Services Inc,C=US
crypto/x509: trusted root CN=Belgium Root CA2,C=BE
crypto/x509: trusted root OU=certSIGN ROOT CA,O=certSIGN,C=RO
crypto/x509: trusted root CN=Class 2 Primary CA,O=Certplus,C=FR
crypto/x509: trusted root CN=Cisco Root CA 2048,O=Cisco Systems
crypto/x509: trusted root CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net
crypto/x509: trusted root CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
crypto/x509: trusted root CN=ISRG Root X1,O=Internet Security Research Group,C=US
crypto/x509: trusted root CN=KISA RootCA 1,OU=Korea Certification Authority Central,O=KISA,C=KR
crypto/x509: trusted root CN=VRK Gov. Root CA,OU=Certification Authority Services+OU=Varmennepalvelut,O=Vaestorekisterikeskus CA,ST=Finland,C=FI
crypto/x509: trusted root CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
crypto/x509: trusted root CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
crypto/x509: trusted root CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
crypto/x509: trusted root CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
crypto/x509: trusted root CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
crypto/x509: trusted root SERIALNUMBER=A82743287,CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,L=Madrid (see current address at www.camerfirma.com/address),C=EU
crypto/x509: trusted root SERIALNUMBER=A82743287,CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,L=Madrid (see current address at www.camerfirma.com/address),C=EU
crypto/x509: trusted root CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
crypto/x509: trusted root CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
crypto/x509: trusted root CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
crypto/x509: trusted root CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
crypto/x509: trusted root CN=thawte Primary Root CA - G3,OU=Certification Services Division+OU=(c) 2008 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US
crypto/x509: trusted root CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US
crypto/x509: trusted root CN=thawte Primary Root CA - G2,OU=(c) 2007 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US
crypto/x509: trusted root CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı,O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007,L=Ankara,C=TR
crypto/x509: trusted root CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
crypto/x509: trusted root CN=cdca,O=Cisco
crypto/x509: trusted root CN=MacIT Registration Authority,OU=Client & Cloud Productivity Services,O=Cisco Systems\, Inc.,L=San Jose,ST=CA,C=US
crypto/x509: trusted root CN=Cisco SSCA2,O=Cisco Systems
crypto/x509: trusted root CN=HydrantID SSL ICA G2,O=HydrantID (Avalanche Cloud Corporation),C=US
crypto/x509: trusted root CN=centrauth
crypto/x509: trusted root CN=ise-trustsec-prod-apac.cisco.com,O=Cisco Systems\, Inc.,L=San Jose,ST=CA,C=US
crypto/x509: trusted root CN=phye-win2008
crypto/x509: trusted root CN=bbs.sjtu.edu.cn
crypto/x509: trusted root CN=phye-win2008
crypto/x509: trusted root CN=phye-s11-win10
crypto/x509: trusted root CN=gd1.wlanportal.chinamobile.com,OU=Information System dept.1505,O=China Mobile Group Guangdong Co.\, Ltd.,L=guangzhou,ST=Guangdong,C=CN
crypto/x509: trusted root CN=phye-s11-win10
crypto/x509: trusted root CN=phye-win2008
crypto/x509: trusted root CN=phye-s11-win10
crypto/x509: trusted root CN=ATT-AEG-DIRECTV - Philip Ye,OU=ATT-AEG-DIRECTV-nds,L=Mac - Safari
crypto/x509: trusted root CN=phye-s11-win10
crypto/x509: trusted root CN=tb1-3-win1
crypto/x509: untrusted root CN=Cisco Root CA M1,O=Cisco
crypto/x509: untrusted root CN=DST Root CA X3,O=Digital Signature Trust Co.
crypto/x509: untrusted root CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
found 188 certs in 246.925367ms
@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Mar 3, 2018

@adamdecaf I seems to find something odd, the DST Root CA X3,O=Digital Signature Trust Co is marked as trusted in my Keychain Access, not the same as DST Root CA X4, which is simply this cert is valid.

And in the output above, you can find the this certificate is listed in untrusted.

@phye

This comment has been minimized.

Copy link
Author

@phye phye commented Mar 3, 2018

@adamdecaf, somehow I found two DST Root CA X3,O=Digital Signature Trust Co in my keychain access, one is in system keychains, another is in system roots. After I removed the one in system keychains, the other one in system roots becomes valid automatically! Unbelievable!

Anyway, I can go get -d k8s.io/kubernetes now!

Thanks so much for your help!

@adamdecaf

This comment has been minimized.

Copy link
Contributor

@adamdecaf adamdecaf commented Mar 3, 2018

@phye Sure thing! Glad we didn't find a bug.

The System.keychain is useful to modify trust of certificates across all users on a Mac.

@bradfitz (or someone) could you close this out?

https://golang.org/cl/97801 helped debug the problem here and would be nice to get merged.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.