New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: get -insecure not supported in modules #27049

Closed
kminami opened this Issue Aug 17, 2018 · 9 comments

Comments

Projects
None yet
6 participants
@kminami

kminami commented Aug 17, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.11rc1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/myapp/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build371106128=/tmp/go-build -gno-record-gcc-switches"

What did you do?

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

go get -v -insecure example.com/my/project

What did you expect to see?

Fetching https://example.com/my/project?go-get=1
https fetch failed: Get https://example.com/my/project?go-get=1: dial tcp x.x.x.x:443: connect: connection refused
Fetching http://example.com/my/project?go-get=1
Parsing meta tags from http://example.com/my/project?go-get=1 (status code 200)
example.com/my/project (download)
example.com/my/project

What did you see instead?

Fetching https://example.com/my/project?go-get=1
https fetch failed: Get https://example.com/my/project?go-get=1: dial tcp x.x.x.x:443: connect: connection refused
Fetching https://example.com/my?go-get=1
https fetch failed: Get https://example.com/my?go-get=1: dial tcp x.x.x.x:443: connect: connection refused
Fetching https://example.com?go-get=1
https fetch failed: Get https://example.com?go-get=1: dial tcp x.x.x.x:443: connect: connection refused
go get example.com/my/project: unrecognized import path "example.com/my/project" (https fetch: Get https://example.com/my/project?go-get=1: dial tcp x.x.x.x:443: connect: connection refused)

@kminami kminami changed the title from `go get -insecure` not supported in modules? to cmd/go: `go get -insecure` not supported in modules? Aug 17, 2018

@mvdan

This comment has been minimized.

Member

mvdan commented Aug 17, 2018

cc @bcmills @myitcv

This does seem like a bug to me, unless module-aware go get behaves like this for a specific reason.

@mvdan mvdan changed the title from cmd/go: `go get -insecure` not supported in modules? to cmd/go: get -insecure not supported in modules Aug 17, 2018

@mvdan mvdan added this to the Go1.11 milestone Aug 17, 2018

@kardianos

This comment has been minimized.

Contributor

kardianos commented Aug 17, 2018

It was intentional. Further reading: #25434 .

@rsc

This comment has been minimized.

Contributor

rsc commented Aug 17, 2018

Yes, the problem is that lots of commands now fetch from the network, so either we need to make them all accept -insecure and teach people to use it always (very sad) or else find a different way forward.

I'd like to hear more about what people use -insecure for, especially now that SSL certs are free.

@rsc

This comment has been minimized.

Contributor

rsc commented Aug 17, 2018

Leaving for Go 1.12 regardless.

@rsc rsc modified the milestones: Go1.11, Go1.12 Aug 17, 2018

@kminami

This comment has been minimized.

kminami commented Aug 17, 2018

Thank you for the reference. I understood the current status.

We are using a GitLab server on a private network with private domain name such as gitlab.internal.mycompany.com.
We can use private CA certs, but it's a bit hard to automate operations.
I will try to use free SSL certs like let's encrypt with combining with public DNS.
However, introduction of -insecure mechanism to modules will still help us.

By the way, some descriptions about current status in the release notes or Module-aware go get will also help. Espetially, I think the latter is very misleading.

@rsc

This comment has been minimized.

Contributor

rsc commented Aug 18, 2018

Moving back to Go 1.11. I didn't realize the module get docs said -insecure should work.

@rsc rsc modified the milestones: Go1.12, Go1.11 Aug 18, 2018

@rsc

This comment has been minimized.

Contributor

rsc commented Aug 18, 2018

OK, that was just a bug. get -insecure will work. Automatic download during 'go build' will always use secure mode, so you'll just have to run go get more often than you might otherwise. (The same amount as with GOPATH, but everyone else will be running it less with modules.)

@gopherbot

This comment has been minimized.

gopherbot commented Aug 18, 2018

Change https://golang.org/cl/129801 mentions this issue: cmd/go: fix module get -insecure

@gopherbot gopherbot closed this in bf80e3b Aug 18, 2018

komuw added a commit to komuw/go that referenced this issue Dec 4, 2018

cmd/go: fix module get -insecure
Need to actually use the flag for it to take effect.

Fixes golang#27049.

Change-Id: I57227b45f46f9dd67ecbf87c11bb2d08124bcfa0
Reviewed-on: https://go-review.googlesource.com/129801
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@soniah

This comment has been minimized.

soniah commented Dec 6, 2018

@rsc my issue with -insecure is that I'm working in a restricted environment that requires using an untrusted SSL certificate ie it's doing man-in-the-middle to decode/verify all comms. Yes the infrastructure should be setup to add the cert to the trusted key store, but it hasn't been and I can't change it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment