cmd/go: mod download doesn't allow insecure download #27332

Open
lizihuai opened this Issue Aug 29, 2018 · 29 comments

lizihuai commented Aug 29, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.11 linux/amd64

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

GO111MODULE=on go mod download

If possible, provide a recipe for reproducing the error.

error:

go: k8s.io/client-go@v8.0.0+incompatible: unrecognized import path "k8s.io/client-go" (https fetch: Get https://k8s.io/client-go?go-get=1: x509: certificate signed by unknown authority)
go: k8s.io/api@v0.0.0-20180824172530-dd5c735cbff9: unrecognized import path "k8s.io/api" (https fetch: Get https://k8s.io/api?go-get=1: x509: certificate signed by unknown authority)

A complete runnable program is good.
A link on play.golang.org is best.

What did you expect to see?

What did you see instead?

Member

oiooj commented Aug 29, 2018

@lizihuai Could you run this command and log it?

echo | openssl s_client -showcerts -servername k8s.io -connect k8s.io:443 2>/dev/null | openssl x509 -inform pem -noout -text

It seems that you don't have Let's Encrypt's CA.

lizihuai commented Aug 29, 2018

@oiooj
I ran the command and it failed. Error message:
unable to load certificate
140308543207312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

Explain that I have no CA?

Why do I need a CA when I use go mod?

lizihuai commented Aug 29, 2018

@oiooj but using curl -kv https://k8s.io:443 succeeds

Contributor

fraenkel commented Aug 29, 2018

@lizihuai Drop the -k and the failure should occur.

lizihuai commented Aug 29, 2018

@fraenkel Dropping the -k fails. What can I do? Why can I access other https URLs? I can't access this one.

Contributor

fraenkel commented Aug 29, 2018

Most OSes have added the LetsEncrypt CA as a trusted CA.
But you might be able to get away with a go get -insecure instead. I am not sure if go mod download is missing the -insecure flag.

Member

agnivade commented Aug 29, 2018

That is the exact issue - go mod download doesn't have an insecure flag.

go help mod download
usage: go mod download [-dir] [-json] [modules]

/cc @rsc @bcmills

@agnivade agnivade changed the title from [go mod download] use go mod download pkg to cmd/go:mod download doesn't allow insecure download Aug 29, 2018

@agnivade agnivade added this to the Go1.12 milestone Aug 29, 2018

lizihuai commented Aug 30, 2018

@fraenkel
Using go get -insecure I can download k8s.io, but there is another problem; this can't be downloaded:
https://gopkg.in/yaml.v2?go-get=1
@agnivade Can Go 1.11 fix this problem?
Why is there such a problem, what is the cause of this problem? thanks

@FiloSottile FiloSottile changed the title from cmd/go:mod download doesn't allow insecure download to cmd/go: mod download doesn't allow insecure download Aug 30, 2018

@bcmills bcmills added the modules label Sep 13, 2018

gcstang commented Sep 13, 2018

I have the same issue for a self-generated cert on my private repository when using
go mod tidy
go mod download
etc...

Member

agnivade commented Sep 14, 2018

Why is there such a problem, what is the cause of this problem? thanks

It is how https works. The client has to verify the cert returned by the server. We can explicitly choose to ignore validating the cert. go get has an option to allow that, go mod download doesn't. Hence the issue.

gopherbot commented Sep 17, 2018

Change https://golang.org/cl/135735 mentions this issue: cmd/go/internal/modcmd: mod download allow insecure download

gcstang commented Sep 17, 2018

I see in the recent change the flag has been added. Will this also allow it to pick up the setting in GO_FLAGS like other commands can?

i.e. GOFLAGS=-insecure

Member

bcmills commented Sep 17, 2018

Member

bcmills commented Sep 17, 2018

If the problem is that go get is missing some needed root certificate, I would rather we add a mechanism to tell go get about the missing certificate rather than ignore all of the ones it already has.

Member

bcmills commented Sep 17, 2018

(Or, to put it another way: I would prefer that we deprecate the -insecure flag rather than expanding its reach.)
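
Added example, not part of the thread and not code from cmd/go: a sketch of the difference between trusting one extra certificate and disabling verification, using net/http against a local test server. The certificate is the one constructed by httptest, and the host name "other.invalid" is made up for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch does one HTTPS GET with the given TLS settings; nil means the
// handshake and certificate checks passed.
func fetch(url string, cfg *tls.Config) error {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Compare runs four clients against a local server whose certificate
// (constructed by httptest) is signed by no system-trusted authority.
func Compare() (def, extraCA, extraCAWrongHost, insecureWrongHost error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }))
	defer srv.Close()

	// System roots plus the one private certificate: nothing else is relaxed.
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	pool.AddCert(srv.Certificate())

	def = fetch(srv.URL, &tls.Config{}) // fails: unknown authority
	extraCA = fetch(srv.URL, &tls.Config{RootCAs: pool})
	// "other.invalid" is a made-up name the certificate does not cover.
	extraCAWrongHost = fetch(srv.URL, &tls.Config{RootCAs: pool, ServerName: "other.invalid"})
	insecureWrongHost = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true, ServerName: "other.invalid"})
	return
}

func main() {
	a, b, c, d := Compare()
	fmt.Printf("default: %v\nextra CA: %v\nextra CA, wrong host: %v\ninsecure, wrong host: %v\n", a, b, c, d)
}
```

With the extra certificate in the pool, the host-name check still rejects the mismatched name; with verification skipped, the same mismatched connection is accepted.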

gcstang commented Sep 17, 2018

I'm good either way, as long as I can add a self generated certificate for it to work.

fearful-symmetry commented Oct 3, 2018

Seconding this. My work has a number of internal gitlab instances with self-signed certs. An -insecure flag would be very helpful.

sgoodrow commented Nov 2, 2018

We are dealing with this problem as well. An -insecure flag would be very helpful.

Member

FiloSottile commented Nov 2, 2018

How many people would need the full -insecure shotgun, and why, as opposed to an environment variable to point to a private CA (cough) or self-signed certificate to trust?

Member

myitcv commented Nov 13, 2018

I guess an alternative here would be to have a GOPROXY implementation that handles this.

@bcmills bcmills modified the milestones: Go1.12, Go1.13 Nov 15, 2018

daqingshu commented Dec 3, 2018

How many people would need the full -insecure shotgun, and why, as opposed to an environment variable to point to a private CA (cough) or self-signed certificate to trust?

example1: in some company, use private Gitlab env, just use http and ssh, no https

cvigo commented Dec 3, 2018

I vote for this.

I filed a related issue this weekend #29059

Member

bcmills commented Dec 3, 2018

@daqingshu

example1: in some company, use private Gitlab env, just use http and ssh, no https

Why not HTTPS? If you have a domain name, you can either set up a private CA or use a free service (such as Let's Encrypt) to obtain a certificate.

(FWIW, on my home network I have a Let's Encrypt certificate for a machine that otherwise cannot cross my firewall. The configuration to make HTTP challenges work was not terribly difficult, even for an nginx novice like me.)

Member

FiloSottile commented Dec 3, 2018

I filed a related issue this weekend #29059

That's a case where we should (and will) fix the underlying issue, not provide -insecure as a workaround.

cvigo commented Dec 3, 2018

Agree, however an -insecure option would have given me a workaround for the meantime.

Member

bcmills commented Dec 3, 2018

@cvigo, for the meantime you can always build in GOPATH mode. (GO111MODULE=auto defaults to GOPATH mode for a reason: we expect everything to continue to work with it while we iron out the remaining issues, and private repos in general are one of those remaining issues.)

daqingshu commented Dec 10, 2018

@daqingshu

example1: in some company, use private Gitlab env, just use http and ssh, no https

Why not HTTPS? If you have a domain name, you can either set up a private CA or use a free service (such as Let's Encrypt) to obtain a certificate.

(FWIW, on my home network I have a Let's Encrypt certificate for a machine that otherwise cannot cross my firewall. The configuration to make HTTP challenges work was not terribly difficult, even for an nginx novice like me.)

the big private gitlab is controlled by IT. If there is no -insecure, we have no choice but to continue using vendor.

Member

bcmills commented Dec 10, 2018

the big private gitlab is controlled by IT

So why can't your IT department obtain and deploy an appropriate certificate for HTTPS?

cvigo commented Dec 10, 2018

They also have to want to.

Enforcing TLS should always be a consumer choice. Some organizations don't see the benefits of having internal TLS, but they would have to deal with the certificates pain.
