cmd/go: mod download doesn't allow insecure download

[lizihuai]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.11 linux/amd64

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

GO111MODULE=on go mod download

If possible, provide a recipe for reproducing the error.

error:

go: k8s.io/client-go@v8.0.0+incompatible: unrecognized import path "k8s.io/client-go" (https fetch: Get https://k8s.io/client-go?go-get=1: x509: certificate signed by unknown authority)
go: k8s.io/api@v0.0.0-20180824172530-dd5c735cbff9: unrecognized import path "k8s.io/api" (https fetch: Get https://k8s.io/api?go-get=1: x509: certificate signed by unknown authority)

A complete runnable program is good.
A link on play.golang.org is best.

What did you expect to see?

What did you see instead?

[oiooj]

@lizihuai Could you run this command and log it.

echo | openssl s_client -showcerts -servername k8s.io -connect k8s.io:443 2>/dev/null | openssl x509 -inform pem -noout -text

It seems that you have no letsencrypt's CA.

[lizihuai]

@oiooj
I run the command is failure,error message
unable to load certificate
140308543207312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

Explain that I have no CA?

Why do I need a CA when I use go mod?

[lizihuai]

@oiooj but I use curl -kv https://k8s.io:443 is success

[fraenkel]

@lizihuai Drop the -k and the failure should occur.

[lizihuai]

@fraenkel Drop the -k is failure . how can I do ? Why can I access other https URLs? I can't access this.

[fraenkel]

Most OSes have added the LetsEncrypt CA as a trusted CA.
But you might be able to get away with a go get -insecure instead. I am not sure if go mod download is missing the -insecure flag.

[agnivade]

That is the exact issue - go mod download doesn't have an insecure flag.

go help mod download
usage: go mod download [-dir] [-json] [modules]

/cc @rsc @bcmills

[lizihuai]

@fraenkel
use go get insecure can download k8s.io.but the other problem can't download
https://gopkg.in/yaml.v2?go-get=1
@agnivade GO 1.11 can fix this problem ?
Why is there such a problem, what is the cause of this problem? thanks

[gcstang]

I have the same issue for a self-generated cert on my private repository when using
go mod tidy
go mod download
etc...