crypto/x509: Go does not load root CA from System keychain on macOS #28025

Closed
adamrothman opened this Issue Oct 4, 2018 · 5 comments

adamrothman commented Oct 4, 2018

Disclaimer: I'm new to Go, so please excuse my general lack of knowledge.

The issue I'm experiencing seems to be related to and/or the same as #14514. It may be related to #24652 and/or #27958, but I'm not sure.

My company uses an internal root CA that is installed into the System keychain on my work Mac. All the browsers on my system trust this root correctly, and I have no trouble connecting to internal sites with certificates signed by this root.

I'm working on a Go program that needs to connect to an API that's served with a certificate signed by this internal root CA. I'm not doing anything fancy to configure my HTTP client:

client := &http.Client{Timeout: time.Second * 10}

When I try to make a request to the API, I get the following error: x509: certificate signed by unknown authority.

All the issues I could find that seem to be similar to what I'm experiencing are closed, but the issue is clearly still present. I did find some links to the go-rootcerts package, which does solve the problem when I configure my client like this:

tlsConfig := &tls.Config{}
rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{})
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Timeout: time.Second * 10, Transport: transport}

Obviously, having to include this just so I can develop locally is not ideal.

I have tried opening the certificate in Keychain Access and toggling the trust settings as suggested in this comment, but that didn't change anything.

What version of Go are you using (go version)?

go version go1.11.1 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

macOS 10.13.6

$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/arothman/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/arothman/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.11.1/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.11.1/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/qv/sgn2l7z54zl46vgwrg7qbsp80000gp/T/go-build126370609=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Sorry for the lack of runnable program, but I don't think it would be helpful as the issue is somewhat specific to my system/environment.

  • Create a basic net/http client.
  • Attempt a request to an API secured by a certificate signed by a root CA in the machine's System keychain.
  • 😭

What did you expect to see?

Successful request/response.

What did you see instead?

x509: certificate signed by unknown authority

Contributor

adamdecaf commented Oct 4, 2018

Could you run and paste the output (I expect the command to fail and print) from the command here? #24652 (comment)

adamrothman commented Oct 4, 2018

Certainly. Note that Secops Internal Root CA is the certificate in question here.

crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: Secops Internal Root CA returned 1
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=638948197133458968,O=Meraki Inc.,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=radius.meraki.com,OU=Domain Control Validated+OU=EssentialSSL
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Secops Internal Root CA
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: ran security verify-cert 15 times
    cgo sys roots: 110.760832ms
non-cgo sys roots: 175.697789ms
certificate only present in non-cgo pool: CN=radius.meraki.com,OU=Domain Control Validated+OU=EssentialSSL (verify error: x509: certificate signed by unknown authority)
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
SecTrustSettingsCopyCertificates: No Trust Settings were found.
Number of trusted certs = 1
Cert 0: Secops Internal Root CA
   Number of trust settings : 0


!!! The test failed!
Member

dmitshur commented Oct 6, 2018

mfriedenhagen commented Oct 18, 2018

Hi, maybe related to both this issue and #27958. I'm trying to access an internal server which uses a certificate signed with an intermediate cert. I completely trust the internal root CA, and browsers and curl are fine with this. The server in question ships the intermediate together with its own cert. Now http.Client chokes with the above error and I have to add the intermediate to the System.keychain and additionally set trust for SSL connections on the intermediate certificate.
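The two situations in this thread side by side, as an added example that is not code from the issue or from the Go project: an http.Client whose trust pool is the system roots plus an explicitly supplied internal root (the alternative to go-rootcerts that the opening post needed), followed by the intermediate case described in the comment above, where a leaf issued by an intermediate verifies only when that intermediate is presented alongside it. The CA names, the host api.internal.example and the helpers mintCert, trustPoolWithRoot, newClient and demo are assumptions made for this example; the certificates are generated in-process rather than read from a keychain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

var serial int64 // monotonic serial number for the constructed certificates

// mintCert issues a certificate for cn signed by parent; a nil parent means self-signed.
// Hypothetical helper standing in for the company PKI described in the issue.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA { // leaf: server-auth EKU and a SAN so DNSName verification can pass
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trustPoolWithRoot is the explicit alternative to go-rootcerts: the system roots plus one
// PEM-encoded internal root. Verification stays on; InsecureSkipVerify is never touched.
func trustPoolWithRoot(rootPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system pool: trust only what we add
	}
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, fmt.Errorf("no CERTIFICATE block found in PEM input")
	}
	return pool, nil
}

// newClient is the issue's http.Client with the custom pool wired into its transport.
func newClient(pool *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
}

// demo builds root -> intermediate -> leaf and reports whether the leaf verifies against
// the root alone and with the intermediate presented, as a server would send it.
func demo() (rootOnlyOK, withIntermediateOK bool) {
	root, rootKey := mintCert("Example Internal Root CA", true, nil, nil)
	inter, interKey := mintCert("Example Internal Issuing CA", true, root, rootKey)
	leaf, _ := mintCert("api.internal.example", false, inter, interKey)
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
	pool, err := trustPoolWithRoot(rootPEM)
	if err != nil {
		panic(err)
	}
	_ = newClient(pool) // ready for client.Get("https://api.internal.example/")
	opts := x509.VerifyOptions{Roots: pool, DNSName: "api.internal.example"}
	_, err = leaf.Verify(opts)
	rootOnlyOK = err == nil // no path to a root: "certificate signed by unknown authority"
	opts.Intermediates = x509.NewCertPool()
	opts.Intermediates.AddCert(inter)
	_, err = leaf.Verify(opts)
	withIntermediateOK = err == nil
	return rootOnlyOK, withIntermediateOK
}

func main() {
	a, b := demo()
	fmt.Printf("root only: %v, with intermediate: %v\n", a, b)
}
```

Running it prints root only: false, with intermediate: true, which is the failure mode from the comment above: a trusted root is not enough when the server omits the intermediate. For a client that only talks to internal services, skipping SystemCertPool and trusting just the internal root in RootCAs is the stricter choice.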

Member

FiloSottile commented Oct 19, 2018

Duplicate of #24652, thanks for running the test binary. The outstanding patches will fix it.
