
crypto/x509: add /usr/local/etc/ssl/certs for CA certificates on Linux #28199

Closed
afbjorklund opened this issue Oct 14, 2018 · 14 comments

Comments


@afbjorklund afbjorklund commented Oct 14, 2018

What version of Go are you using (go version)?

go version go1.10.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

linux-amd64

What did you do?

go get golang.org/x/tools/cmd/godoc

What did you expect to see?

(nothing)

What did you see instead?

package golang.org/x/tools/cmd/godoc: unrecognized import path "golang.org/x/tools/cmd/godoc" (https fetch: Get https://golang.org/x/tools/cmd/godoc?go-get=1: x509: failed to load system roots and no roots provided)


Reason

Under TinyCore, the files are installed under /usr/local/etc/ssl/certs rather than /etc/ssl/certs.
It would be nice if both locations were accepted (it is allowed under the Filesystem Hierarchy Standard)?

@minaevmike minaevmike (Contributor) commented Oct 15, 2018

Hm, I am not sure that it's a good idea to add this, even if it could be tested well. For your case you can set env variables:

certFileEnv = "SSL_CERT_FILE"

@afbjorklund afbjorklund (Author) commented Oct 15, 2018

Added the symlink for now, but maybe those files can be added in e.g. profile?

It just seemed like it had a long list of other special cases hard-coded into it already?

@agnivade agnivade (Contributor) commented Oct 15, 2018

@FiloSottile FiloSottile changed the title Add /usr/local/etc/ssl/certs for CA certificates on Linux crypto/x509: add /usr/local/etc/ssl/certs for CA certificates on Linux Oct 15, 2018
@FiloSottile FiloSottile added this to the Unplanned milestone Oct 15, 2018
@FiloSottile FiloSottile (Member) commented Oct 15, 2018

We already have a laundry list of possible locations, and by the nature of Linux distributions, that list could grow forever, which is not a manageable outcome. That's why SSL_CERT_FILE is supported, and I recommend distributions set it in the system profile. Other software supports it as well, so it's not just a Go accommodation.

@afbjorklund afbjorklund (Author) commented Oct 15, 2018

Confirmed that the workaround works fine; it was also unnecessary to change certDirectories...

export SSL_CERT_FILE=/usr/local/etc/ssl/certs/ca-certificates.crt

I suppose I could always patch it downstream, if it is hard to get it into /etc/profile.d/go.sh?

If interested, here are the complete build instructions for TCL: building_go.md

@gopherbot gopherbot commented Oct 15, 2018

Change https://golang.org/cl/141821 mentions this issue: crypto/x509: add path for TinyCore ca-certificates

@FiloSottile FiloSottile (Member) commented Oct 15, 2018

I recommend using SSL_CERT_FILE if possible, as we are committed to supporting that, while the patch might stop applying.

@afbjorklund afbjorklund (Author) commented Oct 21, 2018

It's not so easy to use SSL_CERT_FILE, since for instance when using sudo it is gone again...
Adding it to /etc/profile.d only helped for subshells, but not when invoking go commands.

So it would have been easier if the "crypto/x509" go module had just worked out-of-the-box?
For instance git and curl are able to use https, since libcurl is able to find /usr/local/etc/ssl/certs:

./configure --prefix=/usr/local --disable-static --enable-threaded-resolver --with-ca-bundle=/usr/local/etc/ssl/certs/ca-certificates.crt

So it seems like patching Go to look in this standard location will be the easiest way to support it.

diff --git a/src/crypto/x509/root_linux.go b/src/crypto/x509/root_linux.go
index aa1785e..755af89 100644
--- a/src/crypto/x509/root_linux.go
+++ b/src/crypto/x509/root_linux.go
@@ -11,4 +11,5 @@
 	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
 	"/etc/pki/tls/cacert.pem",                           // OpenELEC
 	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
+	"/usr/local/etc/ssl/certs/ca-certificates.crt",      // TinyCore
 }
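Review bot: the hunk only adds the TinyCore bundle file (/usr/local/etc/ssl/certs/ca-certificates.crt) to the file list, whereas the issue title asks for the /usr/local/etc/ssl/certs directory to be honoured; if TinyCore also ships individual certificates as a directory (the thread later sets SSL_CERT_DIR=/usr/local/share/ca-certificates as well), a matching entry in the directory list is needed, and the commit message should state which layout the distribution actually installs. Trailing-comment alignment matches the surrounding entries, so no style change is needed there.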
@adamdecaf adamdecaf (Contributor) commented Oct 22, 2018

Go needs to be able to read the file. If permissions/ownership are a problem Go can't help.

@afbjorklund afbjorklund (Author) commented Oct 22, 2018

@adamdecaf: the file is there (readable) alright, it was the environment variable that went missing...

I.e. one needs to either use sudo -E or "sudo SSL_CERT_FILE=$SSL_CERT_FILE" for everything.

@adamdecaf adamdecaf (Contributor) commented Oct 24, 2018

@afbjorklund Oh, I see in your link that TinyCore installs Go 1.4? If so that version isn't supported anymore.

https://github.com/boot2podman/boot2podman/blob/master/building_go.md#bootstrap

@afbjorklund afbjorklund (Author) commented Oct 25, 2018

@adamdecaf: I used go version 1.10.4. In order to build that, I used go-bootstrap version 1.4-20171003.

See https://golang.org/doc/install/source

@afbjorklund afbjorklund (Author) commented Oct 25, 2018

I updated the patch, since it seems that you need both file and dir to be defined (for some uses)?

    SSL_CERT_FILE=/usr/local/etc/ssl/certs/ca-certificates.crt
    SSL_CERT_DIR=/usr/local/share/ca-certificates

Or maybe I will just leave it here in this closed ticket, in case someone else stumbles into this later...
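As an added example (not code from this thread or from Go's own tree), here is a small Go program that exercises the SSL_CERT_FILE mechanism recommended above: it writes a constructed throwaway CA to a temporary bundle, points SSL_CERT_FILE at it, and checks that x509.SystemCertPool() picks the CA up. The function names writeTestCA and trustedViaEnv are my own, and the CA is test data only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// writeTestCA generates a throwaway self-signed CA (constructed test data, not a real
// trust anchor) and writes it to dir as a PEM bundle named like ca-certificates.crt.
func writeTestCA(dir string) (*x509.Certificate, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, "", err
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	bundle := dir + "/ca-certificates.crt"
	pemData := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return cert, bundle, os.WriteFile(bundle, pemData, 0o644)
}

// trustedViaEnv points SSL_CERT_FILE at bundle, loads the system pool the way crypto/tls
// does, and reports whether ca verifies against it. Go reads the variable on the first
// SystemCertPool call and caches the result, so it must be set before any TLS code runs.
func trustedViaEnv(bundle string, ca *x509.Certificate) bool {
	os.Setenv("SSL_CERT_FILE", bundle)
	pool, err := x509.SystemCertPool()
	if err == nil {
		_, err = ca.Verify(x509.VerifyOptions{Roots: pool})
	}
	return err == nil
}

func main() {
	dir, _ := os.MkdirTemp("", "certs")
	ca, bundle, _ := writeTestCA(dir)
	fmt.Println("trusted via SSL_CERT_FILE:", trustedViaEnv(bundle, ca))
}
```

Because the pool is loaded once per process from the environment it started with, a sudo that strips SSL_CERT_FILE (as described in this thread) leaves the child with whatever the hard-coded locations provide.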

@golang golang locked and limited conversation to collaborators Oct 25, 2019