cmd/go: cannot get anything from a private repository, x509: certificate signed by unknown authority on OS X #29059

Closed
cvigo opened this Issue Dec 1, 2018 · 9 comments

cvigo commented Dec 1, 2018

What version of Go are you using (go version)?

$ go version
go version go1.11.2 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/carlosvigo/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/carlosvigo/developer/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.11.2/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.11.2/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/carlosvigo/developer/BBVA/connectors/titan_core/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/vz/gs0680fs2pzc3fj3s5sd1kqw0000gn/T/go-build971124811=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

go get -u scm.live.es.nextgen.igrupobbva/connectors/titan_core_protobuf

What did you expect to see?

The pkg installed

What did you see instead?

go: scm.live.es.nextgen.igrupobbva/connectors/titan_core_protobuf@v2.0.0+incompatible: unrecognized import path "scm.live.es.nextgen.igrupobbva/connectors/titan_core_protobuf" (https fetch: Get https://scm.live.es.nextgen.igrupobbva/connectors/titan_core_protobuf?go-get=1: x509: certificate signed by unknown authority) go: error loading module requirements

The server cert is signed by a private CA, but it is marked as trusted system-wide

More info:

  • curl output:
curl -v https://scm.live.es.nextgen.igrupobbva/connectors/titan_core_protobuf
*   Trying 10.51.2.11...
* TCP_NODELAY set
* Connected to scm.live.es.nextgen.igrupobbva (10.51.2.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=ES; O=BBVA; OU=IAAS AUTOMATION; CN=scm.live.es.nextgen.igrupobbva
*  start date: Oct 25 14:38:50 2018 GMT
*  expire date: Oct 24 14:38:50 2020 GMT
*  subjectAltName: host "scm.live.es.nextgen.igrupobbva" matched cert's "scm.live.es.nextgen.igrupobbva"
*  issuer: C=ES; O=BBVA; OU=Security Architecture Cryptography; CN=Global Issuing CA Infrastructure
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fda3d000400)
> GET /connectors/titan_core_protobuf HTTP/2
> Host: scm.live.es.nextgen.igrupobbva
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 302
< server: nginx
< date: Sat, 01 Dec 2018 20:00:35 GMT
< content-type: text/html; charset=utf-8
< content-length: 118
< location: https://scm.live.es.nextgen.igrupobbva/users/sign_in
< cache-control: no-cache
< set-cookie: _gitlab_session=b18aabbcfc2374c8358fa988a2865554; path=/; secure; HttpOnly
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-request-id: 26e28ac9-c2cb-4044-81a5-516189f3b07a
< x-runtime: 0.048569
< x-xss-protection: 1; mode=block
< strict-transport-security: max-age=31536000
<
* Connection #0 to host scm.live.es.nextgen.igrupobbva left intact
You are being redirected.%


  • Keychain screenshot

screenshot 2018-12-01 at 21 19 29

  • Chrome certificate info screenshot

screenshot 2018-12-01 at 21 16 24

  • The URL can be reached only through VPN

  • Team mates using Linux don't have this issue.

  • go get -insecure works
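
The error in this report is what crypto/x509 returns when the root pool it consults has no root for the server's chain. The following added example (not part of the original issue and not the Go project's code) reproduces it with a constructed private CA and shows that putting the CA in the pool clears it with verification left on. The host name scm.internal.example and the helpers newCert, buildChain, poolOf, verifyWith and verdict are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues tmpl signed by parent/parentKey; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain constructs a throwaway private root CA and a server certificate
// for host signed by it (constructed sample data, not the CA from the issue).
func buildChain(host string) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	root, rootKey, err := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, leaf, err
}

// poolOf returns a non-nil root pool holding exactly the given certificates,
// so Verify never falls back to the operating system's roots.
func poolOf(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// verifyWith checks leaf for host against roots, as a TLS client would.
func verifyWith(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verdict maps a verification error to a short label.
func verdict(err error) string {
	var unknown x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown authority"
	case errors.As(err, &badHost):
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}

func main() {
	const host = "scm.internal.example" // hypothetical host name
	root, leaf, err := buildChain(host)
	if err != nil {
		panic(err)
	}
	// Root missing from the pool: the failure reported in this issue.
	fmt.Println("without CA:", verifyWith(leaf, poolOf(), host))
	// Root supplied: verification succeeds and stays enabled.
	fmt.Println("with CA:   ", verdict(verifyWith(leaf, poolOf(root), host)))
	// Hostname checking still applies once the CA is trusted.
	fmt.Println("wrong host:", verdict(verifyWith(leaf, poolOf(root), "other.internal.example")))
}
```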

@cvigo cvigo changed the title go get can't get anything from a private repository, x509: certificate signed by unknown authority MacOS `go get` can't get anything from a private repository, x509: certificate signed by unknown authority Dec 1, 2018

@odeke-em odeke-em changed the title MacOS `go get` can't get anything from a private repository, x509: certificate signed by unknown authority cmd/go: cannot get anything from a private repository, x509: certificate signed by unknown authority on OS X Dec 2, 2018

Member

odeke-em commented Dec 2, 2018

Thank you for filing this issue @cvigo!

Kindly paging @FiloSottile @bcmills

cvigo commented Dec 3, 2018

Worth mentioning that the key issue is not go get (I can work around it with the -insecure flag). The issue is go mod.

@bcmills bcmills added this to the Go1.13 milestone Dec 3, 2018

Member

bcmills commented Dec 3, 2018

@FiloSottile, any insight as to what we might be missing to make the go command pick up private CAs on macOS?

Contributor

adamdecaf commented Dec 3, 2018

@cvigo Did you have to install this CA? I don't have it in my keychain on 10.14.1.

If so, the problem might be #24652 / #24652 (comment)

cvigo commented Dec 3, 2018

> @cvigo Did you have to install this CA? I don't have it in my keychain on 10.14.1.

sure, it is a private CA

Contributor

adamdecaf commented Dec 3, 2018

Can you run the test linked in that comment to check if Go picks up the cert?

cvigo commented Dec 3, 2018

> Can you run the test linked in that comment to check if Go picks up the cert?

The test fails...

Surprisingly, I have another Root CA for test environments that returns different results (Global Root CA vs. Global Root CA Work)

Test Results
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=AutoFirma ROOT
crypto/x509: verify-cert approved CN=127.0.0.1
crypto/x509: verify-cert approved CN=BBVA Autoridad de Certificacion Digital,O=Banco Bilbao Vizcaya Argentaria
crypto/x509: verify-cert approved CN=BBVA CA Servidores,O=BBVA
crypto/x509: verify-cert approved CN=BBVA CA Raiz,O=BBVA
crypto/x509: verify-cert approved CN=BBVA Servidores Autoridad de Certificacion Digital,OU=Para Uso Interno BBVA,O=Banco Bilbao Vizcaya Argentaria
crypto/x509: verify-cert approved CN=Global Root CA,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: verify-cert approved CN=Global Root CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: verify-cert approved CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=wifiaccess.grupobbva.com,OU=Comunicaciones,O=BBVA,L=Bilbao,C=ES
crypto/x509: verify-cert rejected CN=vpnaas_live.es.nextgen.igrupobbva,OU=Architecture Security,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=vpnaas_live.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=vpnaas.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=isepsncorpeditc2.igrupobbva,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=link.live.es.platform.bbva.com,OU=SECURITY,O=BBVA,L=MADRID,ST=MADRID,C=ES
crypto/x509: verify-cert rejected CN=armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva,OU=Dyd,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Developer Authentication Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-6,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-4,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-3,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-5,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Xcode Server Builder (05/11/2018\, 09:57:44): "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-87654321K,CN=NAME REMOVED FOR PRIVACY - 87654321K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-12345678K,CN=NAME REMOVED FOR PRIVACY - 12345678K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=Ether R3 ES Issuing CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: verify-cert approved CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=wifiaccess.grupobbva.com,OU=Comunicaciones,O=BBVA,L=Bilbao,C=ES
crypto/x509: verify-cert rejected CN=vpnaas_live.es.nextgen.igrupobbva,OU=Architecture Security,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=vpnaas_live.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=vpnaas.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=isepsncorpeditc2.igrupobbva,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=link.live.es.platform.bbva.com,OU=SECURITY,O=BBVA,L=MADRID,ST=MADRID,C=ES
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva,OU=Dyd,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Developer Authentication Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-6,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-4,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-5,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-3,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Xcode Server Builder (05/11/2018\, 09:57:44): "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-87654321K,CN=NAME REMOVED FOR PRIVACY - 87654321K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-12345678K,CN=NAME REMOVED FOR PRIVACY - 12345678K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Ether R3 ES Issuing CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: ran security verify-cert 51 times
    cgo sys roots: 366.462356ms
non-cgo sys roots: 671.314532ms
signed certificate only present in non-cgo pool (acceptable): CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
signed certificate only present in non-cgo pool (acceptable): CN=wifiaccess.grupobbva.com,OU=Comunicaciones,O=BBVA,L=Bilbao,C=ES
signed certificate only present in non-cgo pool (acceptable): CN=vpnaas_live.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
signed certificate only present in non-cgo pool (acceptable): CN=isepsncorpeditc2.igrupobbva,O=BBVA,L=Madrid,ST=Madrid,C=ES
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Developer Authentication Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Ether R3 ES Issuing CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
certificate only present in cgo pool: SERIALNUMBER=IDCES-87654321K,CN=NAME REMOVED FOR PRIVACY - 87654321K,C=ES
certificate only present in cgo pool: CN=Xcode Server Builder (05/11/2018\, 09:57:44)
certificate only present in cgo pool: CN=armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva,OU=Dyd,O=BBVA,L=Madrid,ST=Madrid,C=ES
certificate only present in cgo pool: SERIALNUMBER=IDCES-12345678K,CN=NAME REMOVED FOR PRIVACY - 12345678K,C=ES
Number of trusted certs = 11
Cert 0: wifiaccess.grupobbva.com
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 1: vpnaas.es.nextgen.igrupobbva
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 2: isepsncorpeditc2.igrupobbva
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 3: link.live.es.platform.bbva.com
   Number of trust settings : 3
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 185.24.6.15
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 185.24.6.15
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : Apple X509 Basic
      Policy String         : 185.24.6.15
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 4: armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : atenea.live.global.ether.igrupobbva
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : atenea.live.global.ether.igrupobbva
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 5: Xcode Server Builder (05/11/2018, 09:57:44)
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 6: NAME REMOVED FOR PRIVACY - 87654321K
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 7: NAME REMOVED FOR PRIVACY - 12345678K
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 8: BBVA Autoridad de Certificacion Digital
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 9: BBVA CA Raiz
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 10: Global Root CA Work
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Number of trusted certs = 5
Cert 0: AutoFirma ROOT
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: 127.0.0.1
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 2: BBVA CA Servidores
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 3: BBVA Servidores Autoridad de Certificacion Digital
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 4: Global Root CA
   Number of trust settings : 0

!!! The test failed!

Please report the whole output at #24652 wrapping it in a code block
Thank you!
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: AutoFirma ROOT returned 1
crypto/x509: 127.0.0.1 returned 2
crypto/x509: BBVA CA Servidores returned 2
crypto/x509: BBVA Servidores Autoridad de Certificacion Digital returned 2
crypto/x509: Global Root CA returned 1
crypto/x509: wifiaccess.grupobbva.com returned 4
crypto/x509: vpnaas.es.nextgen.igrupobbva returned 1
crypto/x509: isepsncorpeditc2.igrupobbva returned 4
crypto/x509: link.live.es.platform.bbva.com returned 2
crypto/x509: armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva returned 1
crypto/x509: Xcode Server Builder (05/11/2018, 09:57:44) returned 2
crypto/x509: NAME REMOVED FOR PRIVACY - 87654321K returned 2
crypto/x509: NAME REMOVED FOR PRIVACY - 12345678K returned 2
crypto/x509: BBVA Autoridad de Certificacion Digital returned 1
crypto/x509: BBVA CA Raiz returned 1
crypto/x509: Global Root CA Work returned 1

@FiloSottile

Member

FiloSottile commented Dec 3, 2018

This is definitely #24652, and judging from your output it will get fixed by the outstanding CLs, because "Global Root CA" is not one of the failing roots anymore. Closing as dup, but I might ping you from the other issue to make sure the final code passes for you.

@FiloSottile FiloSottile closed this Dec 3, 2018
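Added example (not part of the thread and not Go's crypto/x509 code): a cross-check of a trust-settings dump in the format pasted above against the `crypto/x509: <name> returned <n>` debug lines, reporting certificates whose SSL result in the dump differs from what Go computed. `Mismatches` and the sample cert names are hypothetical. It assumes that an empty settings list means TrustRoot, that the first setting whose policy is SSL or absent decides, that no applicable setting means Unspecified, and it does not interpret "Allowed Error" entries.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the format pasted in the issue; the cert names are made up.
const sample = `Cert 0: Example Root A
   Number of trust settings : 0
Cert 1: Example Root B
   Trust Setting 0:
      Policy OID            : SMIME
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 1:
      Policy OID            : SSL
      Result Type           : kSecTrustSettingsResultTrustAsRoot
crypto/x509: Example Root A returned 4
crypto/x509: Example Root B returned 2`
var codes = []string{"Invalid", "TrustRoot", "TrustAsRoot", "Deny", "Unspecified"} // index = printed code
var certRe = regexp.MustCompile(`^Cert \d+: (.+)$`)
var fieldRe = regexp.MustCompile(`^(Policy OID|Result Type)\s*: (?:kSecTrustSettingsResult)?(.+)$`)
var goRe = regexp.MustCompile(`^crypto/x509: (.+) returned ([0-4])$`)

// Mismatches lists certs whose SSL result implied by the dump differs from crypto/x509's.
func Mismatches(out string) (bad []string) {
	expect, name, policy := map[string]string{}, "", "" // expect: cert name -> SSL result
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if m := certRe.FindStringSubmatch(line); m != nil {
			name, expect[m[1]] = m[1], "Unspecified"
		} else if line == "Number of trust settings : 0" {
			expect[name] = "TrustRoot" // empty settings list: always trusted
		} else if strings.HasPrefix(line, "Trust Setting ") {
			policy = "" // a setting without a Policy OID applies to every policy
		} else if m := fieldRe.FindStringSubmatch(line); m != nil && m[1] == "Policy OID" {
			policy = m[2]
		} else if m != nil && expect[name] == "Unspecified" && (policy == "" || policy == "SSL") {
			expect[name] = m[2] // first applicable setting decides
		} else if g := goRe.FindStringSubmatch(line); g != nil {
			if want, ok := expect[g[1]]; ok && want != codes[g[2][0]-'0'] {
				bad = append(bad, g[1]+": dump="+want+" go="+codes[g[2][0]-'0'])
			}
		}
	}
	return bad
}

func main() { fmt.Println(strings.Join(Mismatches(sample), "\n")) }
```

Applied to the output above, "Global Root CA" has zero trust settings and Go returned 1 (TrustRoot), so it would not be reported.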

@cvigo


cvigo commented Dec 14, 2018

Same error with go 1.11.3 😠
