Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: root_cgo_darwin omits intermediate CAs with an empty policy settings or an unspecified trust type setting #30672

Open
penglei opened this Issue Mar 8, 2019 · 3 comments

Comments

Projects
None yet
3 participants
@penglei
Copy link

penglei commented Mar 8, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/penglei/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/penglei/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.12/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.12/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/n1/b06cdpcn6y58vz_184h4rlbc0000gn/T/go-build500360568=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

  1. generate certs

    Use this script to generate a server certificate signed by an intermediate certificate

    https://gist.github.com/penglei/91530ced7174d4d96ecbe8a5f8420749

    this script will generate root.pem, root-key.pem, intermediate.pem, intermediate-key.pem, server.pem, server-key.pem.
    certs in following step can be found here.

  2. add ca cert to system by /usr/bin/security

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain   root.pem
    sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain  intermediate.pem
    

    NOTE: bug is produced when adding intermediate.pem by calling security add-trusted-cert with no any -p policy options.

  3. config a HTTPS server

    Copy server.pem and server-key.pem to nginx config directory

    add the following content to nginx.conf:

    server {
    	listen       443 ssl;
    	server_name  localhost;
    
    	ssl_certificate server.pem;
    	ssl_certificate_key server-key.pem;
    
    	location / {
    		root   html;
    		index  index.html index.htm;
    	}
    }
  4. run the following go program

    func main() {
    	_, err := http.DefaultClient.Get("https://127.0.0.1/")
    	if err != nil {
    		panic(err)
    	} else {
    		fmt.Println("OK")
    	}
    }

    please ensure CGO_ENABLED=1 (this is default)

What did you expect to see?

OK

What did you see instead?

panic: Get https://127.0.0.1/: x509: certificate signed by unknown authority
@gopherbot

This comment has been minimized.

Copy link

gopherbot commented Mar 8, 2019

Change https://golang.org/cl/166219 mentions this issue: fix root_cgo_darwin omits some trusty intermediate ca certificate

@FiloSottile FiloSottile changed the title root_cgo_darwin omits intermediate ca certificate with an empty policy settings or an *unspecified* trust type settings crypto/x509: root_cgo_darwin omits intermediate CAs with an empty policy settings or an unspecified trust type setting Mar 8, 2019

@FiloSottile

This comment has been minimized.

Copy link
Member

FiloSottile commented Mar 8, 2019

Probably a duplicate of #30471.

@FiloSottile FiloSottile added the NeedsFix label Mar 8, 2019

@FiloSottile FiloSottile added this to the Go1.13 milestone Mar 8, 2019

@FiloSottile FiloSottile self-assigned this Mar 8, 2019

@penglei

This comment has been minimized.

Copy link
Author

penglei commented Mar 11, 2019

Probably a duplicate of #30471.

Yes, it is. I reproduced the problem of #30471. After applying the patch and recompiling go binary, it's fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.