crypto/x509: 'certificate signed by unknown authority' on mipsle #32878

Closed
vitaliy-kuzmich opened this issue Jul 1, 2019 · 10 comments

@vitaliy-kuzmich vitaliy-kuzmich commented Jul 1, 2019

Hello @FiloSottile, tested on mipsle, does not work. It says "509: certificate signed by unknown authority". Build command that I used:

```
env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle gotip build -a -o test
```


```
$ go version go1.12.6 linux/amd64
$ gotip version
go version devel +bc593ea Mon Jul 1 14:45:49 2019 +0000 linux/amd64
go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/v/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/v/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/lib/go"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build944548850=/tmp/go-build -gno-record-gcc-switches"
```

You can use our new golang.org/dl/gotip tool to easily test the development branch:

```
go get golang.org/dl/gotip
gotip download
GODEBUG=x509roots=1 gotip test -v -run TestSystemRoots crypto/x509
```

You can also use gotip build or gotip get in place of go build/go get to test if the patches resolve any issues you were experiencing. Please report back! Thank you.

/cc @cvigo @dichque @wdec @adamrothman @calmh @dadrian @vdemario

Originally posted by @FiloSottile in #24652 (comment)

Member

@bcmills bcmills commented Jul 1, 2019

@vitaliy-kuzmich, note that the issue to which you are replying was specific to Darwin (a.k.a. macOS).

I'm guessing that 509: certificate signed by unknown authority will probably not be enough information to diagnose the issue. Are you able to share more detail about the certificate that failed the test?

@bcmills bcmills added this to the Go1.14 milestone Jul 1, 2019
@bcmills bcmills changed the title from "This issue should now be fixed in master, but more testing would be appreciated before we backport it, in particular by anyone who had the self-contained test fail." to "crypto/x509: 'certificate signed by unknown authority' on mipsle" Jul 1, 2019

Member

@bcmills bcmills commented Jul 1, 2019

@vitaliy-kuzmich, @FiloSottile was asking for folks to run the test, but gotip build -a -o test will instead build the non-test sources for the package. Can you provide the complete list of commands that you ran?

Author

@vitaliy-kuzmich vitaliy-kuzmich commented Jul 1, 2019

@bcmills Thank you for the quick response. Indeed it is not Darwin, but I have exactly the same on mipsle on my router. I am trying to run a cross-compiled binary on an embedded device. Here is the source code that I used for the test:

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"net/http/cookiejar"
)

func main() {
	jar, _ := cookiejar.New(nil)

	client := http.Client{Jar: jar}
	// The TLS handshake verifies the server chain against the system root pool.
	res, err := client.Get("https://google.com")
	check(err)
	defer res.Body.Close()

	rs, err := ioutil.ReadAll(res.Body)
	check(err)
	fmt.Println(string(rs))
}

// check aborts the program on any error.
func check(err error) {
	if err != nil {
		log.Fatal(err)
	}
}
```

I am not sure, but /etc/ssl/certs is empty on the embedded device; should there be some certs? Or should the built binary create them?
Upd: I copied the certs from the host to the embedded device and still have this issue; I have no idea what goes wrong.

Member

@bcmills bcmills commented Jul 1, 2019

@vitaliy-kuzmich, you can use go test -c to compile a test binary without running it.

I don't know how you would need to configure the root certs on a router so that a Go binary can find them.

Author

@vitaliy-kuzmich vitaliy-kuzmich commented Jul 1, 2019

Apologies, my fault; there is nothing wrong with Go, it works like a charm. I use an OpenWrt system, and for some reason the certificate package was missing. It is so cool that the same code works on different devices!

Author

@vitaliy-kuzmich vitaliy-kuzmich commented Oct 9, 2019

@bcmills Just thinking, maybe make the message more clear? Like "no certificates were found at default paths" or something, because it is really confusing if it says it is signed by an unknown authority, but the file just does not exist.

Member

@bcmills bcmills commented Oct 9, 2019

@vitaliy-kuzmich, clearer error messages are always nice to have.

If you could post specific steps that we can run to reproduce the issue (preferably as a new issue on GitHub), I'd be happy to leave it open as help wanted for anyone interested to fix.

@bernardoaraujor bernardoaraujor commented Nov 8, 2019

@vitaliy-kuzmich which package did you need to install?

@bernardoaraujor bernardoaraujor commented Nov 8, 2019

I'm actually working on an OpenEmbedded-based system. But your solution pointed me in the right direction, so thanks @vitaliy-kuzmich.

For anyone that might be interested, I solved this by adding `RDEPENDS_${PN} += "ca-certificates"` to my BitBake recipe.
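
The confusion resolved in this thread (an empty `/etc/ssl/certs` surfacing as "certificate signed by unknown authority") can be separated from a genuinely untrusted issuer by counting how many roots were actually loaded. The Go program below is an added example, not code from the thread or from crypto/x509; `verifyAgainst` and `selfSignedCA` are hypothetical helpers, the directory loading is a simplified model, and the CA is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// verifyAgainst loads dir like a trust store (e.g. /etc/ssl/certs) and tells "store is empty" from "unknown issuer".
func verifyAgainst(cert *x509.Certificate, dir string) string {
	pool, loaded := x509.NewCertPool(), 0
	entries, _ := os.ReadDir(dir) // a missing directory behaves like an empty one
	for _, e := range entries {
		if data, err := os.ReadFile(dir + "/" + e.Name()); err == nil && pool.AppendCertsFromPEM(data) {
			loaded++
		}
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		if errors.As(err, new(x509.UnknownAuthorityError)) && loaded == 0 {
			return "no root certificates found in " + dir
		}
		return err.Error()
	}
	return "ok"
}

func selfSignedCA(cn string) (*x509.Certificate, []byte) { // constructed throwaway CA, not a real root
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	dir, _ := os.MkdirTemp("", "roots") // starts empty, like the router's /etc/ssl/certs
	defer os.RemoveAll(dir)
	ca, pemBytes := selfSignedCA("constructed test CA")
	fmt.Println("empty store: ", verifyAgainst(ca, dir))
	os.WriteFile(dir+"/ca.pem", pemBytes, 0o644)
	fmt.Println("with CA file:", verifyAgainst(ca, dir))
}
```

On a device, the same check can be pointed at the real store directory to confirm that a CA bundle package is installed before debugging TLS any further.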

@golang golang locked and limited conversation to collaborators Nov 7, 2020