Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: certificate signed by unknown authority, macOS #37017

Closed
fcjr opened this issue Feb 4, 2020 · 2 comments
Closed

crypto/x509: certificate signed by unknown authority, macOS #37017

fcjr opened this issue Feb 4, 2020 · 2 comments

Comments

@fcjr
Copy link

@fcjr fcjr commented Feb 4, 2020

What version of Go are you using (go version)?

$ go version
go version go1.13.7 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN="/Users/fcjr/go/bin"
GOCACHE="/Users/fcjr/Library/Caches/go-build"
GOENV="/Users/fcjr/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/fcjr/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.13.7/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.13.7/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/fcjr/Desktop/scratch/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/ky/y_d9mzjs4vn5b9py571zs8dm0000gn/T/go-build689674788=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Attempting to GET a website signed by USERtrust RSA Certification Authority returns x509: certificate signed by unknown authority even though the root certificate is in system roots with default settings of "Use System Defaults". At first I thought this might be due to #27175, however this issue occurs regardless of cgo being enabled or not. Note: the GET request succeeds on windows using the default system pool. @FiloSottile any thoughts on why this might be happening, could this be caused by the incomplete certificate chain on the given website? If so shouldn't the same issue occur on windows?

Here is a minimal example:

package main

import (
	"fmt"
	"log"
	"net/http"
)

func main() {
	res, err := http.Get("https://www.tian-restaurant.com/")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
}

Certificate Chain:
Screen Shot 2020-02-04 at 10 59 56 AM

Trust Settings:
Screen Shot 2020-02-04 at 11 00 23 AM

What did you expect to see?

200 OK

What did you see instead?

Get https://www.tian-restaurant.com/: x509: certificate signed by unknown authority

@fcjr
Copy link
Author

@fcjr fcjr commented Feb 4, 2020

After futher investigation it seems like it is likely a chain issue, closing as #31773 already proposes adding Authority Information Access support to crypto/tls.

@fcjr fcjr closed this Feb 4, 2020
@FiloSottile
Copy link
Member

@FiloSottile FiloSottile commented Feb 4, 2020

@FiloSottile FiloSottile added OS-Darwin and removed OS-Darwin labels Apr 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.