crypto/tls: include more details when issuing "certificate signed by unknown authority" error #4619

davecheney opened this issue Jan 5, 2013 · 9 comments


What steps will reproduce the problem?

# go get -v
package Get x509: certificate signed
by unknown authority

What is the expected output? What do you see instead?

Package installation succeeds

Please use labels and text to provide additional information.

I believe this is a failure of the crypto/tls package to locate the ca-certs.txt file on
this machine. Doing the checkout manually produces

# hg clone      
warning: certificate with fingerprint
ca:5e:a3:f8:40:90:6b:ea:25:19:6f:a8:a1:82:bb:6c:6b:2d:96:85 not verified (check
hostfingerprints or web.cacerts config setting)
requesting all changes

# uname -a
FreeBSD raspberry-pi.local 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r244906M: Sat Jan  5
01:14:23 JST 2013    
aoyama@fbs.local:/usr/obj-rpi-clang/arm.armv6/usr/src/sys/RPI-B-test11  arm

minux commented Jan 5, 2013

Comment 1:

You need to install the root certificates (package security/ca_root_nss in ports)
or just copy the one from another machine.
I'm curious as to why FreeBSD doesn't include a copy of them in the base system.
It seems all *BSD do the same (at least NetBSD base doesn't bundle the certificates).

minux commented Jan 5, 2013

Comment 2:

I wonder if we should change the error message to say:
x509: certificate signed by unknown authority (system root certificates not found)

Contributor Author

Comment 3:

I think that we should. crypto/tls is searching the system ca store on
our behalf, so I think it is acceptable to disclose this in the error
+ cc: agl

Comment 4 by leterip:

This issue can also be triggered on OS X if the package was built with cgo disabled.

Comment 5 by thpickert:

I have the same issue in OS X 10.7.5. 'hg clone' works, but 'go get' fails. In IRC,
davecheney suggested that's because Mercurial treats the problem as a warning, whereas
the go tools treat it as an error.
I haven't gotten any workaround to do the trick for me, so I'll have to go about it
manually for now.

rsc commented Jan 30, 2013

Comment 6:

Labels changed: added priority-later, removed priority-triage.

minux commented Jan 30, 2013

Comment 7:

Really add agl@ to cc this time.

Owner changed to @agl.

minux commented Jan 30, 2013

Comment 8:

Ouch, sorry.

Owner changed to ---.

agl commented Jan 30, 2013

Comment 9:

crypto/x509 now says "x509: failed to load system roots and no roots provided".
Fixed, I think?

Status changed to Fixed.

@rsc added this to the Go1.1 milestone Apr 14, 2015
@rsc removed the go1.1 label Apr 14, 2015
@golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
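
The two failure modes this thread separates can be told apart in code. The following is an added example, not part of the original issue or of Go's own source: it classifies a verification error as x509.SystemRootsError (no trust store was loaded) or x509.UnknownAuthorityError (a store was used but does not contain the issuer), using errors.As so the check also works on wrapped errors. The names classify and verifySelfSigned, the result strings, and the all-zero test key are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// classify separates "no trust store was found" from "issuer not in the store".
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.SystemRootsError)):
		return "no-system-roots" // install a CA bundle or set VerifyOptions.Roots
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown-authority" // a pool was used, but the issuer is not in it
	}
	return "other"
}

// verifySelfSigned verifies a throwaway CA (constructed data) against an explicit pool.
func verifySelfSigned(trusted bool) error {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool() // explicit Roots: the system store is never consulted
	if trusted {
		pool.AddCert(cert)
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
func main() { fmt.Println(classify(verifySelfSigned(false)), classify(verifySelfSigned(true))) }
```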