Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: include more details when issuing "certificate signed by unknown authority" error #4619

Closed
davecheney opened this issue Jan 5, 2013 · 9 comments
Milestone

Comments

@davecheney
Copy link
Contributor

@davecheney davecheney commented Jan 5, 2013

What steps will reproduce the problem?

# go get -v code.google.com/p/go.codereview/cmd/hgpatch
package code.google.com/p/go.codereview/cmd/hgpatch: Get
https://code.google.com/p/go/source/checkout?repo=codereview: x509: certificate signed
by unknown authority

What is the expected output? What do you see instead?

Package installation succeeds

Please use labels and text to provide additional information.

I believe this is a failure of the crypto/tls package to locate the ca-certs.txt file on
this machine. Doing the checkout manually produces

# hg clone https://code.google.com/p/go.codereview code.google.com/p/go.codereview      
   
warning: code.google.com certificate with fingerprint
ca:5e:a3:f8:40:90:6b:ea:25:19:6f:a8:a1:82:bb:6c:6b:2d:96:85 not verified (check
hostfingerprints or web.cacerts config setting)
requesting all changes


# uname -a
FreeBSD raspberry-pi.local 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r244906M: Sat Jan  5
01:14:23 JST 2013    
aoyama@fbs.local:/usr/obj-rpi-clang/arm.armv6/usr/src/sys/RPI-B-test11  arm
@minux

This comment has been minimized.

Copy link
Member

@minux minux commented Jan 5, 2013

Comment 1:

you need to install the root-certificates (package security/ca_root_nss in ports)
or just copy the one from  another machine.
I'm curious as why FreeBSD doesn't include a copy of them in the base system.
It seems all *BSD do the same (at least NetBSD base doesn't bundle the certificates)
@minux

This comment has been minimized.

Copy link
Member

@minux minux commented Jan 5, 2013

Comment 2:

I wonder if we should change the error message to say:
x509: certificate signed by unknown authority (system root certificates not found)
@davecheney

This comment has been minimized.

Copy link
Contributor Author

@davecheney davecheney commented Jan 5, 2013

Comment 3:

I think that we should. crypto/tls is searching the system ca store on
our behalf, so I think it is acceptable to disclose this in the error
message.
+ cc: agl
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Jan 5, 2013

Comment 4 by leterip:

this issue can also be triggered on OS X if the package was built with cgo disabled.
http://pastie.org/private/bwybpaa8y1mndczkqhvsa
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Jan 5, 2013

Comment 5 by thpickert:

I have the same issue in OS X 10.7.5. 'hg clone' works, but 'go get' fails. In IRC,
davecheney suggested that's because Mercurial treats the problem as a warning, whereas
the go tools treat it as an error.
I haven't gotten any workaround to do the trick for me, so I'll have to go about it
manually for now.
@rsc

This comment has been minimized.

Copy link
Contributor

@rsc rsc commented Jan 30, 2013

Comment 6:

Labels changed: added priority-later, removed priority-triage.

@minux

This comment has been minimized.

Copy link
Member

@minux minux commented Jan 30, 2013

Comment 7:

really add agl@ to cc this time.

Owner changed to @agl.

@minux

This comment has been minimized.

Copy link
Member

@minux minux commented Jan 30, 2013

Comment 8:

ouch, sorry.

Owner changed to ---.

@agl

This comment has been minimized.

Copy link
Contributor

@agl agl commented Jan 30, 2013

Comment 9:

crypto/x509 now says "x509: failed to load system roots and no roots provided".
Fixed, I think?

Status changed to Fixed.

@rsc rsc added this to the Go1.1 milestone Apr 14, 2015
@rsc rsc removed the go1.1 label Apr 14, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.