
proxy.golang.org: certificate may have been revoked #46428

Closed
ranjithchev opened this issue May 27, 2021 · 15 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Comments

@ranjithchev

What version of Go are you using (go version)?

$ go version
1.16.4

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/go/pkg/mod"
GONOPROXY="*.ntrs.com"
GONOSUMDB="*.ntrs.com"
GOOS="linux"
GOPATH="/go"
GOPRIVATE="*.ntrs.com"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.4"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/pqr/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build948798551=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Build a docker image for a go application

RUN go mod download

Docker build failed with an x509 unknown certificate error while executing go mod download.

What did you expect to see?

Should download module

What did you see instead?

x509 certificate error

@ranjithchev
Author

What would be the right certificate to use to download modules from proxy.golang.org?

@mknyszek mknyszek changed the title proxy.golang.org uses cisco cert which seems to have revoked proxy.golang.org: certificate may have been revoked May 27, 2021
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 27, 2021
@mknyszek mknyszek added this to the Unreleased milestone May 27, 2021
@mknyszek
Contributor

mknyszek commented May 27, 2021

Can you please provide more details? Namely, the platform you're running on, and the full text of the error you're seeing and the precise steps you took to reproduce it?

CC @katiehockman @heschi @hyangah

@mknyszek mknyszek added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label May 27, 2021
@heschi
Contributor

heschi commented May 27, 2021

It looks like the certificate was reissued a few weeks ago, so it's possible the docker container in question is missing a root certificate that it didn't need before that reissue. But the certificate has certainly not been revoked.

@seankhliao
Member

This could also be a corporate firewall/mitm proxy like in #45569

@ranjithchev
Author

ranjithchev commented May 27, 2021

Apparently, I'm trying to build a docker image from my mac for my golang application and while running docker I get the error "x509 certificate signed by unknown authority" while it runs the part "RUN go mod download". It used to work a month back but the same docker file now fails with this error. Looks like something is out of sync with the ssl cert used for proxy.golang.org. Omitted some details.

Here is my docker file

FROM golang:1.16.4 AS build

# Line continuations restored; the domain is redacted as "..com" in the original post
ENV GO111MODULE=on \
    CGO_ENABLED=1 \
    GOOS=linux \
    GOARCH=amd64 \
    GOPRIVATE=*..com \
    GONOPROXY=*..com \
    GONOSUMDB=*..com

ENV HTTPS_PROXY="Our https proxy"
ENV HTTP_PROXY="Our proxy"

RUN apt-get update
RUN apt-get install -y git \
    libxml2-dev \
    openssh-client \
    make

I added these lines just yesterday as per a stackoverflow post but even this did not help me.

ARG cert_location=/usr/local/share/ca-certificates

RUN openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/github.crt

RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt

RUN update-ca-certificates

Until this part

RUN apt-get install -y \
    ca-certificates \
    && update-ca-certificates 2>/dev/null || true

# Port 7999 taken from the build output further down in this thread
RUN git config --global url."ssh://git@git..com:7999/".insteadOf "https://git..com/"

WORKDIR /application
COPY . .

ARG SSH_PRIVATE_KEY

RUN mkdir /root/.ssh/ && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan -p 7999 -t rsa git..com >> /root/.ssh/known_hosts

RUN echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts

RUN go mod download

RUN make

@ranjithchev
Author

> This could also be a corporate firewall/mitm proxy like in #45569

> It looks like the certificate was reissued a few weeks ago, so it's possible the docker container in question is missing a root certificate that it didn't need before that reissue. But the certificate has certainly not been revoked.

Shouldn't the below take care of the cert? Why do I still get the cert unknown error?
RUN openssl s_client -showcerts -connect proxy.golang.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > ${cert_location}/proxy.golang.crt

@seankhliao
Member

Please include the full output of your docker build.

@ranjithchev
Author

Here is my docker output.

docker build -t pqr . --no-cache
[+] Building 34.7s (18/19)
 => [internal] load build definition from Dockerfile                                                                                                                                0.0s
 => => transferring dockerfile: 1.93kB                                                                                                                                              0.0s
 => [internal] load .dockerignore                                                                                                                                                   0.0s
 => => transferring context: 2B                                                                                                                                                     0.0s
 => [internal] load metadata for docker.io/library/golang:1.16.4                                                                                                                    0.5s
 => CACHED [ 1/15] FROM docker.io/library/golang:1.16.4@sha256:8a106c4b4005efb43c0ba4bb5763b84742c7e222bad5a8dff73cc9f7710c64ee                                                     0.0s
 => => resolve docker.io/library/golang:1.16.4@sha256:8a106c4b4005efb43c0ba4bb5763b84742c7e222bad5a8dff73cc9f7710c64ee                                                              0.0s
 => [internal] load build context                                                                                                                                                   0.0s
 => => transferring context: 6.44kB                                                                                                                                                 0.0s
 => [ 2/15] RUN apt-get update                                                                                                                                                      7.9s
 => [ 3/15] RUN apt-get install -y git     libxml2-dev     openssh-client     make                                                                                                 17.7s
 => [ 4/15] RUN openssl s_client -showcerts -connect github.com:443 /dev/null|openssl x509 -outform PEM > /usr/local/share/ca-certificates/github.crt                  0.7s
 => [ 5/15] RUN openssl s_client -showcerts -connect proxy.golang.org:443 /dev/null|openssl x509 -outform PEM >  /usr/local/share/ca-certificates/proxy.golang.crt     0.7s
 => [ 6/15] RUN update-ca-certificates                                                                                                                                              1.2s
 => [ 7/15] RUN apt-get install -y         ca-certificates         && update-ca-certificates 2>/dev/null || true                                                                    2.0s
 => [ 8/15] RUN git config --global url."ssh://git@git..com:7999/".insteadOf "https://git..com/"                                                                            0.4s
 => [ 9/15] WORKDIR /pqr                                                                                                                                                            0.0s
 => [10/15] COPY . .                                                                                                                                                                0.9s
 => [11/15] RUN mkdir /root/.ssh/ &&     chmod 0700 /root/.ssh &&     ssh-keyscan -p 7999 -t rsa git..com  >> /root/.ssh/known_hosts                                            1.0s
 => [12/15] RUN echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa &&     chmod 600 /root/.ssh/id_rsa                                                                                    0.5s
 => [13/15] RUN touch /root/.ssh/known_hosts                                                                                                                                        0.3s
 => ERROR [14/15] RUN go mod download                                                                                                                                               0.7s
------
 > [14/15] RUN go mod download:
#18 0.694 go: github.com/brianvoe/gofakeit/v6@v6.4.1: Get "https://proxy.golang.org/github.com/brianvoe/gofakeit/v6/@v/v6.4.1.mod": x509: certificate signed by unknown authority
------
executor failed running [/bin/sh -c go mod download]: exit code: 1

@ranjithchev
Author

ranjithchev commented May 28, 2021

Could it be a problem with the certificate used by proxy.golang.org? When I try to set my GOPROXY=direct everything works like a charm but I'm trying to avoid the 'direct' usage. As I mentioned previously, just a month ago it was all working without any issues. I know recently something changed with the certificates and everything stopped working.

@ranjithchev
Author

Tried running this command. Could that be the issue?
openssl s_client -connect proxy.golang.org:443 -servername proxy.golang.org

output
CONNECTED(00000006)
depth=2 C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 O = Cisco, CN = Cisco Umbrella Secondary SubCA nyc-SG
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cisco Systems, Inc.", CN = proxy.golang.org
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cisco Systems, Inc.", CN = proxy.golang.org
   i:O = Cisco, CN = Cisco Umbrella Secondary SubCA nyc-SG
 1 s:O = Cisco, CN = Cisco Umbrella Secondary SubCA nyc-SG
   i:C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
 2 s:C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
   i:O = Cisco, CN = Cisco Umbrella Root CA
---
Server certificate
(PEM body omitted)
subject=C = US, ST = California, L = San Francisco, O = "Cisco Systems, Inc.", CN = proxy.golang.org

issuer=O = Cisco, CN = Cisco Umbrella Secondary SubCA nyc-SG


No client certificate CA names sent

SSL handshake has read 3483 bytes and written 636 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 4CD5F7FBC24CB980D0ABC1446864E2F1FDA0BBDF5C4F9F36A21BB7AB7B4449B1
Session-ID-ctx:
Master-Key: 045FF5BB3EC43A4138DD72B05DD049920A228ED4686D60BC8C9A817ADDADDE293221FF4757B1259D2CF27963557FB82B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)

Start Time: 1622207154
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no

closed

@davecheney
Contributor

It looks like your connection is being interceded. Compare the output with the real SSL certificate

https://www.ssllabs.com/ssltest/analyze.html?d=proxy.golang.org&s=2607%3af8b0%3a4005%3a809%3a0%3a0%3a0%3a2011&latest

@seankhliao
Member

https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information

The untrusted certificate is because of your proxy settings

Closing as there's no problem with proxy.golang.org

@ranjithchev
Author

Thanks for confirming there is no issue with proxy.golang.org. But can someone tell me what course of action I need to take to solve my problem? If it's the certificate, then can you point me to the right CA root cert?

@ranjithchev
Author

> It looks like your connection is being interceded. Compare the output with the real SSL certificate
>
> https://www.ssllabs.com/ssltest/analyze.html?d=proxy.golang.org&s=2607%3af8b0%3a4005%3a809%3a0%3a0%3a0%3a2011&latest

Please note that one of the chains is not trusted.
Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

@ranjithchev
Author

Solved this. Below is what I had to use. I downloaded the Cisco Umbrella root CA and converted the file from .cer to .crt using openssl.

RUN cp cisco.crt /usr/local/share/ca-certificates/cisco.crt

RUN update-ca-certificates

@golang golang locked and limited conversation to collaborators May 28, 2022