Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: confusing error for missing hash function #5058

rsc opened this issue Mar 15, 2013 · 3 comments

crypto/x509: confusing error for missing hash function #5058

rsc opened this issue Mar 15, 2013 · 3 comments


Copy link

@rsc rsc commented Mar 15, 2013

Someone tried to validate a cert using SHA-512 without crypto/sha512 linked in. The
error was "x509: certificate signed by unknown authority."

---------- Forwarded message ----------
From: Mike Lewis <>
Date: Wed, Mar 13, 2013 at 2:44 PM
Subject: [go-nuts] Non-Obvious Failure with x509 and custom root CAs


Long story short:
I was trying do http Get against a url with a custom root CA (that was on my keychain). 
Received "x509: certificate signed by unknown authority."

Ended up going x509 code and ended up landing in x509.go where hashType.Available() was
returning false.

Our CA was using SHA512.  The workaround for me was to 'import _
"crypto/sha512"' in my code.  However, this was anything but intuitive.  I
basically had to add a bunch of print statements throughout go's source code to figure
out where it was failing.

Is this documented anywhere?  Or is this a bug?  Basically the http library will fail on
any root certs that use algos that aren't imported by a transitive dependency and will
give a very obscure error.

Copy link

@lukescott lukescott commented May 2, 2013

Comment 1:

I was just bitten by this - although I wasn't using the net/http package. It seems that
the crypto/tls package already imports sha1. When using certs generated with sha256 I
got this error. It wasn't until I found this issue that I figured out what the problem
Here is sample code:
Note how you get "x509: certificate signed by unknown authority."
If you simply add _ "crypto/sha256" to the import it works.
Now this will probably not be fixed. How would you fix this?  Something that would have
saved me hours of time is if this was mentioned in the crypto/tls documentation (perhaps
even crypto/x509) - at the top.
Please add a note to the documentation. Thanks!
Copy link

@agl agl commented May 14, 2013

Comment 2:

Owner changed to @agl.

Copy link

@minux minux commented May 20, 2013

Comment 3:

fixed by revision 4e860d4a312b.

Status changed to Fixed.

@rsc rsc added fixed labels May 20, 2013
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.