crypto/x509: confusing error for missing hash function #5058
Someone tried to validate a cert using SHA-512 without crypto/sha512 linked in. The error was "x509: certificate signed by unknown authority."

---------- Forwarded message ----------
From: Mike Lewis <email@example.com>
Date: Wed, Mar 13, 2013 at 2:44 PM
Subject: [go-nuts] Non-Obvious Failure with x509 and custom root CAs
To: firstname.lastname@example.org

Hi,

Long story short: I was trying to do an http Get against a url with a custom root CA (that was on my keychain). Received "x509: certificate signed by unknown authority." Ended up going through the x509 code and landing in x509.go, where hashType.Available() was returning false. Our CA was using SHA512. The workaround for me was to 'import _ "crypto/sha512"' in my code.

However, this was anything but intuitive. I basically had to add a bunch of print statements throughout go's source code to figure out where it was failing. Is this documented anywhere? Or is this a bug?

Basically the http library will fail on any root certs that use algos that aren't imported by a transitive dependency and will give a very obscure error.

Thanks,
Mike
I was just bitten by this, although I wasn't using the net/http package. It seems that the crypto/tls package already imports sha1. When using certs generated with sha256 I got this error. It wasn't until I found this issue that I figured out what the problem was.

Here is sample code: http://play.golang.org/p/RqN-3GYSW2

Note how you get "x509: certificate signed by unknown authority." If you simply add _ "crypto/sha256" to the import it works.

Now this will probably not be fixed. How would you fix this? Something that would have saved me hours of time is if this was mentioned in the crypto/tls documentation (perhaps even crypto/x509), at the top. Please add a note to the documentation. Thanks!
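The failure both posters hit is a crypto.Hash whose implementing package was never linked: Hash.Available() is false, the signature cannot be checked, and the verifier falls through to "certificate signed by unknown authority". The program below is an added example, not code from the issue, the commenters, or the Go project. It builds a throwaway CA and server certificate offline, verifies the chain, and when Verify reports UnknownAuthorityError it checks whether the real cause is an unregistered signature digest and says so in the wrapped error. Later Go releases blank-import crypto/sha256 and crypto/sha512 from crypto/x509 itself, so the playground reproducer above no longer fails on current toolchains; the check still applies to any digest registered outside the standard library, and crypto.MD4 is used here as a reliably unlinked one because its implementation lives in golang.org/x/crypto, not in std. The hashFor table, the function names, the host name example.test and the certificate contents are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
	// A digest is usable once its package's init() registers it, so a blank
	// import suffices; current crypto/x509 already links these two itself.
	_ "crypto/sha256"
	_ "crypto/sha512"
)

// hashFor maps signature algorithms to the digest each needs; crypto/x509
// keeps its own table private (assumption: only these are covered here).
var hashFor = map[x509.SignatureAlgorithm]crypto.Hash{
	x509.SHA256WithRSA: crypto.SHA256, x509.SHA384WithRSA: crypto.SHA384, x509.SHA512WithRSA: crypto.SHA512,
	x509.ECDSAWithSHA256: crypto.SHA256, x509.ECDSAWithSHA384: crypto.SHA384, x509.ECDSAWithSHA512: crypto.SHA512,
}

// MissingHashes returns the digests in hs that no linked package registered;
// for those Hash.New panics, so x509 cannot check the signature at all.
func MissingHashes(hs ...crypto.Hash) []crypto.Hash {
	var missing []crypto.Hash
	for _, h := range hs {
		if !h.Available() {
			missing = append(missing, h)
		}
	}
	return missing
}

// VerifyWithDiagnostics builds leaf's chain against roots. On UnknownAuthorityError
// it checks whether a signature digest is simply not linked in and says so,
// wrapping the original error so errors.As still matches it.
func VerifyWithDiagnostics(leaf *x509.Certificate, roots []*x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	var unknown x509.UnknownAuthorityError
	if err == nil || !errors.As(err, &unknown) {
		return err
	}
	for _, c := range append([]*x509.Certificate{leaf}, roots...) {
		if h, known := hashFor[c.SignatureAlgorithm]; known && !h.Available() {
			return fmt.Errorf("%w: %v on %q needs %v, which is not linked into this binary; blank-import the package implementing it",
				err, c.SignatureAlgorithm, c.Subject.CommonName, h)
		}
	}
	return err
}

// issue generates a P-256 key and a certificate for tmpl; with parent nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewChain builds a throwaway CA and a server certificate for dnsName it signs (both ECDSAWithSHA256).
func NewChain(dnsName string) (*x509.Certificate, *x509.Certificate, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf, err
}

func main() {
	ca, leaf, err := NewChain("example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("with CA:", VerifyWithDiagnostics(leaf, []*x509.Certificate{ca}, "example.test"))
	fmt.Println("without CA:", VerifyWithDiagnostics(leaf, nil, "example.test"))
	fmt.Println("unlinked digests:", MissingHashes(crypto.SHA256, crypto.SHA512, crypto.MD4))
}
```

The wrapper deliberately only adds the digest diagnosis on UnknownAuthorityError and leaves every other failure (hostname mismatch, expiry, a genuinely unknown root) untouched, so callers that already match on x509 error types keep working. To reproduce the original symptom on a current toolchain you would need a certificate signed with a digest outside std, since crypto/x509 now links the SHA-2 family itself.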