I call an Italian government web service to fetch company information.
IMPORTANT: I don't know when this started to fail (the service is rarely used in production).
It works without issues on a Windows 11 x64 development laptop.
There may be some differences in the certificates that are provided to clients based on network location due to CDNs and other regionalized endpoints. From a US-based location, I do not receive a full Server + CA chain with my request, just the Server certificate, and it functions as expected. I had @genesio-systemlogic provide the full cert chain he was receiving and looked at all certificates presented, and the intermediate certificate is using a currently unsupported critical extension OID: 2.5.29.30 - Name Constraints.
Looks like there may be an issue already open for supporting this extension as critical; please reference #15196.
changed the title from "HTTP POST to Italian government web service fails with "x509: unhandled critical extension" error on Linux host" to "crypto/x509, net/http: HTTP POST to Italian government web service fails with "x509: unhandled critical extension" error on Linux host" on Sep 26, 2022
It's working on Windows and macOS because the chain is being verified by the platform verifier, while on Linux we use our own. We do support critical name constraints, but this certificate also has a DN constraint, regrettably, which we don't support (#15196).
They're a huge headache, but if they're showing up in the WebPKI we might have to bite the bullet and support them.
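The behaviour discussed in this thread can be reproduced offline. The following is an added example, not code from the issue or from the Go project: it builds a constructed self-signed CA whose critical Name Constraints extension carries a directoryName subtree, then shows that `crypto/x509` records the extension as unhandled and that verification with Go's own verifier is rejected. The helper names `tlv`, `constructedCA` and `inspect` and the `C=IT` constraint are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// tlv wraps body in one constructed DER element with the given class and tag.
func tlv(class, tag int, body []byte) []byte {
	out, _ := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: true, Bytes: body})
	return out
}

// constructedCA builds a constructed sample CA (not the issue's certificate) with a critical directoryName constraint.
func constructedCA() ([]byte, error) {
	dn, _ := asn1.Marshal(pkix.Name{Country: []string{"IT"}}.ToRDNSequence())
	subtree := tlv(asn1.ClassUniversal, asn1.TagSequence, tlv(asn1.ClassContextSpecific, 4, dn)) // base = directoryName [4]
	nc := tlv(asn1.ClassUniversal, asn1.TagSequence, tlv(asn1.ClassContextSpecific, 0, subtree)) // permittedSubtrees [0]
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 30}, Critical: true, Value: nc}},
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// inspect returns the critical extensions Go could not process and the result of verifying the cert against itself.
func inspect(der []byte) ([]asn1.ObjectIdentifier, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // explicit Roots forces Go's verifier on every platform
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
	return cert.UnhandledCriticalExtensions, err
}

func main() {
	der, _ := constructedCA()
	fmt.Println(inspect(der))
}
```

Running `inspect` over each DER certificate a server presents shows which certificate in the chain carries the extension that Go's verifier refuses.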