crypto/x509: failed to load system roots when there are no system roots #6391

Closed
gopherbot opened this issue Sep 15, 2013 · 11 comments

@gopherbot

commented Sep 15, 2013

by m.kevac@corp.badoo.com:

What steps will reproduce the problem?

Build latest go compiler from tip on Linux. Try to go get some code.

marko@cpp1.d3:~ $ go version
go version devel +3e162252c755 Sun Sep 15 10:45:36 2013 +1000 linux/amd64

marko@cpp1.d3:~ $ go get code.google.com/p/goprotobuf/{proto,protoc-gen-go}
package code.google.com/p/goprotobuf/proto: Get
https://code.google.com/p/goprotobuf/source/checkout?repo=: x509: failed to load system
roots and no roots provided
package code.google.com/p/goprotobuf/protoc-gen-go: Get
https://code.google.com/p/goprotobuf/source/checkout?repo=: x509: failed to load system
roots and no roots provided

Default build. Without any GO environment variables.
@bradfitz

Member

commented Sep 15, 2013

Comment 1:

Which Linux distro?  Perhaps its roots are in a weird place.
@gopherbot

Author

commented Sep 15, 2013

Comment 2 by m.kevac@corp.badoo.com:

marko@cpp1.d3:~ $ cat /etc/issue
Welcome to SUSE Linux Enterprise Server 11 SP1  (x86_64) - Kernel \r (\l).
marko@cpp1.d3:~ $ uname -a
Linux cpp1 2.6.32.59-32.32-default #1 SMP 2012-05-29 21:43:39 +0200 x86_64 x86_64 x86_64
GNU/Linux
@bradfitz

Member

commented Sep 15, 2013

Comment 3:

Are your certs not at /etc/ssl/ca-bundle.pem?
Where are they?
@gopherbot

Author

commented Sep 15, 2013

Comment 4 by m.kevac@corp.badoo.com:

There isn't a file with that name anywhere. But there are a lot of *.pem files here:
marko@cpp1.d3:~ $ ll /etc/ssl/certs/ | wc -l
276
@bradfitz

Member

commented Sep 15, 2013

Comment 5:

Does /etc/ssl/certs/ca-certificates.crt exist in that directory?
@gopherbot

Author

commented Sep 15, 2013

Comment 6 by m.kevac@corp.badoo.com:

Nope.
But:
marko@cpp1.d3:/etc/ssl/certs $ cat README.RootCerts
The OpenSSL project does not (any longer) include root CA certificates.
Please check out the FAQ:
  * How can I set up a bundle of commercial root CA certificates?
@gopherbot

Author

commented Sep 15, 2013

Comment 7 by m.kevac@corp.badoo.com:

Which led me to http://www.openssl.org/support/faq.html#USER16
So it seems there is a way to create such a bundle.
But isn't it supposed to just work?
@rsc

Contributor

commented Sep 15, 2013

Comment 8:

The question of which root CAs to trust is not one that should be decided
by the Go distribution. It instead relies on the operating system to
provide access to a set of root CAs. On OS X and Windows there are standard
system library calls to validate certificates. On the various Unixes there
is by convention a set of root certificates at one of a list of well-known
places. I agree with OpenSSL that they shouldn't be deciding that policy
either, but I would have expected SUSE to ship with a basic set, like the
other Linux distributions.
@rsc

Contributor

commented Oct 18, 2013

Comment 9:

Go is not going to start distributing its own set of roots. That's a system-level
decision.

Status changed to WorkingAsIntended.

@gopherbot

Author

commented Sep 19, 2014

Comment 10 by ilyxa@nest.org.ru:

Please add one string ./src/crypto/x509/root_unix.go:18
         "/etc/certs/ca-certificates.crt",         // Solaris 11.2
And Solaris 11.2 build process goes fine.
@orian


commented Feb 11, 2016

On Ubuntu (e.g. in Docker):
apt-get install ca-certificates

@golang golang locked and limited conversation to collaborators Feb 28, 2017

This issue was closed.
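
The lookup described in Comment 8, as an added example that is not part of the original thread or of Go's own source: a diagnostic that checks the bundle paths named in this issue and returns the first one holding at least one parsable certificate, together with a pool built from it. The names `candidates`, `countCerts` and `firstUsable` are hypothetical, and the path list is only the three locations mentioned above, not the full list Go probes.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
)

// Bundle paths named in this thread; the list Go itself probes is longer.
var candidates = []string{
	"/etc/ssl/ca-bundle.pem",
	"/etc/ssl/certs/ca-certificates.crt",
	"/etc/certs/ca-certificates.crt",
}

// countCerts returns how many CERTIFICATE blocks in data parse as X.509.
func countCerts(data []byte) int {
	n := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys and other PEM types are not roots
		}
		if _, err := x509.ParseCertificate(block.Bytes); err == nil {
			n++
		}
	}
	return n
}

// firstUsable returns the first path with a parsable certificate and a pool
// built from it; "" and nil mean no roots were found (hypothetical helper).
func firstUsable(paths []string) (string, *x509.CertPool) {
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil || countCerts(data) == 0 {
			continue // missing, unreadable, or no valid certificates
		}
		pool := x509.NewCertPool()
		pool.AppendCertsFromPEM(data)
		return p, pool
	}
	return "", nil
}

func main() {
	path, pool := firstUsable(candidates)
	fmt.Printf("bundle=%q usable=%v\n", path, pool != nil)
}
```

A program that must run on a host without a system bundle can pass the returned pool explicitly as `tls.Config.RootCAs` or `x509.VerifyOptions.Roots`, which covers the "no roots provided" half of the error message.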
