Skip to content

crypto/x509: root_cgo_darwin omits intermediate CAs with an empty policy settings or an unspecified trust type setting #30672

New issue
New issue
Closed
Closed
crypto/x509: root_cgo_darwin omits intermediate CAs with an empty policy settings or an unspecified trust type setting#30672
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.OS-Darwin
Milestone
Go1.13
@penglei

Description

@penglei
penglei
opened on Mar 8, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/penglei/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/penglei/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.12/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.12/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/n1/b06cdpcn6y58vz_184h4rlbc0000gn/T/go-build500360568=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

  1. generate certs

    Use this script to generate a server certificate signed by an intermediate certificate

    https://gist.github.com/penglei/91530ced7174d4d96ecbe8a5f8420749

    this script will generate root.pem, root-key.pem, intermediate.pem, intermediate-key.pem, server.pem, server-key.pem.
    certs in following step can be found here.

  2. add ca cert to system by /usr/bin/security

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain   root.pem
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain  intermediate.pem

    NOTE: bug is produced when adding intermediate.pem by calling security add-trusted-cert with no any -p policy options.

  3. config a HTTPS server

    Copy server.pem and server-key.pem to nginx config directory

    add the following content to nginx.conf:

    server {
	listen       443 ssl;
	server_name  localhost;

	ssl_certificate server.pem;
	ssl_certificate_key server-key.pem;

	location / {
		root   html;
		index  index.html index.htm;
	}
}

  4. run the following go program

    func main() {
	_, err := http.DefaultClient.Get("https://127.0.0.1/")
	if err != nil {
		panic(err)
	} else {
		fmt.Println("OK")
	}
}

    please ensure CGO_ENABLED=1 (this is default)

What did you expect to see?

OK

What did you see instead?

panic: Get https://127.0.0.1/: x509: certificate signed by unknown authority

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.OS-Darwin

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions