transport credentials method does not work on windows #90

Closed
sebastianbuechler opened this issue Apr 2, 2022 · 5 comments
Labels
bug Something isn't working go Pull requests that update Go code

@sebastianbuechler

When setting up a new client, there is the call to the transportOption function, which tries to get the transport credentials for secured connections from the transportCredentials function.

```go
func transportOption(api string, insecure bool) (grpc.DialOption, error) {
	if insecure {
		return grpc.WithInsecure(), nil
	}
	certs, err := transportCredentials(api)
	if err != nil {
		return nil, err
	}
	return grpc.WithTransportCredentials(certs), nil
}

func transportCredentials(api string) (credentials.TransportCredentials, error) {
	ca, err := x509.SystemCertPool()
	if err != nil {
		return nil, err
	}
	if ca == nil {
		ca = x509.NewCertPool()
	}

	servernameWithoutPort := strings.Split(api, ":")[0]
	return credentials.NewClientTLSFromCert(ca, servernameWithoutPort), nil
}
```

However, this function calls x509.SystemCertPool(), which always returns an error on Windows systems:

```go
func SystemCertPool() (*CertPool, error) {
	if runtime.GOOS == "windows" {
		// Issue 16736, 18609:
		return nil, errors.New("crypto/x509: system root pool is not available on Windows")
	}

	if sysRoots := systemRootsPool(); sysRoots != nil {
		return sysRoots.copy(), nil
	}

	return loadSystemRoots()
}
```

It seems that this is fixed in golang/go@3544082
Change comment: "This change re-enables SystemCertPool on Windows, but explicitly does not return anything from CertPool.Subjects (which matches the behavior of macOS)."

According to this source, it should be available in Go 1.18: deviceinsight/kafkactl#108 (comment)

Would this help?
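
An added example, not part of the original issue and not the project's own code: a TLS setup that keeps certificate verification on when `x509.SystemCertPool()` fails, by leaving `RootCAs` nil so that `crypto/tls` uses the host's root CA set. The helpers `clientTLSConfig` and `serverName`, the injected `loadPool` parameter and the address `api.example.com:443` are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
)

// serverName (hypothetical helper) extracts the host used for certificate
// verification. net.SplitHostPort handles bracketed IPv6 literals, which
// strings.Split(api, ":")[0] would truncate.
func serverName(api string) string {
	host, _, err := net.SplitHostPort(api)
	if err != nil {
		return api // no port present; use the value as given
	}
	return host
}

// clientTLSConfig (hypothetical helper) builds a verifying client config.
// loadPool is injected so the failure path can be exercised on any OS.
// If the pool cannot be loaded (Go < 1.18 on Windows), RootCAs stays nil
// and crypto/tls verifies against the host's root CA set instead.
// The bool reports whether an explicit pool was set.
func clientTLSConfig(api string, loadPool func() (*x509.CertPool, error)) (*tls.Config, bool) {
	cfg := &tls.Config{
		ServerName: serverName(api),
		MinVersion: tls.VersionTLS12,
	}
	pool, err := loadPool()
	if err != nil || pool == nil {
		return cfg, false // fallback: verification stays enabled, no InsecureSkipVerify
	}
	cfg.RootCAs = pool
	return cfg, true
}

func main() {
	// Placeholder address, constructed for this example.
	cfg, explicit := clientTLSConfig("api.example.com:443", x509.SystemCertPool)
	fmt.Printf("server=%s explicitPool=%v\n", cfg.ServerName, explicit)
	// With gRPC: grpc.WithTransportCredentials(credentials.NewTLS(cfg))
}
```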

@fforootd
Member

fforootd commented Apr 4, 2022

Hi - interesting find 😁

Does this block your work, or are you fine using Go 1.18 (if this really solves this 🤷)?

@sebastianbuechler
Author

We switched last week from the REST implementation to gRPC and it works in the cluster, but not on all dev machines because of some Windows instances. So it does block some of us developing with Zitadel. Not sure if our codebase is already supporting 1.18, but I guess the change would anyway be first on this repo, right?

@fforootd
Member

fforootd commented Apr 4, 2022

This code should already support 1.18 so only your code would need updating 😁

@fforootd fforootd added bug Something isn't working go Pull requests that update Go code labels Apr 4, 2022
@sebastianbuechler
Author

True. After upgrading a second time to 1.18 even our code works 😁. And the issue is gone! Thanks for the clarification Florian :)

@fforootd
Member

fforootd commented Apr 4, 2022

No problem, happy to help!
