crypto/x509: error "x509: certificate signed by unknown authority" on valid SSL chain

[rasky]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.7rc4 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/rasky/Sources/go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.7rc4/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.7rc4/libexec/pkg/tool/darwin_amd64"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/lw/jdbk7p_d4gj6qpydczpbw2080000gn/T/go-build080916688=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"

What did you do?

package main

import (
    "io"
    "net/http"
    "os"
)

func main() {
    resp, err := http.Get("https://blitznote.com/src/caddy.upload?go-get=1")
    if err != nil {
        panic(err)
    }

    io.Copy(os.Stdout, resp.Body)
}

What did you expect to see?

Some HTML output

What did you see instead?

panic: Get https://blitznote.com/src/caddy.upload?go-get=1: x509: certificate signed by unknown authority

goroutine 1 [running]:
panic(0x1fcd00, 0xc420400060)
    /usr/local/Cellar/go/1.7rc4/libexec/src/runtime/panic.go:500 +0x1a1
main.main()
    /private/tmp/test.go:12 +0xd0
exit status 2

Notice that visiting the same link with Safari produces no SSL error. The SSL certificate chain seems correct and the Comodo ECC CA is in OS X trust store.

[mdempsky]

/cc @agl

[jmassara]

I believe this is a dup of #16532.

[josharian]

This isn't a dup of #16532, I think, because that issue is for the non-cgo code path, and go env indicates that cgo is enabled here.

[mark-kubacki]

@rasky, I have noticed you are using OS darwin. Do you get the same error with, say, this site?
https://scotthelme.co.uk/ecdsa-certificates/

I have not been able to reproduce this using go version go1.7rc4 linux/amd64:

$ docker pull golang:1.7rc4
$ docker run -ti --rm d7e6aaff64ae

go version
# go version go1.7rc4 linux/amd64

# [… paste the above script as 16589.go]
go run 16589.go
CGO_ENABLED="1" go run 16589.go
# both don't panic

[rasky]

@wmark yes, this bug is OSX-only, and it doesn't reproduce with the URL you linked.

[xfreshx]

@rasky unfortunately have the same on windows x86. I built my app on win64 with

• GOARCH=386
• CGO_ENABLED=1
  on win64 everything is fine. OS X version (with only CGO_ENABLED=1) is fine as well.

Any solution available yet?

[agl]

Best I can tell, this is caused by "COMODO ECC Certification Authority" not being included in some OS X versions.

With 10.10, it's not included. That site can be loaded by Safari because the intermediate has an AIA pointer to a cross-sign from the AddTrust ECC root, which /is/ included. But the site isn't serving that cross-sign for Go.

With 10.12, the root is included and the test loads.