Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: certificate signed by unknown authority, macOS #37017

Closed
fcjr opened this issue Feb 4, 2020 · 2 comments
Closed

crypto/x509: certificate signed by unknown authority, macOS #37017

fcjr opened this issue Feb 4, 2020 · 2 comments
Labels
FrozenDueToAge

Comments

@fcjr
Copy link

fcjr commented Feb 4, 2020
edited
Loading

What version of Go are you using (go version)?

$ go version
go version go1.13.7 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN="/Users/fcjr/go/bin"
GOCACHE="/Users/fcjr/Library/Caches/go-build"
GOENV="/Users/fcjr/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/fcjr/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.13.7/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.13.7/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/fcjr/Desktop/scratch/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/ky/y_d9mzjs4vn5b9py571zs8dm0000gn/T/go-build689674788=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Attempting to GET a website signed by USERtrust RSA Certification Authority returns x509: certificate signed by unknown authority even though the root certificate is in system roots with default settings of "Use System Defaults". At first I thought this might be due to #27175, however this issue occurs regardless of cgo being enabled or not. Note: the GET request succeeds on windows using the default system pool. @FiloSottile any thoughts on why this might be happening, could this be caused by the incomplete certificate chain on the given website? If so shouldn't the same issue occur on windows?

Here is a minimal example:

package main

import (
	"fmt"
	"log"
	"net/http"
)

func main() {
	res, err := http.Get("https://www.tian-restaurant.com/")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
}

Certificate Chain:
Screen Shot 2020-02-04 at 10 59 56 AM

Trust Settings:
Screen Shot 2020-02-04 at 11 00 23 AM

What did you expect to see?

200 OK

What did you see instead?

Get https://www.tian-restaurant.com/: x509: certificate signed by unknown authority
@fcjr
Copy link
Author

fcjr commented Feb 4, 2020

After futher investigation it seems like it is likely a chain issue, closing as #31773 already proposes adding Authority Information Access support to crypto/tls.

@fcjr fcjr closed this as completed Feb 4, 2020
@FiloSottile
Copy link
Contributor

FiloSottile commented Feb 4, 2020 via email

@golang golang locked and limited conversation to collaborators Apr 13, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@FiloSottile @fcjr @gopherbot