The (*Certificate).Verify() method from crypto/x509 special-cases
windows, darwin and ios GOOS to use an OS-specific verification process.
This process seems to consider root CAs as invalid for some unknown
reason.
TestConfigServerExclusiveRootPools: see https://github.com/docker/go-connections/blob/5cc4da5c08cd0df3e0a45da21ebd07e131109bd2/tlsconfig/config_test.go#L202-L205
TestConfigClientExclusiveRootPools: see https://github.com/docker/go-connections/blob/5cc4da5c08cd0df3e0a45da21ebd07e131109bd2/tlsconfig/config_test.go#L566-L569

Both tests break with the following error:

certificate 1 being systemRootTrustedCert: https://github.com/docker/go-connections/blob/5cc4da5c08cd0df3e0a45da21ebd07e131109bd2/tlsconfig/config_test.go#L20-L41

As noted in https://github.com/docker/go-connections/commit/d5807de501e8618bbfeacec1c7a5955df229c0f7 commit message:
So either the syscall made by Verify() to retrieve the system-wide cert bundle returns an empty set, it's out-of-date, or something else happens.
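
Added example, not part of the original issue or the go-connections code: a platform-independent baseline for triaging this kind of failure. It verifies two throwaway roots against a pool built with x509.NewCertPool(), so only certificates added to that pool are trust anchors and the system-wide bundle plays no part. The helper names newRootCA and verifyAgainst and the common names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA returns a throwaway self-signed CA (constructed test data).
func newRootCA(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst verifies cert with pool as the only source of trust anchors.
func verifyAgainst(cert *x509.Certificate, pool *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	a, errA := newRootCA("constructed-root-a")
	b, errB := newRootCA("constructed-root-b")
	if errA != nil || errB != nil {
		panic(fmt.Sprint(errA, errB))
	}
	pool := x509.NewCertPool() // explicit pool holding root a only
	pool.AddCert(a)
	fmt.Println("root a:", verifyAgainst(a, pool))
	fmt.Println("root b:", verifyAgainst(b, pool))
}
```

If this behaves the same on every GOOS while the tests above still fail on some, the difference lies in how the system roots are resolved rather than in the pool handling itself.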