golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/x509: Go does not load root CA from System keychain on macOS #28025

Closed adamrothman closed 6 years ago

adamrothman commented 6 years ago

Disclaimer: I'm new to Go, so please excuse my general lack of knowledge.

The issue I'm experiencing seems to be related to and/or the same as https://github.com/golang/go/issues/14514. It may be related to https://github.com/golang/go/issues/24652 and/or https://github.com/golang/go/issues/27958, but I'm not sure.

My company uses an internal root CA that is installed into the System keychain on my work Mac. All the browsers on my system trust this root correctly, and I have no trouble connecting to internal sites with certificates signed by this root.

I'm working on a Go program that needs to connect to an API that's served with a certificate signed by this internal root CA. I'm not doing anything fancy to configure my HTTP client:

client := &http.Client{Timeout: time.Second * 10}

When I try to make a request to the API, I get the following error: x509: certificate signed by unknown authority.

All the issues I could find that seem to be similar to what I'm experiencing are closed, but the issue is clearly still present. I did find some links to the go-rootcerts package, which does solve the problem when I configure my client like this:

tlsConfig := &tls.Config{}
rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{})
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Timeout: time.Second * 10, Transport: transport}

Obviously, having to include this just so I can develop locally is not ideal.

I have tried opening the certificate in Keychain Access and toggling the trust settings as suggested in this comment, but that didn't change anything.

What version of Go are you using (go version)?

go version go1.11.1 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

macOS 10.13.6

$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/arothman/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/arothman/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.11.1/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.11.1/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/qv/sgn2l7z54zl46vgwrg7qbsp80000gp/T/go-build126370609=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Sorry for the lack of runnable program, but I don't think it would be helpful as the issue is somewhat specific to my system/environment.

What did you expect to see?

Successful request/response.

What did you see instead?

x509: certificate signed by unknown authority
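The explicit root pool that the go-rootcerts workaround above boils down to, as an added example that is not code from the issue, from adamrothman, or from the Go project. It mints a throwaway root, issuing intermediate and server leaf in memory, serves them from a loopback httptest server with the intermediate in the chain (the setup mfriedenhagen describes later in the thread), and then compares the client from the report (RootCAs nil, so crypto/x509 falls back to whatever the platform store exposes) against a client handed the root PEM directly. The names Chain, BuildChain, RootPEM, NewClientWithRoots, IsUnknownAuthority, RoundTrip, PlatformRootsClient and the "Example Internal ..." subjects are constructed for this example and do not exist in the Go standard library or in go-rootcerts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Chain is a constructed in-memory PKI (root -> intermediate -> leaf); nothing here reads the macOS keychain.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

var PlatformRootsClient = &http.Client{Timeout: time.Second * 10} // the issue's client: nil RootCAs means the OS store

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture construction only; request errors are returned, never panicked
	}
	return v
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and returns the parsed cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed; a real CA uses random serials
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain mints a root, an issuing intermediate and a server leaf valid for the loopback addresses.
func BuildChain() *Chain {
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := issue(ca("Example Internal Root CA"), nil, nil)
	inter, interKey := issue(ca("Example Internal Issuing CA"), root, rootKey)
	leaf, leafKey := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "api.internal.example"},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf, LeafKey: leafKey}
}

func RootPEM(c *Chain) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Root.Raw})
}

// NewClientWithRoots trusts exactly the PEM roots given (the explicit-pool form of the go-rootcerts workaround).
func NewClientWithRoots(rootPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("no CERTIFICATE blocks found in root PEM")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Timeout: 10 * time.Second, Transport: tr}, nil
}

func IsUnknownAuthority(err error) bool {
	return errors.As(err, new(x509.UnknownAuthorityError)) // unwraps the url.Error / tls wrappers around the x509 error
}

// RoundTrip serves one HTTPS request from a loopback server presenting leaf+intermediate and returns the status seen.
func RoundTrip(c *Chain, client *http.Client) (int, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{c.Leaf.Raw, c.Intermediate.Raw}, PrivateKey: c.LeafKey}}}
	srv.StartTLS()
	defer srv.Close()
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	c := BuildChain()
	fmt.Println(RoundTrip(c, PlatformRootsClient))                  // 0 and "x509: certificate signed by unknown authority"
	fmt.Println(RoundTrip(c, must(NewClientWithRoots(RootPEM(c))))) // 204 <nil>
}
```

Two points worth noting about the design. A client built this way trusts only the roots in the pool, so it no longer reaches public sites; scope it to the internal API rather than replacing http.DefaultClient. And because the verification outcome is now a property of the binary rather than of the host's keychain, it is the same on every platform, which is exactly why the failure in this thread could be reproduced only on macOS.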

adamdecaf commented 6 years ago

Could you run and paste the output (I expect the command to fail and print) from the command here? https://github.com/golang/go/issues/24652#issuecomment-411069915

adamrothman commented 6 years ago

Certainly. Note that Secops Internal Root CA is the certificate in question here.

crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: Secops Internal Root CA returned 1
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=638948197133458968,O=Meraki Inc.,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=radius.meraki.com,OU=Domain Control Validated+OU=EssentialSSL
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Secops Internal Root CA
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: ran security verify-cert 15 times
    cgo sys roots: 110.760832ms
non-cgo sys roots: 175.697789ms
certificate only present in non-cgo pool: CN=radius.meraki.com,OU=Domain Control Validated+OU=EssentialSSL (verify error: x509: certificate signed by unknown authority)
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
SecTrustSettingsCopyCertificates: No Trust Settings were found.
Number of trusted certs = 1
Cert 0: Secops Internal Root CA
   Number of trust settings : 0

!!! The test failed!

dmitshur commented 6 years ago

/cc @FiloSottile

mfriedenhagen commented 6 years ago

Hi, maybe related to both this issue and #27958. I try to access an internal server which uses a certificate signed with an intermediate cert. I completely trust the internal root CA and browsers and curl are fine with this. The server in question ships the intermediate together with its own cert. Now http.Client chokes with the above error and I have to add the intermediate to the System.keychain and additionally set trust for ssl connections on the intermediate certificate.

FiloSottile commented 6 years ago

Duplicate of #24652, thanks for running the test binary. The outstanding patches will fix it.