pia-foss / manual-connections

Scripts for manual connections to Private Internet Access
MIT License

x509: certificate signed by unknown authority #155

Closed qdm12 closed 2 years ago

qdm12 commented 2 years ago

Hello there,

Recently, the distributed certificate ca.rsa.4096.crt fails to validate in Go:

x509: certificate signed by unknown authority

Runnable Go code

It might be because of an update in system/Mozilla CAs (in my particular case, the breml/rootcerts upgrade from v0.2.2 to v0.2.3).

Related issue: https://github.com/qdm12/gluetun/issues/958

Any idea how to fix this? Thanks!

qdm12 commented 2 years ago

It looks like now the OS x509 certificates work to validate the server name, and there is no longer a need to use your custom x509 PEM encoded certificate, which also no longer works to validate the server name. Let me know if I missed out on something!

g00nix commented 2 years ago

That certificate is the root, and it's also self-signed by design. Allowing the VPN to be signed by 3rd parties adds an attack surface.