When @bsnchan had the issue I got a chance to check their environment. It seems like the issue is scoped to darwin, where keychain manages system root CAs and intermediate CAs differently. If there is no ca_cert specified, fly tends to let tls populate the RootCA itself, which ends up picking up only the CA set under system roots (not 100% sure if it is using the same way that x509 does; if it is, then it would be a bug that golang could not fully load system CAs under darwin).
x509.SystemCertPool() instead will pick up from both places; refer to here.
A related read here mentions that adding intermediate CAs to the system root CA in darwin is prohibited, thus fly in this case needs to load them from ~/Library/Keychains/login.keychain or /Library/Keychains/System.keychain.
Trying to fix https://github.com/concourse/concourse/issues/2133
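The distinction drawn above, between letting the TLS stack pick roots on its own and seeding tls.Config.RootCAs from x509.SystemCertPool() plus the operator's ca_cert, as an added example that is not Concourse or fly code. The function names (rootPool, verifiesAgainst, constructedCAAndLeaf), the host name and the generated certificates are constructed for illustration; the only real API used is Go's crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// rootPool builds the pool that would be assigned to tls.Config.RootCAs.
// It starts from x509.SystemCertPool() (on darwin this reads the System and
// login keychains) and appends the operator-supplied ca_cert PEM, so an
// internal CA is trusted without having to be installed as a system root.
// Leaving RootCAs nil would instead let Go pick roots itself, the code path
// the comment above suspects.
func rootPool(caCertPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		// Fall back to an empty pool so an explicit ca_cert still works.
		pool = x509.NewCertPool()
	}
	if len(caCertPEM) > 0 {
		if ok := pool.AppendCertsFromPEM(caCertPEM); !ok {
			return nil, fmt.Errorf("ca_cert contains no parsable PEM certificates")
		}
	}
	return pool, nil
}

// verifiesAgainst reports whether leafPEM chains to a root in pool for host.
func verifiesAgainst(pool *x509.CertPool, leafPEM []byte, host string) bool {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return false
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// constructedCAAndLeaf generates a throwaway CA and a server certificate
// signed by it, purely so the example runs offline (constructed data).
func constructedCAAndLeaf(host string) (caPEM, leafPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed example CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

func main() {
	host := "concourse.example.internal" // constructed host name
	caPEM, leafPEM, err := constructedCAAndLeaf(host)
	if err != nil {
		panic(err)
	}
	withoutCA, _ := rootPool(nil)
	withCA, _ := rootPool(caPEM)
	fmt.Println("system roots only:     ", verifiesAgainst(withoutCA, leafPEM, host))
	fmt.Println("system roots + ca_cert:", verifiesAgainst(withCA, leafPEM, host))
}
```

The first check fails and the second succeeds on every platform, which is the behaviour an explicit ca_cert is meant to give; the darwin keychain question only affects what SystemCertPool() returns when no ca_cert is supplied.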