encoding/asn1: failed to parse certificate from server: asn1: syntax error: sequence truncated #12910
Comments
Could you provide us a Go snippet that reproduces the bug? Given the fact that Go maintainers are not necessarily familiar with the other codebases you have cross-linked to, it is hard to go through the other issues and be able to reproduce the case.
And I fear we/the developer needs to set up: Client:
Server
I can help with CA. To open the CA database the developer needs to download XCA and open/export the certificates from there. The given CA file contains 4 CAs and 2 server certificates. One is for You can find the files for the CA here. It's a data repository hosted with Github Pages. Unfortunately I was not able to add the files to this issue. The most relevant file is the
Added link to the CA.
Set up apache (https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04):

```apache
Listen 443
<VirtualHost *:443>
    ServerName server.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/server.example.com.key
</VirtualHost>
```
Ok. @rakyll I prepared a docker image you can use if you like. It contains "just" the webservers "nginx" and "apache" set up with ssl. Please see https://github.com/fedux-org/centos-webservers for detailed instructions about how to use it.
I put together "some kind" of a client via google and C&P. Unfortunately I cannot reproduce the issue with it. :-( @ayufan Do you do something different in

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"os"
)

func main() {
	var caFile = "/etc/ca-certificates/trust-source/anchors/CA_Example_Com.crt"
	// Load CA cert
	caCert, err := ioutil.ReadFile(caFile)
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)
	// Setup HTTPS client
	tlsConfig := &tls.Config{
		RootCAs: caCertPool,
	}
	tlsConfig.BuildNameToCertificate()
	transport := &http.Transport{TLSClientConfig: tlsConfig}
	client := &http.Client{Transport: transport}
	response, err := client.Get("https://localhost:8443/")
	if err != nil {
		fmt.Printf("%s", err)
		os.Exit(1)
	} else {
		defer response.Body.Close()
		contents, err := ioutil.ReadAll(response.Body)
		if err != nil {
			fmt.Printf("%s", err)
			os.Exit(1)
		}
		fmt.Printf("%s\n", string(contents))
	}
}
```
Can you post the certificate somewhere we can look at it? If you can't post it, can you email it to me (rsc@golang.org)? Thanks.
The failing one or the one from the example? The failing one is internal unfortunately, I will ask my security manager what he thinks about that.
@dg-ratiodata, any failing certificate will do. If the one from the example fails, that's fine too. (I don't have time to go through whatever is required to fish it out of the Docker image.) Thanks.
Ok.
@dg-ratiodata any update on a copy of the failing certificate? |
No. I asked them, but didn't get any info. I am going to ping them again.
Any news? FWIW, this is the sort of thing I'm looking for, except that this program succeeds: http://play.golang.org/p/aW9S8XQcNJ. The certs in that program are the samples that you linked to earlier. They are fine as far as I can tell. It should be the case that if you paste your real certificate into the program instead, the program should fail, with an error coming back from ParseCertificates. Note that 'BEGIN CERTIFICATE' data only contains a public key, not a private one. If you're worried about exposing the non-cryptographic details (view with Thanks.
Great. Will have a look. Thanks a lot for your patience.
I got this output after adding the certificates. I nailed it down to our internal root CA certificate. All other certs in the chain can be parsed. Besides that, running
Hope to get a response from our security guys soon.
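The narrowing-down step above (parse each certificate of the bundle on its own and see which one the parser rejects) as an added Go example; this is not code from the issue, from the reporter or from the Go maintainers. The sample bundle is constructed in the code itself: a throwaway self-signed CA, once intact and once with its trailing DER bytes cut off, standing in for the reporter's internal root CA, which is not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
)

// CertReport is the outcome for one CERTIFICATE block: Subject holds the
// CommonName on success, Err the x509.ParseCertificate failure otherwise.
type CertReport struct {
	Subject string
	Err     error
}

// CheckBundle parses every CERTIFICATE block in a PEM bundle separately, so a
// single malformed CA is pinpointed instead of the whole chain failing at once.
func CheckBundle(bundle []byte) (reports []CertReport) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other non-certificate blocks in the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			reports = append(reports, CertReport{Err: err})
			continue
		}
		reports = append(reports, CertReport{Subject: cert.Subject.CommonName})
	}
	return reports
}

// SampleBundle is constructed test data: a throwaway self-signed CA, once intact
// and once with its last 8 DER bytes cut off (an outer SEQUENCE shorter than its
// declared length, the shape behind an "asn1 ... truncated" parse error).
func SampleBundle() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	good := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	bad := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der[:len(der)-8]})
	return append(good, bad...)
}
```

Feed CheckBundle the contents of the trust-anchor file instead of SampleBundle to get one report per certificate, with only the defective one carrying an error.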
CL https://golang.org/cl/17550 mentions this issue. |
@rsc Wow, that was quick. Thanks for fixing this issue.
Issue
I use two projects which are built with Go: docker and gitlab-ci-runner. Both products try to connect to an HTTPS-enabled webservice and fail. In one case it's the docker daemon, in the other case it's an NGINX in front of gitlab. In both cases I get similar errors:
Setup
Both webservices use a (different) certificate issued by an internal Sub-CA:
I tried the webservices to serve the full chain excluding the Root-CA.
Gitlab:
Accessing gitlab with Firefox, Chromium, curl and openssl s_client works fine since I set up ca-trust correctly: the root CA certificate is stored at /etc/(pki|ca-certificates/trust-source/anchor + sudo update-ca-trust.
docker
This only worked if I added a single CA to the server CRT. This would require distributing the other Root-/Sub-CAs on quite a few machines where the docker client runs.
Expected behaviour
I expect both programs to support certificate chains including verification.
My role
From your perspective I'm an end-user of both products and NOT a developer/maintainer of those products.
Information about software products
docker
gitlab-ci-runner
I'm not sure what go version exactly was used to create the executable, but they use the docker image "golang:1.4" from the docker library.
Related issues
I opened an issue for the HTTPS-problem at golang as well @ayufan @cpuguy83