This is unlikely to be fixed until you provide the cert. Let us know when you have it.

@marcelborrmann, can you attach the certificate?

/cc @agl

I suspect the certificate is invalid:

https://tools.ietf.org/html/rfc5280#section-4.1.2.5:

"UTCTime values MUST be expressed in Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are YYMMDDHHMMSSZ)"

Thanks, @agl. Closing for now.

Well sorry being late here - didn't manage it to answer earlier - the cert is a default as in no special settings - openssl created one - so I would expect to have valid timestamps. I've seen the timestamp discussion already but wondered if there are some settings to care of within openssl cnf files and commands to avoid this issue in golang?

as the cert in quest das work properly with other applications and code based on different languages than golang.

as the cert is an internal one - and might contain sensitive data - are there options to send it out of band e.g. not as a github issue comment?

So the timestamp of the certificate in quest - shown by openssl -text looks like this:

Validity
Not Before: Aug 14 10:28:47 2015 GMT
Not After : Aug 13 10:28:47 2017 GMT

asn1parse says:
145:d=2 hl=2 l= 30 cons: SEQUENCE
147:d=3 hl=2 l= 13 prim: UTCTIME :150814102847Z
162:d=3 hl=2 l= 13 prim: UTCTIME :170813102847Z

which looks valid to me according to the above stated definition

should I create a new issue then? as the timestamp might not be the issue for this behaviour?

@dalini, you can email it to bradfitz at golang org

done, looking forward to understand the issue of the certs in use or if there might be a change on golang instead.

In this case, the problem is with root-ca.cer. In there we find:

  174:d=2  hl=2 l=  30 cons:   SEQUENCE          
  176:d=3  hl=2 l=  13 prim:    UTCTIME           :150814074318Z
  191:d=3  hl=2 l=  13 prim:    GENERALIZEDTIME   :203008210000Z

However, the spec says:

GeneralizedTime values MUST be expressed in Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ)

And that GENERALIZEDTIME does not include seconds.

However, all is not lost. Firstly, the TLS server should not be sending the root certificate in the first place so step one is to fix that. Then, when verifying the chain, you can use an altered root certificate with the seconds included. (I'll email you a fixed version of your root because playing with ASN.1 can be a pain.) The self-signature on the altered certificate will be invalid, of course, but the self-signature in a root certificate is just a placeholder anyway.

Ahh too bad! I didn't check all the chain up. I would think that the server does not send the root-ca cert but the golang application might still use it from 'local' store so to say to validate the chain. But I'll check this too - what certs the server sends out - usually it should only be the cert itself as all systems have the root and the intermediary available locally.

Well, so there seems to be an issue with the openssl config and the way the root-ca cert is selfsigned - I'll check this. Thanks for the ASN.1 playaround ;-). Will check this soon!