Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: error "x509: certificate signed by unknown authority" on valid SSL chain #16589

Closed
rasky opened this issue Aug 3, 2016 · 7 comments
Closed

crypto/x509: error "x509: certificate signed by unknown authority" on valid SSL chain #16589

rasky opened this issue Aug 3, 2016 · 7 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Go1.9

Comments

@rasky
Copy link
Member

rasky commented Aug 3, 2016
edited

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.7rc4 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/rasky/Sources/go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.7rc4/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.7rc4/libexec/pkg/tool/darwin_amd64"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/lw/jdbk7p_d4gj6qpydczpbw2080000gn/T/go-build080916688=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"

What did you do?

package main

import (
    "io"
    "net/http"
    "os"
)

func main() {
    resp, err := http.Get("https://blitznote.com/src/caddy.upload?go-get=1")
    if err != nil {
        panic(err)
    }

    io.Copy(os.Stdout, resp.Body)
}

What did you expect to see?

Some HTML output

What did you see instead?

panic: Get https://blitznote.com/src/caddy.upload?go-get=1: x509: certificate signed by unknown authority

goroutine 1 [running]:
panic(0x1fcd00, 0xc420400060)
    /usr/local/Cellar/go/1.7rc4/libexec/src/runtime/panic.go:500 +0x1a1
main.main()
    /private/tmp/test.go:12 +0xd0
exit status 2

Notice that visiting the same link with Safari produces no SSL error. The SSL certificate chain seems correct and the Comodo ECC CA is in OS X trust store.
@mdempsky
Copy link
Member

mdempsky commented Aug 3, 2016

/cc @agl

@jmassara
Copy link

jmassara commented Aug 3, 2016

I believe this is a dup of #16532.

@bradfitz bradfitz changed the title net/http: error "x509: certificate signed by unknown authority" on valid SSL chain crypto/x509: error "x509: certificate signed by unknown authority" on valid SSL chain Aug 3, 2016
@josharian
Copy link
Contributor

This isn't a dup of #16532, I think, because that issue is for the non-cgo code path, and go env indicates that cgo is enabled here.

@quentinmit quentinmit added this to the Go1.8 milestone Aug 4, 2016
@mark-kubacki
Copy link

@rasky, I have noticed you are using OS darwin. Do you get the same error with, say, this site?
https://scotthelme.co.uk/ecdsa-certificates/

I have not been able to reproduce this using go version go1.7rc4 linux/amd64:

$ docker pull golang:1.7rc4
$ docker run -ti --rm d7e6aaff64ae

go version
# go version go1.7rc4 linux/amd64

# [… paste the above script as 16589.go]
go run 16589.go
CGO_ENABLED="1" go run 16589.go
# both don't panic

@rasky
Copy link
Member Author

rasky commented Aug 5, 2016

@wmark yes, this bug is OSX-only, and it doesn't reproduce with the URL you linked.

@agl agl self-assigned this Aug 19, 2016
@xfreshx
Copy link

xfreshx commented Oct 5, 2016

@rasky unfortunately have the same on windows x86. I built my app on win64 with

  • GOARCH=386
  • CGO_ENABLED=1
    on win64 everything is fine. OS X version (with only CGO_ENABLED=1) is fine as well.

Any solution available yet?

@quentinmit quentinmit added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 5, 2016
@rsc rsc modified the milestones: Go1.9, Go1.8 Nov 11, 2016
@takieddine-sbiai takieddine-sbiai mentioned this issue Dec 15, 2016
Closed
@agl
Copy link
Contributor

agl commented Feb 8, 2017

Best I can tell, this is caused by "COMODO ECC Certification Authority" not being included in some OS X versions.

With 10.10, it's not included. That site can be loaded by Safari because the intermediate has an AIA pointer to a cross-sign from the AddTrust ECC root, which /is/ included. But the site isn't serving that cross-sign for Go.

With 10.12, the root is included and the test loads.

@agl agl closed this as completed Feb 8, 2017
@therynamo therynamo mentioned this issue Apr 22, 2017
Closed
@liggitt liggitt mentioned this issue Sep 24, 2017
Closed
@nifflin nifflin mentioned this issue Nov 5, 2017
Closed
@golang golang locked and limited conversation to collaborators Feb 8, 2018
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Go1.9
Development

No branches or pull requests
10 participants
@agl @mdempsky @josharian @rsc @quentinmit @mark-kubacki @rasky @jmassara @gopherbot @xfreshx