crypto/x509: certificates at /etc/ssl/certs/ ignored on FreeBSD, etc #16920
Comments
We already check three locations on *BSD systems. Those are believed to be the correct locations, but *BSDs love to change things around. Can you please provide some documentation to demonstrate that this location is stable?
The standard Linux way to load certificates is through the Generally spoken, the load mechanism for root certificates should be more transparent, maybe through
.
The fact that this is a standard Linux place does not justify looking there on FreeBSD. Can you please point to something indicating that this is a standard FreeBSD location?
@buro1983 is the issue that you want, or expect, The From the "What did you expect to see?" section it seems like you'd want it to load the first found This kind of feeds in to the comments on https://golang.org/cl/20253 regarding continuing to load
CL https://golang.org/cl/36093 mentions this issue.
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (go version)?
go version devel +e6f9f39 Mon Aug 29 18:25:33 2016 +0000 linux/amd64
Checkout 1.7 from git master branch and compiled.
What operating system and processor architecture are you using (go env)?
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/ndebnath/opensource"
GORACE=""
GOROOT="/home/ndebnath/golang/go"
GOTOOLDIR="/home/ndebnath/golang/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build614456670=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
What did you do?
Installed CAcert on a FreeBSD system. I placed the certificate in /etc/ssl/certs, calculated the hash
and then created a symlink from /etc/ssl/certs/<ca_file_hash>.0 to cacert.pem.
Now the problem is that fetch doesn't even look there. It only looks at
/usr/local/share/certs/ca-root-nss.crt. So if I remove cert.pem, I get the error below:
Certificate verification failed for /C=xx/ST=xx/OU=Server/L=unknown/CN=localhost
91426:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:974:
fetch: https://ip:port/v1/agent/checks: Authentication error
And other HTTPS requests are not going through because of "x509: certificate signed by unknown authority".
During investigation I have seen that Go does not check the files in the /etc/ssl/certs/ location if the symbolic link for the NSS root exists (https://golang.org/src/crypto/x509/root_unix.go: Line 32). If I comment out this return statement, then it works for me.
What did you expect to see?
Both the system's default CA cert and the CA files inside the /etc/ssl/certs/ location should work together on FreeBSD.
What did you see instead?
The CA file at the /etc/ssl/certs/ location is not getting validated when the system default CA exists.