Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: certificates at /etc/ssl/certs/ ignored on FreeBSD, etc #16920

Closed
buro1983 opened this issue Aug 29, 2016 · 5 comments
Closed

crypto/x509: certificates at /etc/ssl/certs/ ignored on FreeBSD, etc #16920

buro1983 opened this issue Aug 29, 2016 · 5 comments
Labels
FrozenDueToAge help wanted NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-FreeBSD
Milestone

Comments

@buro1983
Copy link

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version devel +e6f9f39 Mon Aug 29 18:25:33 2016 +0000 linux/amd64
Checkout 1.7 from git master branch and compiled.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/ndebnath/opensource"
GORACE=""
GOROOT="/home/ndebnath/golang/go"
GOTOOLDIR="/home/ndebnath/golang/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build614456670=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

Install CAcert on FreeBSD system. I placed the certificate in /etc/ssl/certs, calculated the hash
and then created a symlink from /etc/ssl/certs/<ca_file_hash>.0 to cacert.pem.

Now the problem is fetch doesn't even look there. It only looks at
/usr/local/share/certs/ca-root-nss.crt. So if I remove cert.pem then getting below error,

Certificate verification failed for /C=xx/ST=xx/OU=Server/L=unknown/CN=localhost
91426:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:974:
fetch: https://ip:port/v1/agent/checks: Authentication error

And other https request is not going through because of "x509: certificate signed by unknown authority".

During investigation I have seen that go does not checks for /etc/ssl/certs/ location files if symbolic link for nss root exist (https://golang.org/src/crypto/x509/root_unix.go: Line 32). If I comment out this return statement then it worked for me.

What did you expect to see?

Both, systems default ca cert and ca files inside /etc/ssl/certs/ location should work together on FreeBSD.

What did you see instead?

ca file at /etc/ssl/certs/ location is not getting validated when system default ca exist.

@bradfitz bradfitz changed the title certificates at /etc/ssl/certs/ getting ignored on FreeBSD crypto/x509: certificates at /etc/ssl/certs/ ignored on FreeBSD Aug 30, 2016
@bradfitz bradfitz added this to the Go1.8Maybe milestone Aug 30, 2016
@davecheney
Copy link
Contributor

We already check three locations on *BSD systems. Those are believed to be the correct locations, but *BSD's love to change things around. Can you please provide some documentation to demonstrate that this location is stable.

@ikrabbe
Copy link
Contributor

ikrabbe commented Sep 27, 2016

The standard linux way to load certificates is through the /etc/ssl/certs/ca-certificates.crt file, that has a brain-dead update policy, taking several directories and auto-generated configuration files into account. I simply did not manage to add my own certificate on first-shot. Now it is working.

Generally spoken, the load mechanism for root certificates should be more transparent, maybe through

go test -v crypto/x509

.

Not only on FreeBSD but also on my gentoo installation. I can curl the https url and I can google-chrome the url with a nice green lock icon but I cannot

go get https://my.local.service/gitmap?go-get=1

for example. That's what I currently try, actually.

@bradfitz bradfitz changed the title crypto/x509: certificates at /etc/ssl/certs/ ignored on FreeBSD crypto/x509: certificates at /etc/ssl/certs/ ignored on FreeBSD, etc Sep 27, 2016
@quentinmit quentinmit added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 10, 2016
@rsc
Copy link
Contributor

rsc commented Oct 20, 2016

The fact that this is a standard Linux place does not justify looking there on FreeBSD. Can you please point to something indicating that this is a standard FreeBSD location?

@geoffgarside
Copy link

geoffgarside commented Oct 21, 2016

@buro1983 is the issue that you want, or expect, /etc/ssl/certs/ directory loaded in addition to /usr/local/share/certs/ca-root-nss.crt from the security/ca_root_nss package?

The loadSystemRoots() will only load one location, once its found and loaded either a CAfile or a CApath it will return and won't scan any further files. This seems right to me, but might not be what you're specifically after.

From the "What did you expect to see?" section it seems like you'd want it to load the first found certFiles entry and then load any certificates found in the certDirectories list?

This kind of feeds in to the comments on https://golang.org/cl/20253 regarding continuing to load certDirectories after loading certFiles.

@rsc rsc modified the milestones: Go1.9, Go1.8Maybe Nov 2, 2016
@gopherbot
Copy link

CL https://golang.org/cl/36093 mentions this issue.

@golang golang locked and limited conversation to collaborators May 3, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge help wanted NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-FreeBSD
Projects
None yet
Development

No branches or pull requests

8 participants