crypto/tls: go get failed on Mac with "x509: certificate signed by unknown authority" #24147
Labels
FrozenDueToAge
WaitingForInfo
Issue is not actionable because of missing required information, which needs to be provided.
Comments
|
@phye Have you modified your keychain certificate trust? k8s.io looks to use Let's Encrypt which should be trusted on your mac. |
bradfitz
added
the
WaitingForInfo
|
I don't think I've ever modified my keychain certificate trust. Anyway, since I'm not familiar with encrypt/decrypt, if you can provide me hint to check that, I can provide more info follow your instructions. On the other hand, I've tried |
|
Could you paste the full output of k8s.io is currently serving a Let's Encrypt certificate: https://letsencrypt.org/certificates/ That requires either DST Root CA X3 or ISRG Root X1 trusted on your mac. On my Mac |
bradfitz
changed the title
|
I'm sorry, I meant $ curl -v https://k8s.io:443 [18-03-01 10:26:55]
* Rebuilt URL to: https://k8s.io:443/
* Trying 23.236.58.218...
* TCP_NODELAY set
* Connected to k8s.io (23.236.58.218) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=k8s.io
* start date: Feb 16 19:26:58 2018 GMT
* expire date: May 17 19:26:58 2018 GMT
* subjectAltName: host "k8s.io" matched cert's "k8s.io"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: k8s.io
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.10.3
< Date: Thu, 01 Mar 2018 02:29:02 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Location: https://kubernetes.io/
<
Here's $ go get -v -d k8s.io/kubernetes [18-03-01 10:31:27]
Fetching https://k8s.io/kubernetes?go-get=1
https fetch failed: Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority
package k8s.io/kubernetes: unrecognized import path "k8s.io/kubernetes" (https fetch: Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority)Strange enough, I only recalled that I've once imported some certificate for our customer, but never deleted any. I further checked DST Root CA and ISRG Root X1, and they're all there in my Keychain Access. Somehow go simply could not find them or ignore them? Regarding how go is installed, I simply install it via homebrew: |
|
That's odd. I was able to reproduce the error if I marked The cgo code which collects certs doesn't offer much for debug logging. Are you willing to add some and see what's outputted? I'm going to file a CL, which you could use, to add some debug logging for this going forward. |
|
Change https://golang.org/cl/97801 mentions this issue: |
|
Sure, let me follow the CL to provide more info. Thanks for your patient help! |
|
I was trying to apply your patch, but apparently the diff you provided does not match my I was using go 1.10, can you send a matching one? $ go version [18-03-01 12:18:07]
go version go1.10 darwin/amd64Also, do you know how to apply your diff directly via CLIs? I've never applied golang CL before, hence the silly question. |
|
@phye You can Download the patch and apply it like so. Afterwords, you'll need to I forgot to include some sample code you can use to print the system certs. package main
import (
"crypto/x509"
"fmt"
"time"
)
func main() {
start := time.Now()
certs, err := x509.SystemCertPool()
end := time.Now()
if err != nil {
panic(err)
}
fmt.Printf("found %d certs in %v\n", len(certs.Subjects()), end.Sub(start))
}Thanks for helping debug this! |
|
I'm sorry @adamdecaf, as I stated earlier, your diff does not match what I have locally. Here'e the apply output: phye:go/ $ base64 -D ~/Downloads/0ee3287.diff.base64 | git apply --verbose
Checking patch src/crypto/x509/root_cgo_darwin.go...
error: while searching for:
import "C"
import (
"errors"
"unsafe"
)
error: patch failed: src/crypto/x509/root_cgo_darwin.go:215
error: src/crypto/x509/root_cgo_darwin.go: patch does not apply
Checking patch src/crypto/x509/root_darwin.go...
error: while searching for:
"sync"
)
var debugExecDarwinRoots = strings.Contains(os.Getenv("GODEBUG"), "x509roots=1")
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
return nil, nil
error: patch failed: src/crypto/x509/root_darwin.go:22
error: src/crypto/x509/root_darwin.go: patch does not applyCan you send me a new patch? |
|
@phye What git hash are you on? I'm basing the change off the Go1.10 tag. https://github.com/golang/go/blob/go1.10/src/crypto/x509/root_cgo_darwin.go Looking at your file again (#24147 (comment)) you might be on an older version. Around go1.5 This version looks very similar to the one you posted. https://github.com/golang/go/blob/go1.5/src/crypto/x509/root_cgo_darwin.go |
|
You're right @adamdecaf ! Having realized the silly mistake above, I tried to completely remove the 'brew install' 1.10 go version, the very old 1.5 go and tried to reinstall go 1.10 via the official OSX golang 1.10 packages. But unfortunately, I still cannot run So, here's the output after applying your patch: |
|
@adamdecaf I seems to find something odd, the And in the output above, you can find the this certificate is listed in |
|
@adamdecaf, somehow I found two Anyway, I can Thanks so much for your help! |
|
@phye Sure thing! Glad we didn't find a bug. The @bradfitz (or someone) could you close this out? https://golang.org/cl/97801 helped debug the problem here and would be nice to get merged. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Please answer these questions before submitting your issue. Thanks!
What did you do?
If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.
$ go get -d k8s.io/kubernetes
package k8s.io/kubernetes: unrecognized import path "k8s.io/kubernetes" (https fetch: Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority)
What did you expect to see?
Packages can be pulled down and installed directly
What did you see instead?
The x509 certificate error prevents everything
System details
The text was updated successfully, but these errors were encountered: