New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/x509: "certificate signed by unknown authority" with seemingly valid certificate chain #28276
Comments
Hm, interesting. There's something more going on here...
Which reads from /etc/ssl/certs/ca-certificates.crt (and I ran update-ca-certificates just in case) But with openssl:
and this reads /etc/ssl/certs/e113c810.0 directly. |
... and the plot thickens. Chrome (68 and 69) likes it, Firefox does not. Looking at it in Firefox, it actually seems like they send 3 certificates: Cert 1: Signed by Certigna (which is in the system roots) It looks like Chrome is cool with this, Firefox, wget, and golang is not. I don't know what the "correct" thing here is. |
Yea.. This is definitely strange... I'm on Windows, so some of these are commands are linux, but Windows commands work too. Firefox rejects this site, but chrome loads it for me also.
None of the Windows cert stores (where Chrome looks) have this root.
|
Sounds interesting. On Censys, we see only 2 certs (without self-signed one); https://censys.io/certificates?q=www.aft.gouv.fr+and+tags%3A+trusted |
Sorry, forgot to replace the tag "trusted" with "%2A"; yup, they have three certs; https://censys.io/certificates?q=www.aft.gouv.fr+and+tags%3A+%252A |
Note that the issuer of this cert is Certigna, not the next cert on the list. And Certigna is in the list of roots. However upon looking a little more carefully, there's actually supposed to be an intermediate there -- the root is "Certigna" while this is "Certigna Services CA". And it's missing from the supplied chain, where I'd normally expect to see it. But then ... why does openssl work? Unclear. The supplied cert does have
However I don't see openssl try to connect to those URIs. And I don't have it locally (or in strace). But I'm definitely inclined to say "server misconfigured" at this point, but I'm still unclear on how openssl s_client works things out. |
Aha, with a tcpdump, looks like go is getting different certs than openssl. And sure enough, with
it fails, because it gets those bogus certs. Without the -servername, it's all good. Moral of the story ... SSL is complicated and difficult to debug. Sorry for the totally off-topic bug! |
Version: go version go1.11.1 linux/amd64
Trying to fetch any data from https://www.aft.gouv.fr/ results in an error, but chrome and openssl s_client are both happy. Checked that there's a Certigna CA root in my /etc/ssl/certs (which is the ultimate root presented by this site). One odd observation is that the serial number in chrome has an extra leading 00 byte compared to what "openssl x509 -text" prints for that certificate. I can see the execution do "openat" syscalls on all the /etc/ssl/certs files (the "correct" cert is e113c810.0 aka "Certigna" -- openssl only opens that one file).
The text was updated successfully, but these errors were encountered: