crypto/x509: 'certificate signed by unknown authority' on mipsle #32878

Closed
vitaliy-kuzmich opened this issue Jul 1, 2019 · 10 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

vitaliy-kuzmich commented Jul 1, 2019

Hello @FiloSottile, I tested on mipsle and it does not work. It says "509: certificate signed by unknown authority". The build command that I used:
env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle gotip build -a -o test


$ go version go1.12.6 linux/amd64
$ gotip version
go version devel +bc593ea Mon Jul 1 14:45:49 2019 +0000 linux/amd64
go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/v/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/v/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/lib/go"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build944548850=/tmp/go-build -gno-record-gcc-switches"

You can use our ✨ new golang.org/dl/gotip tool ✨ to easily test the development branch:

go get golang.org/dl/gotip
gotip download
GODEBUG=x509roots=1 gotip test -v -run TestSystemRoots crypto/x509

You can also use gotip build or gotip get in place of go build/go get to test if the patches resolve any issues you were experiencing. Please report back! Thank you.

/cc @cvigo @dichque @wdec @adamrothman @calmh @dadrian @vdemario

Originally posted by @FiloSottile in #24652 (comment)

Contributor

bcmills commented Jul 1, 2019

@vitaliy-kuzmich, note that the issue to which you are replying was specific to Darwin (a.k.a. macOS).

I'm guessing that 509: certificate signed by unknown authority will probably not be enough information to diagnose the issue. Are you able to share more detail about the certificate that failed the test?

@bcmills bcmills added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Jul 1, 2019
@bcmills bcmills added this to the Go1.14 milestone Jul 1, 2019
@bcmills bcmills changed the title This issue should now be fixed in master, but more testing would be appreciated before we backport it, in particular by anyone who had the self-contained test fail. crypto/x509: 'certificate signed by unknown authority' on mipsle Jul 1, 2019
Contributor

bcmills commented Jul 1, 2019

@vitaliy-kuzmich, @FiloSottile was asking for folks to run the test, but gotip build -a -o test will instead build the non-test sources for the package. Can you provide the complete list of commands that you ran?

Author

vitaliy-kuzmich commented Jul 1, 2019

@bcmills Thank you for the quick response. Indeed it is not Darwin, but I have exactly the same on mipsle on my router. I am trying to run a cross-compiled binary on an embedded device. Here is the source code that I used for the test:

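package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"net/http/cookiejar"
)

func main() {
	jar, err := cookiejar.New(nil)
	check(err)

	client := http.Client{Jar: jar}
	// Fails with "certificate signed by unknown authority" when no root CAs are found.
	res, err := client.Get("https://google.com")
	check(err)
	defer res.Body.Close()

	rs, err := ioutil.ReadAll(res.Body)
	check(err)
	fmt.Println(string(rs))
}

// check aborts the program on any error.
func check(err error) {
	if err != nil {
		log.Fatal(err)
	}
}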

I am not sure, but /etc/ssl/certs is empty on the embedded device. Should there be some certs? Or should the built binary create it?
Upd: I copied the certs from the host to the embedded device and still have this issue; I have no idea what goes wrong.

Contributor

bcmills commented Jul 1, 2019

@vitaliy-kuzmich, you can use go test -c to compile a test binary without running it.

I don't know how you would need to configure the root certs on a router so that a Go binary can find them.

@vitaliy-kuzmich
Author

Apologies, my fault: there is nothing wrong with Go, it works like a charm. I use an OpenWrt system, and for some reason the certificate package was missing. It is so cool that the same code works on different devices!

@vitaliy-kuzmich
Author

@bcmills Just thinking, maybe make the message clearer? Like "no certificates were found at default paths" or something, because it is really confusing if it says it is signed by an unknown authority, but the file just does not exist.
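
The clearer diagnostic suggested above, as an added example that is not part of the thread or of Go's crypto/x509: it reports an empty trust store instead of the bare unknown-authority error. The function names and the bundle file name are assumptions; /etc/ssl/certs is the directory mentioned in the thread.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// countCerts returns how many parseable CERTIFICATE PEM blocks path holds.
func countCerts(path string) (n int) {
	data, _ := os.ReadFile(path) // a missing or unreadable file counts as zero
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(block.Bytes); block.Type == "CERTIFICATE" && err == nil {
			n++
		}
	}
	return n
}

// rootsFound counts certificates in the bundle files and in every file of dirs.
func rootsFound(files, dirs []string) (total int) {
	for _, f := range files {
		total += countCerts(f)
	}
	for _, d := range dirs {
		entries, _ := os.ReadDir(d) // a missing directory yields no entries
		for _, e := range entries {
			total += countCerts(filepath.Join(d, e.Name()))
		}
	}
	return total
}

// explain rewrites a non-nil unknown-authority error when no roots exist at all.
func explain(err error, files, dirs []string) string {
	var ua x509.UnknownAuthorityError
	if errors.As(err, &ua) && rootsFound(files, dirs) == 0 {
		return fmt.Sprintf("no root certificates found in %v or %v (%v)", files, dirs, err)
	}
	return err.Error()
}

func main() {
	// Assumed paths: the directory is from the thread, the bundle file name is an assumption.
	files, dirs := []string{"/etc/ssl/certs/ca-certificates.crt"}, []string{"/etc/ssl/certs"}
	fmt.Println(explain(x509.UnknownAuthorityError{}, files, dirs))
}
```

Go on Unix also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so a non-default bundle location can be passed to explain in the same way.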

Contributor

bcmills commented Oct 9, 2019

@vitaliy-kuzmich, clearer error messages are always nice to have.

If you could post specific steps that we can run to reproduce the issue (preferably as a new issue on GitHub), I'd be happy to leave it open as help wanted for anyone interested to fix.

@bernardoaraujor

@vitaliy-kuzmich which package did you need to install?

@vitaliy-kuzmich
Author

@bernardoaraujor https://openwrt.org/packages/pkgdata/ca-bundle

@bernardoaraujor

I'm actually working on an OpenEmbedded based system. But your solution pointed me in the right direction, so thanks @vitaliy-kuzmich

For anyone that might be interested, I solved this by adding RDEPENDS_${PN} += "ca-certificates" to my BitBake recipe.

@golang golang locked and limited conversation to collaborators Nov 7, 2020