cmd/go: go mod download failure (?) due to x509 certificate signed by unknown authority #45569

Closed
alexec opened this issue Apr 14, 2021 · 6 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

@alexec

alexec commented Apr 14, 2021

What version of Go are you using (go version)?

docker run -ti golang:1.16.2 go version
go version go1.16.2 linux/amd64

Does this issue reproduce with the latest release?

Yes?

What operating system and processor architecture are you using (go env)?

go env Output
docker run -ti golang:1.16.2 go env    
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.2"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1381670037=/tmp/go-build -gno-record-gcc-switches"

What did you do?

What did you expect to see?

go mod download is successful.

What did you see instead?

94eBF1eNgtNEsoNLAwN7kB7ystJzepXk7SVBp9IzwQpycYFb9cop3oV7Bvl0vWQ7%2BqXt4ZdMyjyTDQBE3C42lbPAWBPauECzYIZ5BwmNE17Jn9xrpg%3D%3D": x509: certificate signed by unknown authority
#18 10.63 /go/pkg/mod/github.com/!shopify/sarama@v1.28.0/compress.go:10:2: github.com/pierrec/lz4@v2.6.0+incompatible: Get "https://storage.googleapis.com/proxy-golang-org-prod/23c25614895b58b9-github.com:pierrec:lz4-v2.6.0+incompatible.zip?Expires=1618501091&GoogleAccessId=gcs-urlsigner-prod%40golang-modproxy.iam.gserviceaccount.com&Signature=rL11YO%2BGlHuO%2BrkvIt7XjYBClZPeFAsBpw3tVfTIvIAeQKVamjwja3ineYXSeOfaBYcvYV58ro3teq21asRJ%2FiKUtDO0EflFS258Rr8O1yS86ByeFWNXScXpu1z2Lzn6y8y5i22SBC934hQuXHKU3X0baSvWw2F8QRdBN%2BIMTjSgrN9bcjpRRYTUCsGVvz0sytOKyRoZPZZAJvMfBvJxk9PmrDa0Xq7LjHCnLtmvjRJyZqdNhVnDxMRAPd8uzfwlROW2RCE1hT1TRXWgMte833SQMtdpdqlbhP2VBVmPtBOtiDuubH%2BM2bps9NskQhVp%2FF1An7S8Ui3zFxXOKH%2FCOg%3D%3D": x509: certificate signed by unknown authority
@mknyszek mknyszek changed the title from "https://storage.googleapis.com/proxy-golang-org-prod ... x509: certificate signed by unknown authority" to "cmd/go: go mod download failure (?) due to x509 certificate signed by unknown authority" Apr 14, 2021
@mknyszek mknyszek added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Apr 14, 2021
@mknyszek mknyszek added this to the Backlog milestone Apr 14, 2021
@seankhliao
Member

what's the output of

openssl s_client -showcerts -connect storage.googleapis.com:443 </dev/null | openssl x509 -text -noout

@mknyszek
Contributor

Could you please provide the following additional information?

  1. Is this an issue with the go mod download command?
  2. If so, what modules are you passing to it? I can infer that it's github.com/pierrec/lz4@v2.6.0+incompatible from the error message but I don't want to get ahead of myself.
  3. It seems like you're running this in Docker, so can you please provide the exact set of steps to reproduce? For example, it's possible that there's some bad networking interaction between the go mod command and Docker's networking configuration.

Thanks.

CC @bcmills @jayconrod @matloob via https://dev.golang.org/owners, though it's possible this boils down to an issue in x509.

@alexec
Author

alexec commented Apr 14, 2021

#14 [builder 5/6] RUN openssl s_client -showcerts -connect storage.googleapis.com:443 </dev/null | openssl x509 -text -noout
#14 sha256:3774aff1f325e747b4653c28d2faf1a0aa22627a56163b134baa2be2aecae959
#14 0.409 depth=2 C = US, ST = California, L = Los Altos, O = netSkope Inc, OU = Cert Management, CN = caadmin.netskope.com, emailAddress = certadmin@netskope.com
#14 0.409 verify error:num=19:self signed certificate in certificate chain
#14 0.409 verify return:1
#14 0.409 depth=2 C = US, ST = California, L = Los Altos, O = netSkope Inc, OU = Cert Management, CN = caadmin.netskope.com, emailAddress = certadmin@netskope.com
#14 0.409 verify return:1
#14 0.409 depth=1 C = US, ST = CA, L = Mountain View, O = Intuit, OU = 80c975da8527600ce4c6d21ba2e4c4bc, CN = ca.intuitprd.goskope.com, emailAddress = certadmin@netskope.com
#14 0.409 verify return:1
#14 0.409 depth=0 CN = *.googleapis.com
#14 0.409 verify return:1
#14 0.411 DONE
#14 0.412 Certificate:
#14 0.412     Data:
#14 0.412         Version: 3 (0x2)
#14 0.412         Serial Number:
#14 0.412             b0:b4:c6:0f:21:4d:40:74:a6:6b:e4:c4:5c:7b:8d:26
#14 0.412         Signature Algorithm: sha256WithRSAEncryption
#14 0.412         Issuer: C = US, ST = CA, L = Mountain View, O = Intuit, OU = 80c975da8527600ce4c6d21ba2e4c4bc, CN = ca.intuitprd.goskope.com, emailAddress = certadmin@netskope.com
#14 0.412         Validity
#14 0.412             Not Before: Mar  8 03:01:49 2021 GMT
#14 0.412             Not After : Apr  7 03:01:49 2022 GMT
#14 0.412         Subject: CN = *.googleapis.com
#14 0.412         Subject Public Key Info:
#14 0.412             Public Key Algorithm: rsaEncryption
#14 0.412                 RSA Public-Key: (2048 bit)
#14 0.412                 Exponent: 65537 (0x10001)
#14 0.412         X509v3 extensions:
#14 0.412             X509v3 Basic Constraints: 
#14 0.412                 CA:FALSE
#14 0.412             X509v3 Subject Key Identifier: 
#14 0.412                 F8:C0:2F:F9:11:CF:71:61:DF:E2:9F:9E:4E:FA:91:3E:5C:E6:A5:EF
#14 0.412             X509v3 Subject Alternative Name: 
#14 0.412                 DNS:*.googleapis.com, DNS:googleapis.com
#14 0.412             X509v3 Key Usage: critical
#14 0.412                 Digital Signature, Key Encipherment
#14 0.412             X509v3 Extended Key Usage: 
#14 0.412                 TLS Web Server Authentication, TLS Web Client Authentication
#14 0.412     Signature Algorithm: sha256WithRSAEncryption
#14 DONE 0.4s

Could you please provide the following additional information?

  1. Is this an issue with the go mod download command?

Correct. Or go build ., whichever is run.

  2. If so, what modules are you passing to it? I can infer that it's github.com/pierrec/lz4@v2.6.0+incompatible from the error message but I don't want to get ahead of myself.

It does seem to be that issue.

I've just realized that I upgraded Docker Desktop yesterday, and it is coincident with that.

  3. It seems like you're running this in Docker, so can you please provide the exact set of steps to reproduce? For example, it's possible that there's some bad networking interaction between the go mod command and Docker's networking configuration.

https://github.com/argoproj-labs/argo-dataflow/blob/main/Dockerfile#L11

HOLD FOR THE MOMENT. I'M GOING TO FACTORY RESET DOCKER

@seankhliao
Copy link
Member

It appears you have a corporate firewall MITMing your https connections, you'll need an appropriate CA certificate from your IT / Security people to trust all connections.
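
The diagnosis above, as an added Go example that is not part of the original thread: a TLS-inspecting proxy re-signs the server certificate with its own CA, so Go's verifier returns `x509.UnknownAuthorityError` until that CA is in the trust store. The CA name, the function names and the single-level chain (the chain in the thread also has an intermediate) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for public key pub with the signer's key (constructed sample data only).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if cert, err := x509.ParseCertificate(der); err == nil { // also fails when signing produced no DER
		return cert
	}
	panic("could not construct sample certificate")
}

// ConstructedChain mimics the thread: an inspection CA (hypothetical name) minting a *.googleapis.com leaf.
func ConstructedChain() (root, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{Organization: []string{"Example Inspection Proxy"}}}
	root = issue(ca, ca, caPub, caKey)
	return root, issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"*.googleapis.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, pub, caKey)
}

// UnknownIssuer returns the leaf's issuer when the only verification failure is an untrusted signer.
func UnknownIssuer(leaf *x509.Certificate, roots *x509.CertPool, host string) (string, error) {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if errors.As(err, new(x509.UnknownAuthorityError)) {
		return leaf.Issuer.String(), nil
	}
	return "", err // nil when trusted; hostname or expiry errors pass through unchanged
}

func main() {
	root, leaf := ConstructedChain()
	pool := x509.NewCertPool() // stands in for an image CA bundle without the proxy's root
	fmt.Println(UnknownIssuer(leaf, pool, "storage.googleapis.com"))
	pool.AddCert(root) // the fix from the thread: trust the proxy's CA certificate
	fmt.Println(UnknownIssuer(leaf, pool, "storage.googleapis.com"))
}
```

An issuer that is not the public CA expected for the host, as with the Netskope names in the `openssl` output above, is the signal that the connection is being intercepted rather than that the Go toolchain is at fault.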

@alexec
Author

alexec commented Apr 14, 2021

Ah presumably you think O = netSkope Inc, is that - I think that is likely. Factory reset did not help

@alexec
Author

alexec commented Apr 14, 2021

Boom! Disabling NetSkope fixes the issue. Awesome.

Can I say a big thank you? So many projects you ask for help, and you don't get a reply for ages. This really helped me get to the problem quickly and get back to work.

Kudos to you all!

@alexec alexec closed this as completed Apr 14, 2021
@golang golang locked and limited conversation to collaborators Apr 14, 2022