crypto/tls: include more details when issuing "certificate signed by unknown authority" error #4619

Closed
davecheney opened this issue Jan 5, 2013 · 9 comments

@davecheney
Contributor

What steps will reproduce the problem?

# go get -v code.google.com/p/go.codereview/cmd/hgpatch
package code.google.com/p/go.codereview/cmd/hgpatch: Get https://code.google.com/p/go/source/checkout?repo=codereview: x509: certificate signed by unknown authority

What is the expected output? What do you see instead?

Package installation succeeds

Please use labels and text to provide additional information.

I believe this is a failure of the crypto/tls package to locate the ca-certs.txt file on
this machine. Doing the checkout manually produces

# hg clone https://code.google.com/p/go.codereview code.google.com/p/go.codereview
warning: code.google.com certificate with fingerprint ca:5e:a3:f8:40:90:6b:ea:25:19:6f:a8:a1:82:bb:6c:6b:2d:96:85 not verified (check hostfingerprints or web.cacerts config setting)
requesting all changes


# uname -a
FreeBSD raspberry-pi.local 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r244906M: Sat Jan  5 01:14:23 JST 2013     aoyama@fbs.local:/usr/obj-rpi-clang/arm.armv6/usr/src/sys/RPI-B-test11  arm

@minux
Member

minux commented Jan 5, 2013

Comment 1:

You need to install the root-certificates (package security/ca_root_nss in ports)
or just copy the one from another machine.
I'm curious as to why FreeBSD doesn't include a copy of them in the base system.
It seems all *BSD do the same (at least NetBSD base doesn't bundle the certificates).

@minux
Member

minux commented Jan 5, 2013

Comment 2:

I wonder if we should change the error message to say:
x509: certificate signed by unknown authority (system root certificates not found)

@davecheney
Contributor Author

Comment 3:

I think that we should. crypto/tls is searching the system ca store on
our behalf, so I think it is acceptable to disclose this in the error
message.
+ cc: agl

@gopherbot

Comment 4 by leterip:

This issue can also be triggered on OS X if the package was built with cgo disabled.
http://pastie.org/private/bwybpaa8y1mndczkqhvsa

@gopherbot

Comment 5 by thpickert:

I have the same issue in OS X 10.7.5. 'hg clone' works, but 'go get' fails. In IRC,
davecheney suggested that's because Mercurial treats the problem as a warning, whereas
the go tools treat it as an error.
I haven't gotten any workaround to do the trick for me, so I'll have to go about it
manually for now.

@rsc
Contributor

rsc commented Jan 30, 2013

Comment 6:

Labels changed: added priority-later, removed priority-triage.

@minux
Member

minux commented Jan 30, 2013

Comment 7:

Really add agl@ to cc this time.

Owner changed to @agl.

@minux
Member

minux commented Jan 30, 2013

Comment 8:

Ouch, sorry.

Owner changed to ---.

@agl
Contributor

agl commented Jan 30, 2013

Comment 9:

crypto/x509 now says "x509: failed to load system roots and no roots provided".
Fixed, I think?

Status changed to Fixed.

@rsc rsc added this to the Go1.1 milestone Apr 14, 2015
@rsc rsc removed the go1.1 label Apr 14, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
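
An added example (not code from the Go project or from any commenter in this thread): a Go program that tells apart the two conditions discussed above, `x509.SystemRootsError` (the "failed to load system roots and no roots provided" message from comment 9) and `x509.UnknownAuthorityError`, including when the error arrives wrapped. The helpers `must`, `newCA`, `verifyWith` and `classify` and the two throwaway CAs are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCA returns a throwaway self-signed CA certificate (constructed test data).
func newCA(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))))
}
// verifyWith checks cert against an explicit pool holding only root; the system store is not consulted.
func verifyWith(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
// classify (hypothetical helper) names the cause of a verification failure, even through %w wrapping.
func classify(err error) string {
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, new(x509.SystemRootsError)):
		return "no root store: install or supply a CA bundle"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "root store loaded, issuer not in it"
	}
	return "other: " + err.Error()
}
func main() {
	a, b := newCA("Constructed CA A"), newCA("Constructed CA B")
	fmt.Println(classify(verifyWith(a, a)), "|", classify(verifyWith(a, b)), "|", classify(x509.SystemRootsError{}))
}
```

Leaving `Roots` nil in `x509.VerifyOptions` makes `Verify` use the system store, which is the path that returns `SystemRootsError` on a host with no CA bundle installed.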