Getting x509: certificate signed by unknown authority

20,619 views

dsk...@gmail.com

Jan 5, 2014, 3:30:02 AM1/5/14
to golan...@googlegroups.com
Hi,

I'm trying to
but I keep getting
err = x509: certificate signed by unknown authority

But when I open the URL in Chrome it tells me the certificate is valid.
I found https://code.google.com/p/go/issues/detail?id=5301 but I have no idea if this is the issue here or how to check that.
I've done
just in case but I don't know if that would make any difference or how to tell Go to use that new package for SSL certificate verification.

Any suggestions for how to fix or work around this?

Thanks!
David

Alex Zorin

Jan 5, 2014, 4:11:10 AM1/5/14
to golan...@googlegroups.com, dsk...@gmail.com
Weird, http://play.golang.org/p/6z0qP7mLYt works just fine on my machine.

What happens if you curl https://api.bitfinex.com/v1/ticker/btcusd? Certificate error as well?

Alex

David de Kloet

Jan 5, 2014, 4:16:33 AM1/5/14
to Alex Zorin, golan...@googlegroups.com
On Sun, Jan 5, 2014 at 10:11 AM, Alex Zorin <al...@zor.io> wrote:
Weird, http://play.golang.org/p/6z0qP7mLYt works just fine on my machine.

Really? For me it gives
panic: Get https://api.bitfinex.com/v1/ticker/btcusd: dial tcp: error reading DNS config: open /etc/resolv.conf: No such file or directory

Oh, on your machine you say?
What version are you using? I have go1.2 darwin/amd64. Maybe it just doesn't work on Mac?

What happens if you curl https://api.bitfinex.com/v1/ticker/btcusd? Certificate error as well?

No, curl works just fine for me.

David de Kloet

Jan 5, 2014, 1:44:42 PM1/5/14
to Alex Zorin, golan...@googlegroups.com
Maybe it just doesn't work on Mac?

I just tried it on Windows and it works fine there.
Any idea why it wouldn't work on Mac or just not on my machine? 

Kevin P

Jan 5, 2014, 3:10:30 PM1/5/14
to golan...@googlegroups.com, dsk...@gmail.com
I'm pretty sure this has something to do with the cert store on the mac as things changed after 10.7. You may want to check http://golang.org/src/pkg/crypto/x509/root_darwin.go.

So I'm guessing Go doesn't verify the cert with the system cert store.

David de Kloet

Jan 5, 2014, 3:20:45 PM1/5/14
to Kevin P, golan...@googlegroups.com
Thanks for the link but I'm not sure what I can check about it.
I'm on OSX 10.9.1. Is there anything I can do?

Note that other https URLs worked fine, so there must also be something different about this URL.

Kevin P

Jan 5, 2014, 3:23:05 PM1/5/14
to golan...@googlegroups.com, Kevin P, dsk...@gmail.com
You could also skip the verification.

import ("crypto/tls"; "net/http")

// InsecureSkipVerify turns off chain and hostname checks: any certificate is accepted.
tr := &http.Transport{
	TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
resp, err := client.Get("https://someurl:443/")
if err != nil {
	panic(err)
}
defer resp.Body.Close()

David de Kloet

Jan 5, 2014, 3:29:20 PM1/5/14
to Kevin P, golan...@googlegroups.com
Ah, thanks for the work around!

It would still be good to have it work in a safe way though.

Josh Bleecher Snyder

Jan 5, 2014, 10:17:02 PM1/5/14
to David de Kloet, Kevin P, golang-nuts
> Ah, thanks for the work around!
>
> It would still be good to have it work in a safe way though.

You can use your own set of root certs with a tls.Config. Setup is
something like:

* x509.NewCertPool to create a new cert pool
* AppendCertsFromPEM to add your root certs to the pool
* Create a tls.Config and set RootCAs to your pool
* Call Config's BuildNameToCertificate
* Use the Config in your http.Transport

My working code is bundled with a bunch of other goop at the moment,
but that should be enough to get you started.

-josh

roger peppe

Jan 6, 2014, 11:02:41 AM1/6/14
to dsk...@gmail.com, golang-nuts
Are you cross-compiling or compiling with cgo disabled, by any chance?

agl

Jan 6, 2014, 11:24:53 AM1/6/14
to golan...@googlegroups.com, dsk...@gmail.com
On Sunday, January 5, 2014 3:30:02 AM UTC-5, dsk...@gmail.com wrote:
I'm trying to
but I keep getting
err = x509: certificate signed by unknown authority

But when I open the URL in Chrome it tells me the certificate is valid.
I found https://code.google.com/p/go/issues/detail?id=5301 but I have no idea if this is the issue here or how to check that.
I've done
just in case but I don't know if that would make any difference or how to tell Go to use that new package for SSL certificate verification.

Chrome (and other browsers) perform lots of crazy workarounds for broken servers which is why this server will appear to work. However, it's fundamentally a server misconfiguration: the server is sending only the leaf certificate and is missing the RapidSSL intermediate[1]. If you try to load the site in Chrome for Android, you'll get a similar error.

Go on Windows uses CAPI for certificate verification and CAPI will use some of the same tricks and make this site appear to function.

The best answer is to get the site fixed. If you can't do that then you could supply a root set in the tls.Config which includes the RapidSSL intermediate[2] as a root.
Cheers

AGL
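
The setup Josh outlines (x509.NewCertPool, AppendCertsFromPEM, RootCAs on a tls.Config, the Config in an http.Transport) and the misconfiguration agl diagnoses (the server sends only the leaf and omits its intermediate) reproduced end to end, as an added example that is not code from the original thread or from the Go project. It builds a throwaway root -> intermediate -> leaf chain in memory (the CA names, serial numbers, lifetimes and the host name api.example.test are all made up), starts a local httptest server presenting either the leaf alone or leaf plus intermediate, and runs three client configurations: root-only trust store against the leaf-only server (the thread's "certificate signed by unknown authority"), the intermediate added to RootCAs against the same server (agl's stopgap), and the root-only store against a server that has been fixed to send its chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues a certificate for tmpl signed by parent; a nil parent yields a self-signed root (fixture setup, so failures panic).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// certTemplate builds a CA template, or a server (leaf) template when ca is false. Names, serials and lifetimes are made up.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !ca {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // httptest listens on loopback
	}
	return t
}

// serve starts a local HTTPS server that presents exactly chain (leaf first).
func serve(chain [][]byte, key *ecdsa.PrivateKey) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// get is the thread's recipe: pool -> tls.Config.RootCAs -> http.Transport -> http.Client. RootCAs replaces the system roots, it does not add to them.
func get(url string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err == nil {
		err = resp.Body.Close()
	}
	return err
}

// isUnknownAuthority reports whether err wraps "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	return errors.As(err, new(x509.UnknownAuthorityError))
}

// Run builds root -> intermediate -> leaf and tries the thread's three client/server combinations; nil means the request succeeded.
func Run() (leafOnlyVsRoot, leafOnlyVsIntermediate, fullChainVsRoot error) {
	root, rootKey := newCert(certTemplate("Example Root CA", 1, true), nil, nil)
	inter, interKey := newCert(certTemplate("Example Intermediate CA", 2, true), root, rootKey)
	leaf, leafKey := newCert(certTemplate("api.example.test", 3, false), inter, interKey)
	rootPool := x509.NewCertPool() // what a normal trust store holds: the root only
	rootPool.AddCert(root)
	interPool := x509.NewCertPool() // agl's workaround: the intermediate itself as a trust anchor
	if !interPool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw})) {
		panic("intermediate PEM did not parse")
	}
	broken := serve([][]byte{leaf.Raw}, leafKey) // misconfigured server: intermediate not sent
	defer broken.Close()
	leafOnlyVsRoot = get(broken.URL, rootPool)
	leafOnlyVsIntermediate = get(broken.URL, interPool)
	fixed := serve([][]byte{leaf.Raw, inter.Raw}, leafKey) // the real fix: the server sends its chain
	defer fixed.Close()
	fullChainVsRoot = get(fixed.URL, rootPool)
	return
}

func main() {
	a, b, c := Run()
	fmt.Printf("leaf only, root trusted: %v\nleaf only, intermediate trusted: %v\nfull chain, root trusted: %v\n", a, b, c)
}
```

Running it prints the unknown-authority error for the first combination and nil for the other two. Three caveats a practitioner should keep in mind: setting RootCAs replaces the system trust store rather than extending it, so to add one certificate to the normal roots start from x509.SystemCertPool() and append to that; putting an intermediate into RootCAs makes it a full trust anchor, which skips the root entirely and breaks the moment the CA rotates that intermediate, so treat it as a stopgap until the server is fixed; and tls.Config.BuildNameToCertificate only builds the server-side SNI lookup map from Certificates, so it is not needed for a client that just sets RootCAs. To check what a server actually sends, `openssl s_client -connect host:443 -showcerts` lists every certificate in the handshake, and a missing intermediate shows up as a chain that stops at the leaf.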

agl

Jan 6, 2014, 11:26:38 AM1/6/14
to golan...@googlegroups.com, Alex Zorin, dsk...@gmail.com
On Sunday, January 5, 2014 4:16:33 AM UTC-5, David de Kloet wrote:
No, curl works just fine for me.

cURL with OpenSSL should not work if certificate verification is enabled:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Cheers

AGL

David de Kloet

Jan 6, 2014, 2:01:03 PM1/6/14
to agl, golan...@googlegroups.com, Alex Zorin, rogp...@gmail.com, josh...@gmail.com
Thanks everybody!
I've informed the site owners about the problem.
If they don't respond I may try supplying the certificate locally but for now skipping verification is good enough.

I did try cross compiling first but the problems happened on my Mac with a binary also compiled on my Mac. I even tried explicitly enabling cgo.

The curl version on my mac does work fine.
$ curl https://api.bitfinex.com/v1/ticker/btcusd
{"mid":"915.505","bid":"915.01","ask":"916.0","last_price":"916.0","timestamp":"1389034691.750301036"}
$ curl -V
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz 

Adam Langley

Jan 6, 2014, 2:18:09 PM1/6/14
to David de Kloet, golang-nuts, Alex Zorin, roger peppe, josh...@gmail.com
On Mon, Jan 6, 2014 at 2:01 PM, David de Kloet <dsk...@gmail.com> wrote:
> The curl version on my mac does work fine.
> $ curl https://api.bitfinex.com/v1/ticker/btcusd
> {"mid":"915.505","bid":"915.01","ask":"916.0","last_price":"916.0","timestamp":"1389034691.750301036"}
> $ curl -V
> curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport

Ah, it's built against SecureTransport, not OpenSSL, which explains it.
Cheers

AGL

David de Kloet

Jan 7, 2014, 3:02:32 PM1/7/14
to Adam Langley, golang-nuts, Alex Zorin, roger peppe, josh...@gmail.com
The owners have already fixed their setup.
Thanks again, everyone, for the help.