certificates at /etc/ssl/certs/ getting ignored on FreeBSD


niloy....@gmail.com

Aug 29, 2016, 7:55:34 PM
to golang-nuts

What version of Go are you using (go version)?

go version devel +e6f9f39 Mon Aug 29 18:25:33 2016 +0000 linux/amd64
Checked out 1.7 from the git master branch and compiled it.


What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/ndebnath/opensource"
GORACE=""
GOROOT="/home/ndebnath/golang/go"
GOTOOLDIR="/home/ndebnath/golang/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build614456670=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"


What did you do?

Installed CAcert on a FreeBSD system. I placed the certificate in /etc/ssl/certs, calculated the hash
and then created a symlink from /etc/ssl/certs/.0 to cacert.pem.

Now the problem is that fetch doesn't even look there. It only looks at
/usr/local/share/certs/ca-root-nss.crt. So if I remove cert.pem I get the error below:

Certificate verification failed for /C=xx/ST=xx/OU=Server/L=unknown/CN=localhost
91426:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:974:
fetch: https://ip:port/v1/agent/checks: Authentication error

And other https requests are not going through because of "x509: certificate signed by unknown authority".

During investigation I have seen that Go does not check the files in the /etc/ssl/certs/ location if the symbolic link for the NSS root exists (https://golang.org/src/crypto/x509/root_unix.go: line 32). If I comment out this return statement then it works for me.


What did you expect to see?

Both the system default CA cert and the CA files inside the /etc/ssl/certs/ location should work together on FreeBSD.


What did you see instead?

The CA file at the /etc/ssl/certs/ location is not getting validated when a system default CA exists.

Niloy Debnath

Aug 29, 2016, 8:08:18 PM
to golang-nuts

Dave Cheney

Aug 29, 2016, 10:20:40 PM
to golang-nuts
These are the locations that are searched on *BSD machines:

// Possible certificate files; stop after finding one.
var certFiles = []string{
        "/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
        "/etc/ssl/cert.pem",                      // OpenBSD
        "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

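The behaviour described in the first post and in the certFiles list above is that the runtime stops at the first file it finds, so a CA dropped into /etc/ssl/certs/ on FreeBSD is never consulted once ca-root-nss.crt exists. The usual mitigation on the application side, rather than patching root_unix.go, is to start from x509.SystemCertPool and append the extra directory yourself, keeping full verification (chain and hostname) but with a wider set of roots. The following is an added example written for this thread; it is not code from the Go project or from either poster. The function names (PoolWithExtraRoots, VerifiesAsServer, NewTestCAAndLeaf) are assumptions, the default directory is the /etc/ssl/certs from the thread, and the CA and "localhost" leaf it generates are in-memory fixture data, not real keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// PoolWithExtraRoots starts from whatever x509.SystemCertPool found (on FreeBSD
// the first hit in certFiles, i.e. ca-root-nss.crt) and appends every CERTIFICATE
// block from *.pem / *.crt files in extraDir, so a locally installed CA such as
// /etc/ssl/certs/cacert.pem is trusted alongside the system roots.
// It returns the merged pool and how many certificates extraDir contributed.
func PoolWithExtraRoots(extraDir string) (*x509.CertPool, int, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system pool on this platform: start empty
	}
	entries, err := os.ReadDir(extraDir)
	if err != nil {
		return nil, 0, err
	}
	added := 0
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || !(strings.HasSuffix(name, ".pem") || strings.HasSuffix(name, ".crt")) {
			continue
		}
		data, err := os.ReadFile(filepath.Join(extraDir, name))
		if err != nil {
			return nil, added, err
		}
		// One file may bundle several certificates; add each one that parses.
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue
			}
			cert, perr := x509.ParseCertificate(block.Bytes)
			if perr != nil {
				continue // skip junk entries rather than failing the whole pool
			}
			pool.AddCert(cert)
			added++
		}
	}
	return pool, added, nil
}

// VerifiesAsServer reports whether leaf chains to a root in pool for host,
// which is the check crypto/tls performs during a client handshake.
func VerifiesAsServer(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// NewTestCAAndLeaf builds a throwaway root CA and a "localhost" server cert signed
// by it (constructed fixture data, so generation errors are deliberately ignored).
func NewTestCAAndLeaf() (caPEM []byte, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames:  []string{"localhost"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

func main() {
	dir := "/etc/ssl/certs" // the directory from the thread; override with argv[1]
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	pool, added, err := PoolWithExtraRoots(dir)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("appended %d certificate(s) from %s to the system roots\n", added, dir)
	// Hand the merged pool to clients: verification still happens, just with wider roots.
	_ = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}
```

Note that this widens trust only for the client that uses the merged pool, which is the intended scope: a CA placed in a directory the OS never consults should not silently become trusted for every Go binary on the host.
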
flynn boxing

Oct 4, 2020, 4:42:43 PM
to golang-nuts
I'm having a similar problem as the above guy, so I made a root CA and an intermediate, then a server cert for Nginx, loaded it in Nginx in nginxdir/ssl, and loaded the CA into Firefox and Chromium as trusted CAs. It went fine visiting my site, then DistroWatch; I went on the site and it said that it's not safe, so I approved it through my CA. Then every site I tried going to after said insecure connection, certificate only valid for, and the search engine site uses htsp and I won't be able to connect, so then I removed my CA completely from Chromium and Firefox and it's still not letting me on any sites. The CA trust lists on both browsers aren't showing my CA but all the trusted ones from Mozilla, and it's still not letting me get on any sites. Anyone have a fix for me? Please help.