crypto/tls: Misleading "remote error: tls: certificate required" error when client cert CA not in server's accepted CAs list


Vinnie Vertongen
Jul 17, 2025, 1:06:25 AM
to golang-nuts
The `crypto/tls` library will not configure the client certificate if the signing certificate authority is not present in the list provided by the server in `CertificateRequest`. The current implementation causes the `remote error: tls: certificate required` error, making debugging the underlying CA issue difficult.

Additional notes:

1. The library code in handshake.go intentionally does not configure the certificate if there is no match.
2. The error is as expected (`remote error: tls: unknown certificate authority`) if you downgrade the client to TLS v1.2.
3. The behaviour seems intentional, so I didn't want to raise a bug ticket, but I think this needs an improvement (Config option?) to assist in debugging. It's confusing without reading the library code to understand the issue.


```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
)

func main() {
	// Client certificate and key in PEM form.
	clientCert, err := tls.LoadX509KeyPair("certificate", "key")
	if err != nil {
		log.Fatalf("Failed to load client certificate: %v", err)
	}

	// The certificate is only sent if its issuer appears in the server's
	// CertificateRequest CA list; otherwise the client sends no certificate.
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		ServerName:   "localhost",
	}
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: tlsConfig,
		},
	}
	resp, err := client.Get("https://localhost:8443")
	if err != nil {
		log.Printf("TLS Error: %v", err)
		return
	}
	defer resp.Body.Close()

	fmt.Printf("%v\n", resp.Status)
}
```

Example HAProxy configuration:
```
global
    daemon

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend mtls_frontend
    # Client certificate CA not present (remote error: tls: certificate required)
    bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
    # Client certificate CA present (success)
    #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/chain.pem
    default_backend web_servers

backend web_servers
    server web1 127.0.0.1:8080 check
```
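An added example (not from the original post and not part of `crypto/tls`) showing one way to surface the mismatch described above: a `tls.Config.GetClientCertificate` callback that compares the client certificate's issuer against the DER-encoded names the server advertised in `CertificateRequestInfo.AcceptableCAs` and fails the handshake client-side with a descriptive error instead of silently sending no certificate. The function names `diagnosingClientCert` and `selfSigned` and the throwaway self-signed certificates are my own constructions for demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// diagnosingClientCert returns a tls.Config.GetClientCertificate callback. Default
// selection silently sends no certificate when the leaf's issuer is not in the server's
// CertificateRequest CA list; this callback instead fails client-side, naming the mismatch.
func diagnosingClientCert(cert tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		leaf, err := x509.ParseCertificate(cert.Certificate[0])
		if err != nil {
			return nil, err
		}
		if len(cri.AcceptableCAs) == 0 { // server did not restrict issuers
			return &cert, nil
		}
		for _, ca := range cri.AcceptableCAs { // each entry is a DER-encoded issuer DN
			if bytes.Equal(ca, leaf.RawIssuer) {
				return &cert, nil
			}
		}
		return nil, fmt.Errorf("client cert issuer %q is not among the %d CAs the server accepts", leaf.Issuer.String(), len(cri.AcceptableCAs))
	}
}

// selfSigned builds a throwaway self-signed certificate (constructed test data, not a real CA).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

func main() {
	pick := diagnosingClientCert(selfSigned("client"))
	// A server that only trusts some other CA: the default client would send nothing.
	_, err := pick(&tls.CertificateRequestInfo{AcceptableCAs: [][]byte{selfSigned("other-ca").Leaf.RawSubject}})
	fmt.Println(err)
}
```

To use it against a real server, set `GetClientCertificate: diagnosingClientCert(clientCert)` in the `tls.Config` instead of `Certificates`; the handshake then aborts with the issuer-mismatch error on the client rather than the server's "certificate required" alert.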

Michael Oguidan
Jul 19, 2025, 6:19:37 AM
to golang-nuts
Hi, I would like to follow this with you, but I would like to know what a client certificate is.

Jason E. Aten
Jul 19, 2025, 5:57:09 PM
to golang-nuts
Hi Michael,


and

https://en.wikipedia.org/wiki/Mutual_authentication

In short, client certs are just like server certs.
Any cert is a public key signed by a Certificate Authority's private key.
The corresponding CA public key is used to verify the signature on the client cert (in TLS).

The client cert is then used to verify (during the TLS handshake) that the client
possesses the private key corresponding to the client cert public key.

To summarize, client certs, like server certs, are built into TLS. 
They provide for mutual authentication.  

Most web sites use other forms of client (user) authentication, because of
the hassle involved in configuring a web browser to obtain and deploy client certs.

If you want to play with them, I wrote a convenient tool called selfy that 
can readily generate CA key pairs and certs; here:


with description here:

Here is how you use them in code (including password protection checking):


Best,
Jason

Vinnie Vertongen
Aug 4, 2025, 5:53:46 PM
to golang-nuts
Hi Jason, 

Do you have any thoughts or opinions on the issue? 

Kind regards,
Vinnie

Jason E. Aten
Aug 5, 2025, 12:21:36 AM
to golang-nuts
Hi Vinnie,

Do you mean the error you got being hard to fathom? I don't have experience with
getting that same error so I cannot really say.

Filing an issue is the only way I know to have it discussed and considered by
a library's maintainers; and even if the current behavior is intended, oftentimes
package authors would like to hear about pain points and sharp edges that can
be sanded.

Best wishes,
Jason

Vinnie Vertongen
Aug 5, 2025, 4:10:29 PM
to golang-nuts
Hi Jason, 

Thanks for coming back to me. 

I will raise it as an issue to have it discussed further. 

Kind regards,
Vinnie