x509: certificate signed by unknown authority using Terminal from Mac

[Constantine Vasil]

I have account in GoDaddy.

Generated certificated using Starfield Technologies option.

I can see https: site from the browse. Calling a service from command line

from Terminal on my Mac I am getting:

"x509: certificate signed by unknown authority"

From Windows I am not getting this message.

What is wrong? 

[Dave Cheney]

What is the URL of the site in question ?

> --
>
>

[Patrick Mylund Nielsen]

Almost certainly that the GoDaddy bundle PEM was not included in the pem file you are using (or is not pointed to using the IntermediateCA directive in Apache). The gd_bundle.crt can be found here: https://certs.godaddy.com/anonymous/repository.seam

If you are using e.g. nginx, append the contents of gd_bundle.crt to your own .crt, e.g. cat gd_bundle.crt >> yourserver.crt, then restart the web server.

You can verify that the chain is included here: https://www.ssllabs.com/ssltest/index.html

--
 
 

[Constantine Vasil]

where to send you the link in private?

[Constantine Vasil]

I am not using nginx, I am using a Golang web server - try to keep it simple.
In GoDaddy for Download Certificate there are options, in this case which one to use:

Apache, nginx or what option? I have -cert.pem and -key.pem in same folder as the executable

and they are referenced from http.ListenAndServeTLS 

the ssllabs returned: 

Chain issues

Incomplete Secure Renegotiation Not supported   ACTION NEEDED

BEAST attack

Vulnerable   INSECURE

Session resumption

No (IDs empty)

This server definitely needs configuration. How to do it?

[Patrick Mylund Nielsen]

It should work if you append the contents of gd_bundle.crt (from https://certs.godaddy.com/anonymous/repository.seam) to the -cert.pem file, e.g. cat gd_bundle.crt >> your-cert.pem, then restart the Go server application. It isn't presenting enough information to the client (i.e. a browser, or a Go client.)

--
 
 

[Constantine Vasil]

I just did this but there is no change in behavior

[agl]

On Saturday, January 12, 2013 2:37:09 PM UTC-5, Constantine Vasil wrote:

I just did this but there is no change in behavior

If it works with a Go client on Windows, but not on Mac, then we might be failing to find the rootstore on OS X. Here's the code that we use for doing this on OS X:  http://golang.org/src/pkg/crypto/x509/root_darwin.go

I'm not a Mac person so I rather have to trust this code.

Additionally, it might be an incomplete chain that CryptoAPI can rebuilt but OS X cannot. Please include either a pointer to the site.

Cheers

AGL

[agl]

On Friday, January 11, 2013 9:27:39 PM UTC-5, Constantine Vasil wrote:

Chain issues

Incomplete Secure Renegotiation Not supported   ACTION NEEDED

Of these, the semi-important one is that we don't support renego ext. It doesn't affect the security of the server because we don't support renegotiation generally but, for the general good of the world, we should. If anyone wants to do this, you will almost certainly manage to do so before me!

Cheers

AGL

[Constantine Vasil]

"x509: certificate signed by unknown authority" message is now gone.

If anyone wants to know here is what I did:

A) Generate a Certificate Signing Request for Apache 2.x

login to your SSH terminal and type:

openssl req -new -newkey rsa:2048 -nodes -keyout <mydomain>.com.key -out <mydomain>.csr -subj "/C=US/ST=CA/L=<my city>/CN=<mydomain>/O=<my company name>/OU=<my domain>"

Generating a 2048 bit RSA private key
................................................................................................................................................................................................................+++
.....................................................................................................................................+++
writing new private key to '<mydomain>.key'
-----

list the directory:
<your>-Mac:$ ls
<mydomain>.csr <mydomain>.key

B) login to GoDaddy, select Startfield certificate authority, copy/paste <mydomain>.csr

C) download <mydomain>.com.crt

D) download sf_bundle.crt and sf_intermediate.crt from

https://certs.starfieldtech.com/anonymous/repository.seam

E) perform following steps:

1. copy <mydomain>.com.crt <mydomain>.com-cert.pem
2. cat sf_bundle.crt >> <mydomain>.com-cert.pem
3. cat sf_intermediate.crt >> <mydomain>.com-cert.pem
4. copy <mydomain>.key <mydomain>.com-key.pem

Only when sf_intermediate.crt is added then "x509: certificate signed by unknown authority" message is gone.

Still got these warnings from  https://www.ssllabs.com/ssltest/index.html:

BEAST attack

Vulnerable   INSECURE

Session resumption

No (IDs empty)

Thank you for all responses. now we have to get rid of all warnings.

[Patrick Mylund Nielsen]

Sorry, I missed that you were using StarField. For GoDaddy you need to append the gd-bundle, for StarField, the sf-bundle. Glad you got it working.

--
 
 

[agl]

On Monday, January 14, 2013 12:36:51 PM UTC-5, Constantine Vasil wrote:

Still got these warnings from  https://www.ssllabs.com/ssltest/index.html:

BEAST attack

Vulnerable   INSECURE

Session resumption

No (IDs empty)

BEAST attack means that ssllabs wants you to prioritize RC4 over AES. You can do this via the tls.Config (http://golang.org/pkg/crypto/tls/#Config) by setting, say:

tlsConfig.CipherSuites = [tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]

The session resumption bit isn't a warning - Go doesn't support session IDs.

Cheers

AGL

[Dave Cheney]

How did you install Go on your mac ? There have been reports that
using Homebrew does not compile with cgo enabled, which may explain
your issue.

> --
>
>

[Constantine Vasil]

how to use tlsConfig.CipherSuites

if I am using this code?

err := http.ListenAndServeTLS(listenAddr, "<myhost>-cert.pem", "<myhost>-key.pem", nil)

[Constantine Vasil]

I just did this:

$ cd go/src
$ ./all.bash

[agl]

On Wednesday, January 16, 2013 10:45:05 AM UTC-5, Constantine Vasil wrote:

how to use tlsConfig.CipherSuites

if I am using this code?

err := http.ListenAndServeTLS(listenAddr, "<myhost>-cert.pem", "<myhost>-key.pem", nil)

There isn't a way to override the defaults with that function. But if you look at the source to that function (http://golang.org/src/pkg/net/http/server.go?s=33156:33247#L1112), you can reproduce those two lines, but set TLSConfig on the http.Server object that you create.

Cheers

AGL

[Constantine Vasil]

I changed my code to:

import (

"crypto/tls"

const listenAddr = "0.0.0.0:443"

        config := &tls.Config{

CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA,

tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,

tls.TLS_RSA_WITH_AES_128_CBC_SHA,

tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},

}

server := &http.Server{Addr: listenAddr, TLSConfig: config}

err := server.ListenAndServeTLS("<myserver>-cert.pem", "<myserver>-key.pem")

but still got the BEAST attack message.

Could you please verify my code?

On Tuesday, January 15, 2013 4:13:13 PM UTC-8, agl wrote:

[agl]

On Wednesday, January 16, 2013 6:20:25 PM UTC-5, Constantine Vasil wrote:

        config := &tls.Config{

CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA,

tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,

tls.TLS_RSA_WITH_AES_128_CBC_SHA,

tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},

}

server := &http.Server{Addr: listenAddr, TLSConfig: config}

err := server.ListenAndServeTLS("<myserver>-cert.pem", "<myserver>-key.pem")

but still got the BEAST attack message.

Could you please verify my code?

Ah, sorry. We actually take the client's ciphersuite preferences so if the ssllabs client says that it prefers AES (which it looks like it does) then we'll pick that. I should add a UseServerCiphersuitePreferences to the tls.Config, but it's not there yet.

Cheers

AGL