Yes - look like it is for slightly different reasons. Apple have decided on a new policy for verifying certificates and the certificate must have either two (younger certs) or three (older certs) valid SCTs. I suspect that you could re-issue your cert to comply with this, but I am not sure about your mechanism for this. It seems though that even if Go 1.18 was patched to let such a failure through - and it isn’t clear that it should be, as per the TODO - that it would not help with AWS as it seems that they don’t have ANY SCTs in their certificates. AWS will have have to re-issue probably all their certificates, which leaves some of us a bit screwed for a while.
This isn’t my area of expertise, but it seems that perhaps Apple have been a bit too aggressive on this. I hazard a guess that what they have implemented is likely correct, but if a company such as Apple makes such a change, I think they should have made more noise about it, so that other companies knew about the change.
So, a combination of OSX 12.3 with Go 1.18 will trigger this, unless you have the ability to re-issue certificates with the requisite number of SCTs. I have no control over most AWS certificates - they are issued by AWS, for AWS. So now, I will have to ask AWS if they can do anything about it. But I can’t see them re-issuing certificates for all their myriad services, overnight.
Jim
PS: I quote the ticket you raised, in case it is useful to others:
Jim,
Looks like we ended up seeing the same problem in a kubernetes test case as well:
-- Dims