x509: certificate signed by unknown authority


mon...@gmail.com

May 22, 2012, 9:52:56 PM5/22/12
to golang-nuts
Dear all,

As the subject suggests, I got this error when I call tls.LoadX509KeyPair().

In fact, it is one of my software's users who has this problem. I suggested
doing the following:

openssl verify /path/to/cert.pem

I don't know if it is the correct way to check this problem. More
precisely, if openssl verify succeeds, does it imply that
tls.LoadX509KeyPair() should not have the problem "x509: certificate
signed by unknown authority"?

Can anyone here help me to figure out a way to solve/locate the root of
the problem?

Regards,
-Monnand

mon...@gmail.com

May 22, 2012, 10:03:33 PM5/22/12
to golang-nuts
mon...@gmail.com wrote, On 05/22/2012 09:52 PM:
> Dear all,
>
> As the subject suggests, I got this error when I call tls.LoadX509KeyPair().
>
> In fact, it is one of my software's users who has this problem. I suggested
> doing the following:
>
> openssl verify /path/to/cert.pem
>
> I don't know if it is the correct way to check this problem. More
> precisely, if openssl verify succeeds, does it imply that
> tls.LoadX509KeyPair() should not have the problem "x509: certificate
> signed by unknown authority"?

Now, this statement is false.

openssl verify /path/to/cert.pem succeeds. But still, I got the "x509:
certificate signed by unknown authority" error.

Any thought then?

Regards,
-Monnand

mon...@gmail.com

May 22, 2012, 10:34:10 PM5/22/12
to golang-nuts
<snip>
> openssl verify /path/to/cert.pem succeeds. But still, I got the "x509:
> certificate signed by unknown authority" error.
>
> Any thought then?
>
<snip>

Well. It would be better to provide more information.

0. At first, openssl verify failed.
1. We found the certificate authority, which should be a trusted authority.
2. We put its .pem file under /etc/pki/tls/certs.
3. openssl verify succeeds. But still, we got "x509: certificate signed
by unknown authority".
4. Then I used the following script to generate the .crt:

#!/bin/sh
#
# Convert PEM Certificate to ca-bundle.crt format
#
# Now this works with *BSD sed as well. fix by komar
test ! "$1" && printf "Usage: `basename $0` certificate\n" && exit 1
# Friendly Name and Underline Friendly Name with equal signs
openssl x509 -in "$1" -text -noout | sed -e 's/^ *Subject:.*CN=\([^,]*\).*/\1/ p;t c' -e 'd;:c' -e 's/./=/g'
# Output Fingerprint and swap = for :
openssl x509 -in "$1" -noout -fingerprint | sed -e 's/=/: /'
# Output PEM Data:
echo 'PEM Data:'
# Output Certificate
openssl x509 -in "$1"
# Output Certificate text swapping Certificate with Certificate Ingredients
openssl x509 -in "$1" -text -noout | sed -e 's/^Certificate:/Certificate Ingredients:/'

5. Append the output to ca-bundle.crt
6. Still, same error

-Monnand

minux

May 22, 2012, 10:46:18 PM5/22/12
to mon...@gmail.com, golang-nuts
On Wed, May 23, 2012 at 10:34 AM, mon...@gmail.com <mon...@gmail.com> wrote:
Well. It would be better to provide more information.

0. At first, openssl verify failed
1. We found the certificate authority which should be a trusted authority.
2. We put its .pem file under /etc/pki/tls/certs
3. openssl verify succeeds. But still, we got "x509: certificate signed by unknown authority"
4. Then I use the following script to generate .crt:
snip 
5. Append the output to ca-bundle.crt
6. Still, same error
On Unix systems (except MacOS X), crypto/x509 finds root certificates in several known
locations: they are listed in src/pkg/crypto/x509/root_unix.go, are you sure that your updated
ca-bundle.crt is one of them?
(FYI, the only ca-bundle.crt is at /etc/pki/tls/certs/ca-bundle.crt)

mon...@gmail.com

May 22, 2012, 10:56:53 PM5/22/12
to minux, golang-nuts
minux wrote, On 05/22/2012 10:46 PM:
>snip
>
> 5. Append the output to ca-bundle.crt
> 6. Still, same error
>
> On Unix systems (except MacOS X), crypto/x509 finds root certificates in
> several known
> locations: they are listed in src/pkg/crypto/x509/root_unix.go
> <http://golang.org/src/pkg/crypto/x509/root_unix.go>, are you sure that
> your updated
> ca-bundle.crt is one of them?
> (FYI, the only ca-bundle.crt is at /etc/pki/tls/certs/ca-bundle.crt)

Thank you minux!

Yes. That's exactly how we find where to modify the .crt file.

Just a quick reminder: I didn't encounter this problem, a user of my
program did. I asked him if he can find the file
"/etc/ssl/certs/ca-certificates.crt" (which is the first file listed in
the variable certFiles). He said "No". The only .crt file he found
listed in variable certFiles is /etc/pki/tls/certs/ca-bundle.crt (the second
one). And that is where he appended the certificate.

I didn't read his script, which, according to his description, is used
to convert the .pem file to a .crt file. However, I think it would be enough
to simply append the .pem file to the .crt file without any conversion. I
suggested that he do so.

I'm not sure if I told him the correct way. Because of the time difference, he
may not be able to reply to my mail soon.

Regards,
-Monnand

minux

May 22, 2012, 11:07:32 PM5/22/12
to mon...@gmail.com, golang-nuts
On Wed, May 23, 2012 at 10:56 AM, mon...@gmail.com <mon...@gmail.com> wrote:
I didn't read his script, which, according to his description, is used to convert .pem file to .crt file. However, I think it would be enough to simply append .pem file to the .crt file without any conversion. I suggested him to do so.
Could you add debug prints to function AppendCertsFromPEM in crypto/x509/cert_pool.go to
see if the desired certificate is indeed parsed correctly?

mon...@gmail.com

May 22, 2012, 11:15:51 PM5/22/12
to minux, golang-nuts
minux wrote, On 05/22/2012 11:07 PM:
>
> On Wed, May 23, 2012 at 10:56 AM, mon...@gmail.com
> <mailto:mon...@gmail.com> <mon...@gmail.com
> <mailto:mon...@gmail.com>> wrote:
>
> I didn't read his script, which, according to his description, is
> used to convert .pem file to .crt file. However, I think it would be
> enough to simply append .pem file to the .crt file without any
> conversion. I suggested him to do so.
>
> Could you add debug prints to function AppendCertsFromPEM in
> crypto/x509/cert_pool.go to
> see if the desired certificate is indeed parsed correctly?

That's the difficult part of the whole problem: I do not have permission
to access the server. Because it is a production server, it may not even
allow changing any code in the Go package.

He told me that the program runs correctly on his own computer, but
cannot work with instances on Amazon EC2 because of the certificate.

I am not able to reproduce the bug on my side. What I am trying to do is
to figure out what's going on there. It seems that he used the file
format incorrectly.

Here is the whole discussion we have about this issue:
https://groups.google.com/forum/?fromgroups#!topic/uniqush/adD8VBM29_U

Really appreciate your help!

Regards,
-Monnand

minux

May 22, 2012, 11:28:49 PM5/22/12
to mon...@gmail.com, golang-nuts
On Wed, May 23, 2012 at 11:15 AM, mon...@gmail.com <mon...@gmail.com> wrote:
minux wrote, On 05/22/2012 11:07 PM:
Could you add debug prints to function AppendCertsFromPEM in
crypto/x509/cert_pool.go to
see if the desired certificate is indeed parsed correctly?

That's the difficult part of the whole problem: I do not have permission to access the server. Because it is a production server, it may even not allow to change any code in go package.
you don't need to change the production program, you only need to send a simple
diagnostic program with a custom PEM parser (you could copy the one from crypto/x509,
but don't ignore any error) to be run against a copy of the certificates on the production server
to verify the certificates.

the crypto/x509 package intentionally ignores all decoding errors, so a wrong
cert file could be the problem.

mon...@gmail.com

May 22, 2012, 11:47:19 PM5/22/12
to minux, golang-nuts
minux wrote, On 05/22/2012 11:28 PM:
>
> On Wed, May 23, 2012 at 11:15 AM, mon...@gmail.com
> <mailto:mon...@gmail.com> <mon...@gmail.com
I see. I will do it later. Bed time for me.

Thank you very much, minux!

-Monnand

Cristhian Daniel Parra Trepowski

May 23, 2012, 7:04:12 AM5/23/12
to golan...@googlegroups.com
Hi All, 

I am the guy with the actual problem. I will take a look at Go's parser now to see if I can quickly parse the certs and then compare them with the ones I have generated.

Basically, I have a certificate with only the Certificate part (this is from -----BEGIN CERTIFICATE----- ), so I need to produce the proper ASN.1 format. Since I am not very experienced in this, I read a bit about openssl and found a way of doing it using the following commands:

openssl x509 -in apple-root-ca.pem -text >> /etc/pki/tls/certs/ca-bundle.crt
openssl x509 -in apple-worldwide-dev-rel.pem -text >> /etc/pki/tls/certs/ca-bundle.crt

I have also tried to add the application's push dev certificate to the bundle, and still getting the error. 

openssl x509 -in app-dev-push-certificate-got-from-dev.apple.pem -text >> /etc/pki/tls/certs/ca-bundle.crt

Will update you later with the result of parsing my .pem with the code from crypto/x509/cert_pool.go to

Cheers,  

Cristhian Daniel Parra Trepowski

May 23, 2012, 1:14:09 PM5/23/12
to golan...@googlegroups.com
OK, my first code in Go. It took me two hours to get it error free (mainly because I was using the import wrong).
Following it is the certificate authority that comes out of the parse, and it is quite different from those in the ca-bundle.crt.

package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/ioutil"
)

// Same candidate list as crypto/x509/root_unix.go, with only the file under test enabled.
var certFiles2 = []string{
	//"/etc/ssl/certs/ca-certificates.crt", // Linux etc
	//"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL
	"/home/uniqush/.ssh/apple-root-ca.pem", // the Apple root being tested
	//"/etc/ssl/ca-bundle.pem", // OpenSUSE
	//"/etc/ssl/cert.pem", // OpenBSD
	//"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD
}

func main() {
	certpool := x509.NewCertPool()

	for _, file := range certFiles2 {
		pemCerts, err := ioutil.ReadFile(file)
		if err != nil {
			continue
		}
		for len(pemCerts) > 0 {
			var block *pem.Block
			block, pemCerts = pem.Decode(pemCerts)
			if block == nil {
				break
			}
			if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
				continue
			}

			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				fmt.Println(err)
				continue
			}
			fmt.Println(cert)

			certpool.AddCert(cert)
		}
		// Like root_unix.go: stop after the first file that could be read.
		break
	}

	//fmt.Println(certpool)
}


------OUTPUT STARTS HERE---------

&{[48 130 4 187 48 130 3 163 160 3 2 1 2 2 1 2 48 13 6 9 42 134 72 134 247 13 1 1 5 5 0 48 98 49 11 48 9 6 3 85 4 6 19 2 85 83 49 19 48 17 6 3 85 4 10 19 10 65 112 112 108 101 32 73 110 99 46 49 38 48 36 6 3 85 4 11 19 29 65 112 112 108 101 32 67 101 114 116 105 102 105 99 97 116 105 111 110 32 65 117 116 104 111 114 105 116 121 49 22 48 20 6 3 85 4 3 19 13 65 112 112 108 101 32 82 111 111 116 32 67 65 48 30 23 13 48 54 48 52 50 53 50 49 52 48 51 54 90 23 13 51 53 48 50 48 57 50 49 52 48 51 54 90 48 98 49 11 48 9 6 3 85 4 6 19 2 85 83 49 19 48 17 6 3 85 4 10 19 10 65 112 112 108 101 32 73 110 99 46 49 38 48 36 6 3 85 4 11 19 29 65 112 112 108 101 32 67 101 114 116 105 102 105 99 97 116 105 111 110 32 65 117 116 104 111 114 105 116 121 49 22 48 20 6 3 85 4 3 19 13 65 112 112 108 101 32 82 111 111 116 32 67 65 48 130 1 34 48 13 6 9 42 134 72 134 247 13 1 1 1 5 0 3 130 1 15 0 48 130 1 10 2 130 1 1 0 228 145 169 9 31 145 219 30 71 80 235 5 237 94 121 132 45 235 54 162 87 76 85 236 139 25 137 222 249 75 108 245 7 171 34 48 2 232 24 62 248 80 9 211 127 65 168 152 249 209 202 102 156 36 107 17 208 163 187 228 27 42 195 31 149 158 122 12 164 71 139 91 212 22 55 51 203 196 15 77 206 20 105 209 201 25 114 245 93 14 213 127 95 155 242 37 3 186 85 143 77 93 13 241 100 53 35 21 75 21 89 29 179 148 247 246 156 158 207 80 186 193 88 80 103 143 8 180 32 247 203 172 44 32 111 112 182 63 1 48 140 183 67 207 15 157 61 243 43 73 40 26 200 254 206 181 185 14 217 94 28 214 203 61 181 58 173 244 15 14 0 146 11 177 33 22 46 116 213 60 13 219 98 22 171 163 113 146 71 83 85 193 175 47 65 179 248 251 227 112 205 230 163 76 69 126 31 76 107 80 150 65 137 196 116 98 11 16 131 65 135 51 138 129 177 48 88 236 90 4 50 140 104 179 143 29 222 101 115 255 103 94 101 188 73 216 118 159 51 20 101 161 119 148 201 45 2 3 1 0 1 163 130 1 122 48 130 1 118 48 14 6 3 85 29 15 1 1 255 4 4 3 2 1 6 48 15 6 3 85 29 19 1 1 255 4 5 48 3 1 1 255 48 29 6 3 85 29 14 4 22 4 20 43 208 105 71 148 118 9 254 244 107 141 
46 64 166 247 71 77 127 8 94 48 31 6 3 85 29 35 4 24 48 22 128 20 43 208 105 71 148 118 9 254 244 107 141 46 64 166 247 71 77 127 8 94 48 130 1 17 6 3 85 29 32 4 130 1 8 48 130 1 4 48 130 1 0 6 9 42 134 72 134 247 99 100 5 1 48 129 242 48 42 6 8 43 6 1 5 5 7 2 1 22 30 104 116 116 112 115 58 47 47 119 119 119 46 97 112 112 108 101 46 99 111 109 47 97 112 112 108 101 99 97 47 48 129 195 6 8 43 6 1 5 5 7 2 2 48 129 182 26 129 179 82 101 108 105 97 110 99 101 32 111 110 32 116 104 105 115 32 99 101 114 116 105 102 105 99 97 116 101 32 98 121 32 97 110 121 32 112 97 114 116 121 32 97 115 115 117 109 101 115 32 97 99 99 101 112 116 97 110 99 101 32 111 102 32 116 104 101 32 116 104 101 110 32 97 112 112 108 105 99 97 98 108 101 32 115 116 97 110 100 97 114 100 32 116 101 114 109 115 32 97 110 100 32 99 111 110 100 105 116 105 111 110 115 32 111 102 32 117 115 101 44 32 99 101 114 116 105 102 105 99 97 116 101 32 112 111 108 105 99 121 32 97 110 100 32 99 101 114 116 105 102 105 99 97 116 105 111 110 32 112 114 97 99 116 105 99 101 32 115 116 97 116 101 109 101 110 116 115 46 48 13 6 9 42 134 72 134 247 13 1 1 5 5 0 3 130 1 1 0 92 54 153 76 45 120 183 237 140 155 220 243 119 155 242 118 210 119 48 79 193 31 133 131 133 27 153 61 71 55 242 169 155 64 142 44 212 177 144 18 216 190 244 115 155 238 210 100 15 203 121 79 52 216 162 62 249 120 255 107 200 7 236 125 57 131 139 83 32 211 56 196 177 191 154 79 10 107 255 43 252 89 167 5 9 124 23 64 86 17 30 116 211 183 139 35 59 71 163 213 111 36 226 235 209 183 112 223 15 69 225 39 202 241 109 120 237 231 181 23 23 168 220 126 34 53 202 37 213 217 15 214 107 212 162 36 35 17 247 161 172 143 115 129 96 198 27 91 9 47 146 178 248 68 72 240 96 56 158 21 245 61 38 103 32 138 51 106 247 13 130 207 222 235 163 47 249 83 106 91 100 192 99 51 119 247 58 7 44 86 235 218 15 33 14 218 186 115 25 79 181 217 54 127 193 135 85 217 167 153 185 50 66 251 216 213 113 158 126 161 82 183 27 189 147 66 36 18 42 199 15 29 182 77 156 94 99 200 75 128 
23 80 170 138 213 218 228 252 208 9 7 55 176 117 117 33] [48 130 3 163 160 3 2 1 2 2 1 2 48 13 6 9 42 134 72 134 247 13 1 1 5 5 0 48 98 49 11 48 9 6 3 85 4 6 19 2 85 83 49 19 48 17 6 3 85 4 10 19 10 65 112 112 108 101 32 73 110 99 46 49 38 48 36 6 3 85 4 11 19 29 65 112 112 108 101 32 67 101 114 116 105 102 105 99 97 116 105 111 110 32 65 117 116 104 111 114 105 116 121 49 22 48 20 6 3 85 4 3 19 13 65 112 112 108 101 32 82 111 111 116 32 67 65 48 30 23 13 48 54 48 52 50 53 50 49 52 48 51 54 90 23 13 51 53 48 50 48 57 50 49 52 48 51 54 90 48 98 49 11 48 9 6 3 85 4 6 19 2 85 83 49 19 48 17 6 3 85 4 10 19 10 65 112 112 108 101 32 73 110 99 46 49 38 48 36 6 3 85 4 11 19 29 65 112 112 108 101 32 67 101 114 116 105 102 105 99 97 116 105 111 110 32 65 117 116 104 111 114 105 116 121 49 22 48 20 6 3 85 4 3 19 13 65 112 112 108 101 32 82 111 111 116 32 67 65 48 130 1 34 48 13 6 9 42 134 72 134 247 13 1 1 1 5 0 3 130 1 15 0 48 130 1 10 2 130 1 1 0 228 145 169 9 31 145 219 30 71 80 235 5 237 94 121 132 45 235 54 162 87 76 85 236 139 25 137 222 249 75 108 245 7 171 34 48 2 232 24 62 248 80 9 211 127 65 168 152 249 209 202 102 156 36 107 17 208 163 187 228 27 42 195 31 149 158 122 12 164 71 139 91 212 22 55 51 203 196 15 77 206 20 105 209 201 25 114 245 93 14 213 127 95 155 242 37 3 186 85 143 77 93 13 241 100 53 35 21 75 21 89 29 179 148 247 246 156 158 207 80 186 193 88 80 103 143 8 180 32 247 203 172 44 32 111 112 182 63 1 48 140 183 67 207 15 157 61 243 43 73 40 26 200 254 206 181 185 14 217 94 28 214 203 61 181 58 173 244 15 14 0 146 11 177 33 22 46 116 213 60 13 219 98 22 171 163 113 146 71 83 85 193 175 47 65 179 248 251 227 112 205 230 163 76 69 126 31 76 107 80 150 65 137 196 116 98 11 16 131 65 135 51 138 129 177 48 88 236 90 4 50 140 104 179 143 29 222 101 115 255 103 94 101 188 73 216 118 159 51 20 101 161 119 148 201 45 2 3 1 0 1 163 130 1 122 48 130 1 118 48 14 6 3 85 29 15 1 1 255 4 4 3 2 1 6 48 15 6 3 85 29 19 1 1 255 4 5 48 3 1 1 255 48 29 6 3 85 29 14 4 22 4 
20 43 208 105 71 148 118 9 254 244 107 141 46 64 166 247 71 77 127 8 94 48 31 6 3 85 29 35 4 24 48 22 128 20 43 208 105 71 148 118 9 254 244 107 141 46 64 166 247 71 77 127 8 94 48 130 1 17 6 3 85 29 32 4 130 1 8 48 130 1 4 48 130 1 0 6 9 42 134 72 134 247 99 100 5 1 48 129 242 48 42 6 8 43 6 1 5 5 7 2 1 22 30 104 116 116 112 115 58 47 47 119 119 119 46 97 112 112 108 101 46 99 111 109 47 97 112 112 108 101 99 97 47 48 129 195 6 8 43 6 1 5 5 7 2 2 48 129 182 26 129 179 82 101 108 105 97 110 99 101 32 111 110 32 116 104 105 115 32 99 101 114 116 105 102 105 99 97 116 101 32 98 121 32 97 110 121 32 112 97 114 116 121 32 97 115 115 117 109 101 115 32 97 99 99 101 112 116 97 110 99 101 32 111 102 32 116 104 101 32 116 104 101 110 32 97 112 112 108 105 99 97 98 108 101 32 115 116 97 110 100 97 114 100 32 116 101 114 109 115 32 97 110 100 32 99 111 110 100 105 116 105 111 110 115 32 111 102 32 117 115 101 44 32 99 101 114 116 105 102 105 99 97 116 101 32 112 111 108 105 99 121 32 97 110 100 32 99 101 114 116 105 102 105 99 97 116 105 111 110 32 112 114 97 99 116 105 99 101 32 115 116 97 116 101 109 101 110 116 115 46] [48 130 1 34 48 13 6 9 42 134 72 134 247 13 1 1 1 5 0 3 130 1 15 0 48 130 1 10 2 130 1 1 0 228 145 169 9 31 145 219 30 71 80 235 5 237 94 121 132 45 235 54 162 87 76 85 236 139 25 137 222 249 75 108 245 7 171 34 48 2 232 24 62 248 80 9 211 127 65 168 152 249 209 202 102 156 36 107 17 208 163 187 228 27 42 195 31 149 158 122 12 164 71 139 91 212 22 55 51 203 196 15 77 206 20 105 209 201 25 114 245 93 14 213 127 95 155 242 37 3 186 85 143 77 93 13 241 100 53 35 21 75 21 89 29 179 148 247 246 156 158 207 80 186 193 88 80 103 143 8 180 32 247 203 172 44 32 111 112 182 63 1 48 140 183 67 207 15 157 61 243 43 73 40 26 200 254 206 181 185 14 217 94 28 214 203 61 181 58 173 244 15 14 0 146 11 177 33 22 46 116 213 60 13 219 98 22 171 163 113 146 71 83 85 193 175 47 65 179 248 251 227 112 205 230 163 76 69 126 31 76 107 80 150 65 137 196 116 98 11 16 131 65 135 51 
138 129 177 48 88 236 90 4 50 140 104 179 143 29 222 101 115 255 103 94 101 188 73 216 118 159 51 20 101 161 119 148 201 45 2 3 1 0 1] [48 98 49 11 48 9 6 3 85 4 6 19 2 85 83 49 19 48 17 6 3 85 4 10 19 10 65 112 112 108 101 32 73 110 99 46 49 38 48 36 6 3 85 4 11 19 29 65 112 112 108 101 32 67 101 114 116 105 102 105 99 97 116 105 111 110 32 65 117 116 104 111 114 105 116 121 49 22 48 20 6 3 85 4 3 19 13 65 112 112 108 101 32 82 111 111 116 32 67 65] [48 98 49 11 48 9 6 3 85 4 6 19 2 85 83 49 19 48 17 6 3 85 4 10 19 10 65 112 112 108 101 32 73 110 99 46 49 38 48 36 6 3 85 4 11 19 29 65 112 112 108 101 32 67 101 114 116 105 102 105 99 97 116 105 111 110 32 65 117 116 104 111 114 105 116 121 49 22 48 20 6 3 85 4 3 19 13 65 112 112 108 101 32 82 111 111 116 32 67 65] [92 54 153 76 45 120 183 237 140 155 220 243 119 155 242 118 210 119 48 79 193 31 133 131 133 27 153 61 71 55 242 169 155 64 142 44 212 177 144 18 216 190 244 115 155 238 210 100 15 203 121 79 52 216 162 62 249 120 255 107 200 7 236 125 57 131 139 83 32 211 56 196 177 191 154 79 10 107 255 43 252 89 167 5 9 124 23 64 86 17 30 116 211 183 139 35 59 71 163 213 111 36 226 235 209 183 112 223 15 69 225 39 202 241 109 120 237 231 181 23 23 168 220 126 34 53 202 37 213 217 15 214 107 212 162 36 35 17 247 161 172 143 115 129 96 198 27 91 9 47 146 178 248 68 72 240 96 56 158 21 245 61 38 103 32 138 51 106 247 13 130 207 222 235 163 47 249 83 106 91 100 192 99 51 119 247 58 7 44 86 235 218 15 33 14 218 186 115 25 79 181 217 54 127 193 135 85 217 167 153 185 50 66 251 216 213 113 158 126 161 82 183 27 189 147 66 36 18 42 199 15 29 182 77 156 94 99 200 75 128 23 80 170 138 213 218 228 252 208 9 7 55 176 117 117 33] 3 1 0xf840036930 3 2 {[US] [Apple Inc.] [Apple Certification Authority] [] [] [] []  Apple Root CA [{[2 5 4 6] US} {[2 5 4 10] Apple Inc.} {[2 5 4 11] Apple Certification Authority} {[2 5 4 3] Apple Root CA}]} {[US] [Apple Inc.] 
[Apple Certification Authority] [] [] [] []  Apple Root CA [{[2 5 4 6] US} {[2 5 4 10] Apple Inc.} {[2 5 4 11] Apple Certification Authority} {[2 5 4 3] Apple Root CA}]} 2006-04-25 21:40:36 +0000 UTC 2035-02-09 21:40:36 +0000 UTC 96 [] [] true true -1 [43 208 105 71 148 118 9 254 244 107 141 46 64 166 247 71 77 127 8 94] [43 208 105 71 148 118 9 254 244 107 141 46 64 166 247 71 77 127 8 94] [] [] false [] [[1 2 840 113635 100 5 1]]}

Cristhian Daniel

May 23, 2012, 7:33:28 PM5/23/12
to golan...@googlegroups.com
After several comings and goings, I was not able to make my certificate pass the local verification done by the Go language (even when openssl is happy with it).

Fortunately, Monnand has provided me with a special version of the uniqush server that simply skips this local verification, so I can just move on.

Hope you guys can take a closer look at this problem sometime in the future. I am attaching the certificates that were causing my troubles.

1. apple-rootca.pem --> Apple root CA, appended to openssl's ca-bundle.crt
2. apple-wwdevrel-ca.pem --> Apple Worldwide Developer Relations CA, appended to openssl's ca-bundle.crt
(both are the trusted issuers of the certificate that we needed to validate)
3. ca-bundle.crt.backup --> original certificate bundle of the server. After appending 1 and 2 to it, openssl can already verify the certificate
4. The certificate we were trying to correctly verify (without the key)

Also, some info about my server that might help: 
$ go version
go version go1
$ uname -a
Linux test.liquidjournal.org 2.6.18-164.0.0.0.1.el5xen #1 SMP Thu Sep 3 00:34:43 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
$ openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"

Best Regards, 

--
Cristhian Parra
apple-rootca.pem
apple-wwdevrel-ca.pem
ca-bundle.crt.backup
cert-original.pem

fmilo

Jun 28, 2012, 1:17:24 AM6/28/12
to golan...@googlegroups.com

I am able to reproduce the error with the following code on Ubuntu 12.04 LTS (latest AMI on EC2).

For some reason it is not able to parse /etc/ssl/certs/ca-certificates.crt, and that prevents the use of SSL.
Anyone with more insight on this problem?

package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/ioutil"
)

// Candidate root bundles, as in crypto/x509/root_unix.go.
var certFiles2 = []string{
	"/etc/ssl/certs/ca-certificates.crt",     // Linux etc
	"/etc/pki/tls/certs/ca-bundle.crt",       // Fedora/RHEL
	"/home/uniqush/.ssh/apple-root-ca.pem",   // left over from the earlier program
	"/etc/ssl/ca-bundle.pem",                 // OpenSUSE
	"/etc/ssl/cert.pem",                      // OpenBSD
	"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD
}

func main() {
	certpool := x509.NewCertPool()

	for _, file := range certFiles2 {
		fmt.Println("Checking ", file)
		pemCerts, err := ioutil.ReadFile(file)
		if err != nil {
			fmt.Printf("Error %s: %v\n", file, err)
			continue
		}
		for len(pemCerts) > 0 {
			var block *pem.Block
			block, pemCerts = pem.Decode(pemCerts)
			if block == nil {
				fmt.Println("block nil.end")
				break
			}
			if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
				fmt.Println("Invalid block")
				continue
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			//fmt.Println(cert)
			if err != nil {
				fmt.Println(err)
				continue
			}

			// Check each bundle certificate against the system roots.
			_, err = cert.Verify(x509.VerifyOptions{})
			if err != nil {
				fmt.Println(err)
				continue
			}
			fmt.Printf("Valid Certificate Found, %d bytes left\n", len(pemCerts))
			certpool.AddCert(cert)
		}
	}

	//fmt.Println(certpool)
}

Fabrizio Milo aka misto

Jun 28, 2012, 7:20:43 PM6/28/12
to Dave Cheney, golan...@googlegroups.com
Here is a simple client that shows the error:

package main

import (
	"crypto/tls"
	"log"
	"net"
)

func main() {
	conn, err := net.Dial("tcp", "gateway.push.apple.com:2195")
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	// No RootCAs given, so the server chain is verified against the system pool.
	client := tls.Client(conn, &tls.Config{ServerName: "gateway.push.apple.com"})

	if err := client.Handshake(); err != nil {
		log.Fatal(err)
	}
}


On my linux box I receive:
2012/06/28 23:15:16 x509: certificate signed by unknown authority
exit status 1

On my mac box (where it works)
I receive:

2012/06/28 16:14:49 remote error: handshake failure

My guess at this point is that there could be something funny inside

http://golang.org/src/pkg/crypto/x509/root_unix.go

initSystemRoots() , roots.AppendCertsFromPEM


In the mean time I solved by ignoring the SSL certificate when
connecting and it works.

Hope this helps.

Fabrizio
--
--------------------------
Luck favors the prepared mind. (Pasteur)

André Moraes

Jun 28, 2012, 7:41:10 PM6/28/12
to Fabrizio Milo aka misto, Dave Cheney, golan...@googlegroups.com
Just guessing, but:

The machines that present the error are running Linux

But what about the client machines that don't present the error, what is the OS?

--
André Moraes
http://amoraes.info

Patrick Mylund Nielsen

Jun 28, 2012, 7:41:25 PM6/28/12
to Fabrizio Milo aka misto, a...@golang.org, Dave Cheney, golan...@googlegroups.com
Is everyone having a problem with gateway.push.apple.com, specifically? This issue came up on IRC today, as well, and it seems like there's some issue with the Entrust cert in that chain/the public cert in Linux's ca-certs. At the very least, it seems unrelated to Go.

# openssl s_client -connect gateway.push.apple.com:2195 -showcerts
...140073564632736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1247:SSL alert number 40...

curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Error code: ssl_error_handshake_failure_alert

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

It appears to work on Macs, in Go, so presumably the right cert is in the Darwin ca-certs. Curious error, though.

Perhaps somebody with a Mac could extract the public cert and make their own http.Client/cert pool with it?

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
)

// The issuer's PEM goes here; the body is elided in the original post.
const entrustCert = `-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----`

func main() {
	cp := x509.NewCertPool()
	if !cp.AppendCertsFromPEM([]byte(entrustCert)) {
		fmt.Println("Error: no certificate could be parsed from entrustCert")
		return
	}
	t := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: cp},
	}
	c := &http.Client{
		Transport: t,
	}
	res, err := c.Get("https://gateway.push.apple.com:2195/")
	if err != nil {
		fmt.Println("Error:", err)
		return
	}
	fmt.Println(res)
}

Creating a pool with the im cert from the chain results in a handshake failure in Go as well.

Patrick Mylund Nielsen

Jun 28, 2012, 8:05:00 PM6/28/12
to Fabrizio Milo aka misto, a...@golang.org, Dave Cheney, golan...@googlegroups.com
Correction: It seems to work on Snow Leopard, but not Lion. Looks like you'll need to create your own pool with this issuer's public cert (good), or set InsecureSkipVerify to true in your tls.Config (bad, but maybe a little easier.)

Adam Langley

Jun 29, 2012, 10:18:19 AM6/29/12
to Patrick Mylund Nielsen, Fabrizio Milo aka misto, Dave Cheney, golan...@googlegroups.com
On Thu, Jun 28, 2012 at 8:05 PM, Patrick Mylund Nielsen
<pat...@patrickmylund.com> wrote:
> Correction: It seems to work on Snow Leopard, but not Lion. Looks like
> you'll need to create your own pool with this issuer's public cert (good),
> or set InsecureSkipVerify to true in your tls.Config (bad, but maybe a
> little easier.)

I've attached a patch to workaround this problem. It appears that the
Entrust root certificate that this site depends on is broken: it's not
marked as a CA certificate.

However, even with that fixed, I still get a handshake error. I
guess that's because I don't have the correct client-certificate?

If someone who knows about this server can confirm that it actually
solves the problem, then I'll have a ponder about whether we should
land the patch.


Cheers

AGL
patch
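Minux's suggestion earlier in the thread (a diagnostic parser that does not swallow errors) and Adam's diagnosis here (a trust anchor that is not marked as a CA) can be exercised together. The program below is an added example written for this page; it is not code from the thread, from uniqush or from the Go project, and nothing in it is a real Apple or Entrust certificate. It generates two throwaway ECDSA roots in memory, one with basicConstraints CA:TRUE and one with no basicConstraints extension at all, issues a leaf for the made-up host gateway.example.test from each, assembles a bundle the way the thread did (an "openssl x509 -text" dump, a stray OpenSSL "TRUSTED CERTIFICATE" block, a corrupt block, then the roots), and then both audits the bundle block by block and verifies each leaf against it. RFC 5280 4.2.1.9 says a v3 certificate whose basicConstraints is absent or does not assert cA must not be used to verify signatures; crypto/x509 applies that rule in CheckSignatureFrom and reports a root that fails it as the same "x509: certificate signed by unknown authority" seen in this thread, whereas the openssl verify run on the RHEL 5 server accepted the chain. CertPool.AppendCertsFromPEM also drops blocks it cannot use without saying so, which is why the audit records the skip reason for each one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// BlockReport is one PEM block of a bundle; Skipped says why AppendCertsFromPEM would drop it.
type BlockReport struct {
	Type, Subject, Skipped string
	CanSign                bool // may act as an issuer under RFC 5280 4.2.1.9
}

// AuditBundle walks a PEM bundle as x509.CertPool.AppendCertsFromPEM does but reports every
// block instead of silently skipping rejected ones (pem.Decode skips any text before a BEGIN line).
func AuditBundle(bundle []byte) []BlockReport {
	var out []BlockReport
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		r := BlockReport{Type: block.Type}
		cert, err := x509.ParseCertificate(block.Bytes)
		switch {
		case block.Type != "CERTIFICATE":
			r.Skipped = "block type is not CERTIFICATE"
		case len(block.Headers) != 0:
			r.Skipped = "block carries PEM headers"
		case err != nil:
			r.Skipped = "parse error: " + err.Error()
		default:
			r.Subject = cert.Subject.String()
			// A v3 certificate may sign only if basicConstraints asserts cA=TRUE; Go's
			// CheckSignatureFrom enforces this, the openssl verify in the thread did not.
			r.CanSign = cert.Version < 3 || (cert.BasicConstraintsValid && cert.IsCA)
		}
		out = append(out, r)
	}
	return out
}

// VerifyAgainst does what crypto/tls does with a RootCAs pool: load the bundle and chain leafDER
// to it. An anchor not marked as a CA surfaces as "certificate signed by unknown authority".
func VerifyAgainst(bundle, leafDER []byte) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // false, with no detail, if every block was skipped
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// RunScenario builds everything in memory (nothing here is a real Apple or Entrust certificate):
// a root with no basicConstraints, a root marked CA:TRUE, a leaf from each, and a bundle assembled
// as in the thread: "-text" residue, a stray "TRUSTED CERTIFICATE" block, a corrupt block, the roots.
func RunScenario() (unmarkedErr, markedErr error, audit []BlockReport) {
	// issue self-signs a root when parent is nil (markCA=false omits basicConstraints), else a leaf.
	issue := func(cn string, markCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with rand.Reader
		t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
		if parent == nil {
			t.KeyUsage, t.BasicConstraintsValid, t.IsCA = x509.KeyUsageCertSign, markCA, markCA
			parent, signer = t, key
		} else {
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
		if err != nil {
			panic(err)
		}
		cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
		return cert, key
	}
	pemOf := func(typ string, der []byte) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
	}
	unmarked, unmarkedKey := issue("Unmarked Root", false, nil, nil)
	marked, markedKey := issue("Marked Root", true, nil, nil)
	unmarkedLeaf, _ := issue("gateway.example.test", false, unmarked, unmarkedKey)
	markedLeaf, _ := issue("gateway.example.test", false, marked, markedKey)
	bundle := []byte("Certificate:\n    Data:\n        Version: 3 (0x2)\n") // constructed -text residue
	bundle = append(bundle, pemOf("TRUSTED CERTIFICATE", marked.Raw)...)
	bundle = append(bundle, pemOf("CERTIFICATE", []byte("not DER"))...)
	bundle = append(bundle, pemOf("CERTIFICATE", unmarked.Raw)...)
	bundle = append(bundle, pemOf("CERTIFICATE", marked.Raw)...)
	return VerifyAgainst(bundle, unmarkedLeaf.Raw), VerifyAgainst(bundle, markedLeaf.Raw), AuditBundle(bundle)
}

func main() {
	unmarkedErr, markedErr, audit := RunScenario()
	fmt.Printf("%+v\nleaf from unmarked root: %v\nleaf from marked root: %v\n", audit, unmarkedErr, markedErr)
}
```

go run prints the four block reports and then the two verification results: the leaf chained to the unmarked root fails with an error whose text starts with "x509: certificate signed by unknown authority" (current Go appends the underlying reason in parentheses), while the leaf under the marked root verifies. To check a real anchor the same way, `openssl x509 -in root.pem -noout -text` must show an `X509v3 Basic Constraints` line with `CA:TRUE`; if it does not, appending the file to ca-bundle.crt cannot help, and the fix is the one Patrick suggests, a corrected issuer certificate in a RootCAs pool, not InsecureSkipVerify. Two further points from the thread: tls.LoadX509KeyPair only parses a certificate and key and checks that they match, so the unknown-authority error is raised later, during chain verification in the handshake; and the loop Cristhian copied from root_unix.go stops at the first bundle file it can read, so a root appended to the second file in that list is never loaded while the first one exists.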

Patrick Mylund Nielsen

Jun 29, 2012, 10:31:15 AM6/29/12
to Adam Langley, Fabrizio Milo aka misto, Dave Cheney, golan...@googlegroups.com
Awesome.

Indeed, it seems to be two issues. Searching for gateway, I found this, which explains the latter:


"The binary interface of the production environment is available through gateway.push.apple.com, port 2195; the binary interface of the sandbox (development) environment is available through gateway.sandbox.push.apple.com, port 2195. You may establish multiple, parallel connections to the same gateway or to multiple gateway instances.

For each interface you should use TLS (or SSL) to establish a secured communications channel. The SSL certificate required for these connections is provisioned through the iOS Provisioning Portal. (See “Provisioning and Development” for details.) To establish a trusted provider identity, you should present this certificate to APNs at connection time using peer-to-peer authentication.

Note: To establish a TLS session with APNs, an Entrust Secure CA root certificate must be installed on the provider’s server. If the server is running Mac OS X, this root certificate is already in the keychain. On other systems, the certificate might not be available. You can download this certificate from the Entrust SSL Certificates website."

Patrick Mylund Nielsen

Jun 29, 2012, 10:42:58 AM6/29/12
to Adam Langley, Fabrizio Milo aka misto, Dave Cheney, golan...@googlegroups.com
I don't have a Mac, so unfortunately I can't verify this. Somebody said it worked on Snow Leopard on IRC, but according to misto it works (no handshake error) on Snow Leopard when using *another client*, not Go. Presumably that's because that client actually presents the client certificate, and the version of the distribution is insignificant.

Fabrizio Milo aka misto

Jun 29, 2012, 12:58:45 PM6/29/12
to Patrick Mylund Nielsen, Adam Langley, Dave Cheney, golan...@googlegroups.com
>>> I've attached a patch to workaround this problem. It appears that the
>>> Entrust root certificate that this site depends on is broken: it's not
>>> marked as a CA certificate.

I applied the patch to go tip and recompiled and now it works on my linux box.

>>> However, even with that fixed, I still get a handshake error. I
>>> guess that's because I don't have the correct client-certificate?
Yes you need your own client-certificate to connect to the service
(issued by apple)

When are we likely to see the patch applied to the main repository?

Thanks for the fast turn around on this problem and to the community
(dave, Patrick) for the support :)

Fabrizio

Adam Langley

Jun 29, 2012, 1:07:33 PM6/29/12
to Fabrizio Milo aka misto, Patrick Mylund Nielsen, Dave Cheney, golan...@googlegroups.com
On Fri, Jun 29, 2012 at 12:58 PM, Fabrizio Milo aka misto
<mist...@gmail.com> wrote:
> When is likely to see the patch applied to the main repository?

Well, the patch is a turd - matching Entrust's public key and
specifically bypassing a check in their case. None the less, I feel
it's probably worth landing.

I expect that it'll land within a few days, but a Go 1.0.3 release may
take a couple of months.


Cheers

AGL

Monnand

Aug 9, 2012, 9:20:23 PM8/9/12
to golan...@googlegroups.com
hi all,

just curious about the work here: did anyone solve this problem?

Regards,
-Monnand

Patrick Mylund Nielsen

Aug 9, 2012, 9:27:33 PM8/9/12
to Monnand, golan...@googlegroups.com

minux

Aug 9, 2012, 9:30:48 PM8/9/12
to Monnand, golan...@googlegroups.com
On Fri, Aug 10, 2012 at 9:20 AM, Monnand <mon...@gmail.com> wrote:
just curious about the work here: did anyone solve this problem?
this has been fixed in the default branch, and i think it has a high probability of being included in
the upcoming Go 1.0.3 release.

Monnand

Aug 10, 2012, 3:49:04 PM8/10/12
to golan...@googlegroups.com, Monnand
Thank you all, guys, for your work! Really nice!

Regards,
-Nan