2 way ssl works with Nginx but not my go server


ChrisLu

Feb 12, 2016, 4:39:02 PM
to golang-nuts
This is trying to implement a 2-way SSL connection. I have been fighting this for a week and it seems to be a problem in my Go (1.5.3) code.

The attached certFile, keyFile, and caFile have been tested with nginx and curl. They work fine. And yes, the CA file is locally generated.

However, when connecting from curl to the server, this vague error comes out:

2016/02/12 13:19:09 http: TLS handshake error from [::1]:64778: tls: failed to verify client's certificate: x509: certificate signed by unknown authority


I created the tlsConfig this way (skipping err checking for easier reading):

    cert, _ := tls.LoadX509KeyPair(certFile, keyFile)
    // Load CA cert
    caCert, _ := ioutil.ReadFile(caFile)
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    // Create tls config
    tlsConfig := &tls.Config{
        Certificates:       []tls.Certificate{cert},
        RootCAs:            caCertPool,
        ClientAuth:         tls.RequireAndVerifyClientCert, // server side setting
        InsecureSkipVerify: false,                          // client side setting
    }
    tlsConfig.BuildNameToCertificate()

    listener, err = tls.Listen("tcp", listenOn, tlsConfig)
    http.Serve(listener, masterMux)

localhost.cer
localhost.key
ca.cer
nginx.conf

Chris Lu

Feb 12, 2016, 4:55:01 PM
to golang-nuts
Resolved! Thanks for the direct answer from Anmol.

I should use tls.Config.ClientCAs not RootCAs.

And I should have asked earlier...

Chris


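The fix above in runnable form. This is an added example, not code from the thread or from the Go project: it generates a throwaway CA, server certificate and client certificate in memory (standing in for the attached ca.cer, localhost.cer and localhost.key), then runs one mutual-TLS handshake over loopback with the CA pool placed in `RootCAs` (the original bug) and once with it in `ClientCAs` (the fix). The function names `newCert` and `handshake` and the certificate subjects are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues an ECDSA certificate. With parent == nil it returns a
// self-signed CA; otherwise a leaf signed by parent/parentKey. These in-memory
// certificates stand in for the thread's ca.cer, localhost.cer and localhost.key.
func newCert(cn string, isCA bool, usage x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Verify() rejects issuers without cert-sign usage
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage} // serverAuth or clientAuth
	}
	if usage == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{"localhost"} // modern Go matches SANs, not the CN
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// handshake runs one mutual-TLS handshake over a loopback TCP connection and
// returns the server-side handshake error (nil on success). useClientCAs picks
// the correct field (ClientCAs) or the thread's misconfiguration (RootCAs).
func handshake(useClientCAs bool) error {
	ca, caKey, err := newCert("demo ca", true, 0, nil, nil)
	if err != nil {
		return err
	}
	srv, srvKey, err := newCert("localhost", false, x509.ExtKeyUsageServerAuth, ca, caKey)
	if err != nil {
		return err
	}
	cli, cliKey, err := newCert("demo client", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		SessionTicketsDisabled: true, // keep the exchange to the handshake itself
	}
	if useClientCAs {
		serverCfg.ClientCAs = pool // the pool used to verify the *client's* certificate
	} else {
		serverCfg.RootCAs = pool // only consulted when this config dials out as a client
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}},
		RootCAs:      pool, // on the client side RootCAs is the right field: it verifies the server
		ServerName:   "localhost",
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, serverCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	client := tls.Client(raw, clientCfg)
	_ = client.Handshake() // under TLS 1.3 the client can finish before the server has verified it
	err = <-srvErr
	client.Close()
	return err
}

func main() {
	fmt.Println("RootCAs on the server (thread's bug):", handshake(false))
	fmt.Println("ClientCAs on the server (the fix):   ", handshake(true))
}
```

With `RootCAs`, the server falls back to the system trust store when checking the client certificate, which is why the log shows "x509: certificate signed by unknown authority" even though the CA file loaded fine; `ClientCAs` is the field `RequireAndVerifyClientCert` actually reads.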

Anmol Sethi

Feb 12, 2016, 4:56:07 PM
to Chris Lu, golang-nuts
Sorry, I forgot I have to reply all to get the message sent to the mailing list.