Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: unable to verify proxy self-signed cert #46937

Closed
alanhamlett opened this issue Jun 26, 2021 · 3 comments · Fixed by wakatime/wakatime-cli#469
Closed

crypto/x509: unable to verify proxy self-signed cert #46937

alanhamlett opened this issue Jun 26, 2021 · 3 comments · Fixed by wakatime/wakatime-cli#469
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@alanhamlett
Copy link

alanhamlett commented Jun 26, 2021
edited
Loading

What version of Go are you using (go version)?

$ go version
1.16.5

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOOS="windows"

I personally don't use Windows, this issue occurs on users' Windows machines. It most likely also occurs on darwin, linux, etc. too.

What did you do?

We first learned of this with wakatime/wakatime-cli#385. The problem is Go's crypto/tls doesn't select the black-box corporate proxy's cert with the error:
x509: certificate signed by unknown authority

If we disable SSL verification, the request goes through. Python and Git can connect just fine however Curl has some issues too but curl works with the --ssl-no-revoke flag.

My hypotheses:

  • Go thinks the Proxy's cert (installed correctly on the user's machine by their IT) is not valid for the server's domain. Maybe because the Proxy server doesn't rewrite the Host header.
  • The Proxy's cert is valid for domains *, but Go needs a TLD?
  • Some other reason Go thinks the Proxy's cert isn't valid for the end destination that's different from Python/OpenSSL. The error message means a cert for the domain wasn't found, not that one was found invalid.

What did you expect to see?

A valid TLS connection through the proxy.

What did you see instead?

Error message x509: certificate signed by unknown authority
@seankhliao seankhliao changed the title net/http: Unable to verify Proxy self-signed cert crypto/x509: unable to verify proxy self-signed cert Jun 26, 2021
@seankhliao
Copy link
Member

It would be more helpful if we can see the actual cert. I also see you're not checking if you actually get a valid SystemCertPool?

MITM proxies are inline and generate certs on demand, they don't need any host rewrites and the info the user provided indicated it used a standard wildcard cert for *.wakatime.com.

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jun 26, 2021
@alanhamlett
Copy link
Author

It would be more helpful if we can see the actual cert.

@akaustav @bharatpaliwal-169 can you help provide the cert generated by your proxy when connecting to wakatime.com?

you're not checking if you actually get a valid SystemCertPool

We should log on error instead of discarding it here? https://github.com/wakatime/wakatime-cli/blob/1a245fbba32a71aeeebbf08656ebca6ebfed41bf/pkg/api/transport.go#L106

@alanhamlett alanhamlett mentioned this issue Jun 27, 2021
Merged
@alanhamlett alanhamlett reopened this Jun 28, 2021
@alanhamlett
Copy link
Author

alanhamlett commented Jul 5, 2021
edited
Loading

Found the problem, system cert pool is not implemented on Windows:

https://golang.org/src/crypto/x509/cert_pool.go?s=3079:3119#L105

So, this is just a duplicate of #16736 and #18609.

@golang golang locked and limited conversation to collaborators Jul 5, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Log warning on system cert pool error wakatime/wakatime-cli
3 participants
@alanhamlett @gopherbot @seankhliao