crypto/x509: darwin only loads system.root keychain should also load system keychain

[jostockley]

Please answer these questions before submitting your issue. Thanks!

1. What version of Go are you using (go version)?
   1.6
2. What operating system and processor architecture are you using (go env)?
   amd64 darwin El Capitan
3. What did you do?
   I am trying to run minikube start on a mac running el capitan. I am inside my corporate network and they have a TLS man-in-the-middle box between the internal network and the internet so that when a TLS connection is made to an internet site, it generates an SSL certificate signed by the corporate root CA. This is installed in my Mac in the system keychain since it is not possible to install trusted CA root certs in the system.root keychain. However, in src/crypto/x509/root_darwin.go I see this:

func execSecurityRoots() (*CertPool, error) {
        cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
        data, err := cmd.Output()
        if err != nil {
                return nil, err
        }

        roots := NewCertPool()
        roots.AppendCertsFromPEM(data)
        return roots, nil
}

I believe the code should also load certificates from /System/Library/Keychains/SystemCACertificates.keychain

so as to pick up any user installed root certificates.

[bradfitz]

I suspect this is a dup of #14514 which was fixed for Go 1.7. Can you verify?

[jostockley]

I don't see any difference using 1.7rc3, here's my example:

package main

import (
    "log"
    "net/http"
)

func main() {
    _, err := http.Get("https://storage.googleapis.com/minikube/releases.json")
    if err != nil {
        log.Fatal(err)
    }
}

The certificate sent by googleapis is intercepted by our corporate mitm server and a substitute certificate is generated and signed by our internal enterprise intermediate CA SSL which is in turn signed by the internal enterprise CA Root. The program fails with this error:

2016/07/29 11:49:35 Get https://storage.googleapis.com/minikube/releases.json: x509: certificate signed by unknown authority

If I connect my mac to an outside network (such as Starbucks WIFI) the program runs successfully.

[josharian]

The code quoted is for toolchains without cgo. Do you have cgo?

It could well be that the fix you suggest is correct, which would be great. I didn't find that file when I was working on https://codereview.appspot.com/22020045, and I experienced the exact same problem at the time, with a corp cert.

[bradfitz]

@jostockley, could you answer Josh's question? Are you using cgo?

[jostockley]

This was a while ago now, so I tried my test again. I'm using go installed on my Mac using homebrew.
How do I tell if its cgo or regular go??

$ more https.go
package main

import (
    "log"
    "net/http"
)

func main() {
    _, err := http.Get("https://storage.googleapis.com/minikube/releases.json")
    if err != nil {
        log.Fatal(err)
    }
}

$ go version
go version go1.7.4 darwin/amd64
$ go run https.go
2017/01/06 17:10:17 Get https://storage.googleapis.com/minikube/releases.json: x509: certificate signed by unknown authority
exit status 1

[bradfitz]

When you filed a bug, the issue template requested that you paste the output of go env. That would contain the answer.

[jostockley]

So that is what the (go env) meant. It might be better if it said explicity to run the go env command.
Anyhow, here's the output from the go I have from homebrew:

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/stockj3/work"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.7.4_1/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.7.4_1/libexec/pkg/tool/darwin_amd64"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/n2/9tk23c5d1bbb8tkpwz_w9pfmm97_88/T/go-build030846639=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"

[bradfitz]

Okay, so you have cgo.

I guess the next question is whether the changes during Go 1.8 helped this or not.

Could you try Go 1.8beta2? https://golang.org/dl/#go1.8beta2

$ go get golang.org/x/build/version/go1.8beta2
$ go1.8beta2 download
$ go1.8beta2 run https.go

[jostockley]

Problem still exists:

$ go1.8beta2 env
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/stockj3/work"
GORACE=""
GOROOT="/Users/stockj3/sdk/go1.8beta2"
GOTOOLDIR="/Users/stockj3/sdk/go1.8beta2/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/n2/9tk23c5d1bbb8tkpwz_w9pfmm97_88/T/go-build809517524=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
$ go1.8beta2 run https.go
2017/01/06 17:42:26 Get https://storage.googleapis.com/minikube/releases.json: x509: certificate signed by unknown authority
exit status 1