
crypto/x509: unable to verify proxy self-signed cert · Issue #46937 · golang/go

Closed

Description

@alanhamlett

What version of Go are you using (go version)?

$ go version
1.16.5

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOOS="windows"

I personally don't use Windows; this issue occurs on users' Windows machines. It most likely also occurs on darwin, linux, etc.

What did you do?

We first learned of this with wakatime/wakatime-cli#385. The problem is Go's crypto/tls doesn't select the black-box corporate proxy's cert with the error:
x509: certificate signed by unknown authority

If we disable SSL verification, the request goes through. Python and Git can connect just fine; however, curl has some issues too, but it works with the --ssl-no-revoke flag.

My hypotheses:

  • Go thinks the Proxy's cert (installed correctly on the user's machine by their IT) is not valid for the server's domain. Maybe because the Proxy server doesn't rewrite the Host header.
  • The Proxy's cert is valid for domains *, but Go needs a TLD?
  • Some other reason Go thinks the Proxy's cert isn't valid for the end destination that's different from Python/OpenSSL. The error message means a cert for the domain wasn't found, not that one was found invalid.

What did you expect to see?

A valid TLS connection through the proxy.

What did you see instead?

Error message x509: certificate signed by unknown authority

Activity

Title changed from "net/http: Unable to verify Proxy self-signed cert" to "crypto/x509: unable to verify proxy self-signed cert" on Jun 26, 2021

seankhliao (Member) commented on Jun 26, 2021:

It would be more helpful if we can see the actual cert. I also see you're not checking if you actually get a valid SystemCertPool?

MITM proxies are inline and generate certs on demand, they don't need any host rewrites and the info the user provided indicated it used a standard wildcard cert for *.wakatime.com.

Label added: WaitingForInfo (Issue is not actionable because of missing required information, which needs to be provided.) on Jun 26, 2021

alanhamlett (Author) commented on Jun 27, 2021:

> It would be more helpful if we can see the actual cert.

@akaustav @bharatpaliwal-169 can you help provide the cert generated by your proxy when connecting to wakatime.com?

> you're not checking if you actually get a valid SystemCertPool

We should log on error instead of discarding it here? https://github.com/wakatime/wakatime-cli/blob/1a245fbba32a71aeeebbf08656ebca6ebfed41bf/pkg/api/transport.go#L106

alanhamlett (Author) commented on Jul 5, 2021:

Found the problem, system cert pool is not implemented on Windows:

https://golang.org/src/crypto/x509/cert_pool.go?s=3079:3119#L105

So, this is just a duplicate of #16736 and #18609.
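The failure mode the two comments above circle around (a discarded SystemCertPool error, and a system root pool that is simply unavailable on Windows in this Go version) is easy to reproduce in isolation. The following is an added example, not code from wakatime-cli or the Go project: it injects the Windows-style error (errNoSystemPool is a constructed stand-in, so the demo behaves the same on any OS), shows the anti-pattern of swapping in an empty x509.NewCertPool(), and beside it the corrected handling that leaves RootCAs nil so crypto/tls falls back to the platform verifier, or loads a custom CA bundle when one is supplied. The function names (buggyRoots, rootsFrom, newTransport, selfSignedCAPEM) are hypothetical, and the CA certificate is generated in-process as test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"time"
)

// errNoSystemPool stands in for the error x509.SystemCertPool returned on
// Windows before Go 1.18 (constructed here so the demo runs on any OS).
var errNoSystemPool = errors.New("crypto/x509: system root pool is not available on Windows")

// buggyRoots reproduces the anti-pattern: the SystemCertPool error is ignored
// and an empty pool is substituted. An empty *x509.CertPool trusts nothing, so
// every handshake fails with "x509: certificate signed by unknown authority".
func buggyRoots(sysPool *x509.CertPool, sysErr error) *x509.CertPool {
	if sysErr != nil || sysPool == nil {
		sysPool = x509.NewCertPool()
	}
	return sysPool
}

// rootsFrom is the corrected form. sysPool/sysErr are the results of
// x509.SystemCertPool(); extraCAPEM is an optional PEM bundle such as a
// corporate proxy's CA exported from the user's trust store. A nil RootCAs in
// tls.Config means "use the platform verifier", which is the right fallback
// when the system pool is unavailable and there is nothing custom to add.
func rootsFrom(sysPool *x509.CertPool, sysErr error, extraCAPEM []byte) (*x509.CertPool, error) {
	if sysErr != nil || sysPool == nil {
		if len(extraCAPEM) == 0 {
			return nil, nil // platform verifier; never x509.NewCertPool() here
		}
		// Cannot merge with system roots, so only the custom CA will be trusted;
		// say so instead of silently shrinking the trust set.
		log.Printf("warning: system roots unavailable (%v); trusting only the extra CA bundle", sysErr)
		sysPool = x509.NewCertPool()
	}
	if len(extraCAPEM) > 0 && !sysPool.AppendCertsFromPEM(extraCAPEM) {
		return nil, errors.New("extra CA bundle contains no valid certificates")
	}
	return sysPool, nil
}

// newTransport wires the pool into an http.Transport; a nil RootCAs is intentional.
func newTransport(roots *x509.CertPool) *http.Transport {
	return &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}
}

// selfSignedCAPEM generates a throwaway CA certificate (constructed test data)
// standing in for a proxy CA that IT installed on the user's machine.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Proxy CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// trustedCount reports how many roots a pool holds (0 for a nil pool).
func trustedCount(p *x509.CertPool) int {
	if p == nil {
		return 0
	}
	return len(p.Subjects()) // deprecated accessor, but adequate for a demo
}

func main() {
	// Simulate Windows on Go <= 1.17: SystemCertPool returns (nil, error).
	bad := buggyRoots(nil, errNoSystemPool)
	fmt.Printf("buggy: non-nil pool with %d roots -> every handshake fails\n", trustedCount(bad))

	good, err := rootsFrom(nil, errNoSystemPool, nil)
	fmt.Printf("fixed: RootCAs=%v err=%v -> platform verifier used\n", good, err)

	caPEM, err := selfSignedCAPEM()
	if err != nil {
		log.Fatal(err)
	}
	withCA, err := rootsFrom(nil, errNoSystemPool, caPEM)
	fmt.Printf("fixed + custom CA: %d trusted root(s), err=%v\n", trustedCount(withCA), err)
	_ = newTransport(good)
}
```

The distinction that matters for triage is nil versus empty: a nil RootCAs defers to whatever the platform trusts (which on Windows includes the IT-installed proxy CA), while an empty pool guarantees the "unknown authority" error the users reported regardless of what is installed on the machine.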

locked and limited conversation to collaborators on Jul 5, 2022

Labels: FrozenDueToAge, WaitingForInfo (Issue is not actionable because of missing required information, which needs to be provided.)

Participants: @alanhamlett, @gopherbot, @seankhliao