These are the locations that are searched on *BSD machines

// Possible certificate files; stop after finding one.
var certFiles = []string{
	"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
	"/etc/ssl/cert.pem",                      // OpenBSD
	"/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

On Tuesday, 30 August 2016 09:55:34 UTC+10, Niloy Debnath wrote:
>
> What version of Go are you using (go version)?
>
> go version devel +e6f9f39 Mon Aug 29 18:25:33 2016 +0000 linux/amd64
> Checkout 1.7 from git master branch and compiled.
>
>
> What operating system and processor architecture are you using (go env)?
>
> GOARCH="amd64"
> GOBIN=""
> GOEXE=""
> GOHOSTARCH="amd64"
> GOHOSTOS="linux"
> GOOS="linux"
> GOPATH="/home/ndebnath/opensource"
> GORACE=""
> GOROOT="/home/ndebnath/golang/go"
> GOTOOLDIR="/home/ndebnath/golang/go/pkg/tool/linux_amd64"
> CC="gcc"
> GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0
> -fdebug-prefix-map=/tmp/go-build614456670=/tmp/go-build
> -gno-record-gcc-switches"
> CXX="g++"
> CGO_ENABLED="1"
>
> What did you do?
>
> Install CAcert on FreeBSD system. I placed the certificate in
> /etc/ssl/certs, calculated the hash
> and then created a symlink from /etc/ssl/certs/.0 to cacert.pem.
>
> Now the problem is fetch doesn't even look there. It only looks at
> /usr/local/share/certs/ca-root-nss.crt. So if I remove cert.pem then
> I get the below error,
>
> Certificate verification failed for
> /C=xx/ST=xx/OU=Server/L=unknown/CN=localhost
> 91426:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:974:
> fetch: https://ip:port/v1/agent/checks: Authentication error
>
> And other https requests are not going through because of "x509: certificate
> signed by unknown authority".
>
> During investigation I have seen that Go does not check for
> /etc/ssl/certs/ location files if the symbolic link for nss root exists (
> https://golang.org/src/crypto/x509/root_unix.go: Line 32). If I comment
> out this return statement then it worked for me.
>
> What did you expect to see?
>
> Both, systems default ca cert and ca files inside /etc/ssl/certs/ location
> should work together on FreeBSD.
>
> What did you see instead?
>
> ca file at /etc/ssl/certs/ location is not getting validated when system
> default ca exists.
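
Because the certFiles list above stops at the first bundle found, a program that also needs the CA files from a directory has to merge them into its own pool before verifying. The Go program below is an added example, not code from this thread or from the Go project: addCADir and demo are hypothetical names, the CA is constructed sample data generated at run time, and an empty pool and a temporary directory stand in for x509.SystemCertPool() and /etc/ssl/certs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// addCADir (hypothetical helper) adds the PEM certificates in each file under dir to pool.
func addCADir(pool *x509.CertPool, dir string) (n int, err error) {
	entries, err := os.ReadDir(dir)
	for _, e := range entries {
		data, rerr := os.ReadFile(filepath.Join(dir, e.Name())) // follows <hash>.0 symlinks
		if rerr == nil && pool.AppendCertsFromPEM(data) {
			n++ // count files that contributed at least one certificate
		}
	}
	return n, err
}

// demo verifies a constructed self-signed CA before and after its directory is merged.
func demo() (added int, before, after error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	ca, err := x509.ParseCertificate(der) // also fails if CreateCertificate failed
	if err != nil {
		return 0, err, err
	}
	dir, err := os.MkdirTemp("", "certs") // stands in for /etc/ssl/certs
	if err != nil {
		return 0, err, err
	}
	defer os.RemoveAll(dir)
	pemCA := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	os.WriteFile(filepath.Join(dir, "cacert.pem"), pemCA, 0o600) // a failed write shows as added == 0
	pool := x509.NewCertPool() // empty stand-in for x509.SystemCertPool()
	_, before = ca.Verify(x509.VerifyOptions{Roots: pool})
	added, _ = addCADir(pool, dir)
	_, after = ca.Verify(x509.VerifyOptions{Roots: pool})
	return added, before, after
}
func main() { fmt.Println(demo()) }
```

In a real client the pool would come from x509.SystemCertPool() and be set as RootCAs in the tls.Config used for the HTTPS requests.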