
crypto/x509: untrusted intermediates are not used on macOS #35631

Closed
mariusgrigoriu opened this issue Nov 16, 2019 · 14 comments
Labels: FrozenDueToAge, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.), OS-Darwin
Milestone: Unplanned

Comments

@mariusgrigoriu

What version of Go are you using (go version)?

$ go version
go version go1.13.4 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/xhp9/Library/Caches/go-build"
GOENV="/Users/xhp9/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/xhp9"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.13.4/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.13.4/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/xhp9/src/github.com/nordstrom/kubelogin/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/qy/p4t6xtws5yv8llv3wg15ck9rztrl8v/T/go-build395049258=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Open an http connection to a remote server using an internal certificate. Web browsers have no issue accepting the certificate.

A workaround is to set the issuing CA to Always Trust in the keychain. Using system defaults does not work.

Basically this seems to be the same issue as #30471 or #30672 except I get a failure even with CGO_ENABLED=0.

What did you expect to see?

No error.

What did you see instead?

x509: certificate signed by unknown authority

@mariusgrigoriu
Author

@FiloSottile I think we're still having issues with certificate trust settings on mac os.

@FiloSottile
Contributor

Thanks for the report, can you give us the output of GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509?

@mariusgrigoriu
Author

The test passes in both cases. However, when the certificate is set to "Use System Defaults" it does not even appear in the debug output. It does appear when set to "Always Trust."

@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 18, 2019
@andybons andybons added this to the Unplanned milestone Nov 18, 2019
@emberquill

I'm experiencing the same issue on macOS Mojave, running go 1.13.4.

The certificate chain in our environment has two intermediate CAs between the Root CA and the site certificate. If the site certificate's issuing CA isn't marked as Always Trusted, then trust isn't inherited, even though the Root CA is always trusted.

I was going to post the code snippet that was failing, but even just http.Get("https://www.google.com") fails with the same error.

@FiloSottile
Contributor

FiloSottile commented Dec 26, 2019

@emberquill is the intermediate served by the TLS server, or is it relying on finding it in the keychain? Because that's something we don't do (and would be very hard to do with our API): take untrusted certificates from the keychain and pour them into the intermediates pool.

As a workaround you can make sure the server provides a full chain to the root.

@FiloSottile FiloSottile changed the title crypto/x509: Trust setting not inherited on darwin crypto/x509: untrusted intermediates are not used on macOS Dec 26, 2019
@emberquill

It's an issue with my employer's local network rather than the site I'm trying to access. Our network proxy performs TLS inspection, so traffic ends up signed by an internal CA, and the root and intermediaries are all in the Keychain. The Root CA is always trusted, but the two intermediate CAs are set to "Use System Defaults" in the Keychain and thus trigger this error in Go.

Changing the intermediate CAs to Always Trusted is a sufficient workaround for me.

@FiloSottile
Contributor

Can you confirm that the proxy doesn't send the intermediate in the TLS handshake?

@mariusgrigoriu
Author

I thought I saw an overhaul to how Go interacts with the keychain, but lost the link. Would that change solve this issue?

@rolandshoemaker
Member

CL 227037 changed how the macOS API is called, but didn't change how intermediates in the keychain are treated; they are still ignored.
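FiloSottile's comment above (the intermediates pool is only filled from what the TLS server sends, so the workaround is to have the server serve the full chain) and rolandshoemaker's note that keychain intermediates are still ignored describe the same rule. The Go program below is an added example, not code from this issue or from the Go project. It builds a constructed root -> intermediate -> leaf chain in memory, shows that verifying the leaf with only the root trusted fails with x509.UnknownAuthorityError (the "certificate signed by unknown authority" message reported above), shows that supplying the intermediate in the Intermediates pool makes the same leaf verify, and shows a client-side workaround for servers that do not send the chain: a tls.Config.VerifyPeerCertificate callback that adds locally known intermediates to the pool before calling Verify. The CA names and the host name proxy.example.internal are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed root -> intermediate -> leaf chain (example data, not real CAs).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// newCert generates a P-256 key and signs tmpl with parentKey; when parent is nil the
// certificate is self-signed with its own key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewChain builds the constructed three-level chain used by the example.
func NewChain() (*Chain, error) {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey, err := newCert(caTmpl(1, "Constructed Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := newCert(caTmpl(2, "Constructed Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "proxy.example.internal"}, // made-up host
		DNSNames:     []string{"proxy.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := newCert(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf verifies leaf against roots using only the intermediates supplied in the pool,
// which is exactly what crypto/x509 does with what the TLS server sent: nothing else is consulted.
func VerifyLeaf(leaf *x509.Certificate, roots, intermediates *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// VerifyWithLocalIntermediates returns a tls.Config.VerifyPeerCertificate callback that verifies
// the served chain against roots after adding locally known intermediates (e.g. ones exported from
// the keychain) to the pool. rawCerts[0] is the leaf; any further served certs are intermediates.
func VerifyWithLocalIntermediates(roots *x509.CertPool, local []*x509.Certificate, host string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no certificate presented by peer")
		}
		inters := x509.NewCertPool()
		for _, c := range local {
			inters.AddCert(c)
		}
		var leaf *x509.Certificate
		for i, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if i == 0 {
				leaf = c
			} else {
				inters.AddCert(c)
			}
		}
		return VerifyLeaf(leaf, roots, inters, host)
	}
}

func main() {
	ch, err := NewChain()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ch.Root)
	const host = "proxy.example.internal"
	fmt.Println("root trusted, intermediate not served:", VerifyLeaf(ch.Leaf, roots, nil, host))
	inters := x509.NewCertPool()
	inters.AddCert(ch.Intermediate)
	fmt.Println("root trusted, intermediate in pool:", VerifyLeaf(ch.Leaf, roots, inters, host))
	cb := VerifyWithLocalIntermediates(roots, []*x509.Certificate{ch.Intermediate}, host)
	fmt.Println("callback with local intermediate, leaf only served:", cb([][]byte{ch.Leaf.Raw}, nil))
}
```

If the callback is used as the only check, tls.Config.InsecureSkipVerify must be true, otherwise the standard verification runs first and fails exactly as in this issue; the callback then carries the whole responsibility (chain, expiry, EKU and host name), which is why it passes DNSName to Verify rather than skipping it. Serving the full chain from the server remains the simpler fix.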


@gopherbot
Contributor

Change https://golang.org/cl/353132 mentions this issue: crypto/x509: use platform verifier on darwin

@golang golang locked and limited conversation to collaborators Nov 5, 2022
7 participants