
certificate issue on darwin #1334

Closed
ProbablyRusty opened this issue Apr 15, 2016 · 5 comments

Comments

@ProbablyRusty
Contributor

ProbablyRusty commented Apr 15, 2016

Using Vault version 0.5.2, the following works fine on Linux (both CLI and API):

API:

# curl https://my.private.vault.server:8200/v1/sys/seal-status
{"sealed":false,"t":3,"n":5,"progress":0}

CLI:

# export VAULT_ADDR=https://my.private.vault.server:8200
# vault unseal
Vault is already unsealed.

However, on Darwin (OS X 10.11.4 in this case), the API works (i.e. the system trusts the cert), but the CLI fails:

API:

# curl https://my.private.vault.server:8200/v1/sys/seal-status
{"sealed":false,"t":3,"n":5,"progress":0}

CLI:

# export VAULT_ADDR=https://my.private.vault.server:8200
# vault unseal
Error checking seal status: Get https://my.private.vault.server:8200/v1/sys/seal-status: x509: certificate signed by unknown authority

I have redacted the server name in all cases here, but the cert is signed by a root CA that is installed on both the example Linux and Darwin clients above (and as you can see from the API examples, is trusted on both the Linux and Darwin clients).

This is from curl -v if it is helpful in isolating the problem to a specific type of cert:

* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
@jefferai
Member

Unfortunately, this is a Go problem (golang/go#14514); it's possible that rebuilding Vault yourself as a dynamic binary will cause different behavior. Hopefully Go 1.7 will fix this.
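The failure above is a client-side trust-store problem, not a bad certificate: curl on the same Mac accepts the chain, while the statically built Go binary cannot find a usable set of roots and reports "x509: certificate signed by unknown authority". The program below is an added example (not code from this issue or from Vault's code base) that reproduces that error offline and shows the mitigation that does not depend on the OS keychain or on rebuilding with cgo: giving the client the CA bundle explicitly, which is what pointing the Vault CLI at a CA file (VAULT_CACERT / -ca-cert) does. The private root CA, the leaf certificate, the local TLS server standing in for my.private.vault.server, and the seal-status response body are all constructed inside the program. Assumes Go 1.16 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed response body, shaped like the seal-status output quoted in the issue.
const sealStatusBody = `{"sealed":false,"t":3,"n":5,"progress":0}`

// newCert generates a P-256 key and a certificate for tmpl. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is issued by parent/parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// StartPrivateCAServer stands in for my.private.vault.server (hypothetical host): a
// TLS listener on 127.0.0.1 whose leaf is issued by a throwaway private root. It
// returns the server and the root in PEM form, i.e. the file VAULT_CACERT would name.
func StartPrivateCAServer() (*httptest.Server, []byte, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "my.private.vault.server"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}
	leaf, leafKey, err := newCert(leafTmpl, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/sys/seal-status" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, sealStatusBody)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{
		Certificate: [][]byte{leaf.Raw},
		PrivateKey:  leafKey,
	}}}
	srv.StartTLS()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return srv, caPEM, nil
}

// LoadCABundle builds the trust store from PEM bytes instead of asking the OS for
// its roots; this is the effect of pointing the CLI at a CA file.
func LoadCABundle(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no certificates found in CA bundle")
	}
	return pool, nil
}

// SealStatus is the client side of the CLI's first step: fetch /v1/sys/seal-status
// over TLS, trusting only the roots in pool. An empty pool reproduces the darwin
// failure, where the binary ended up with no usable roots.
func SealStatus(addr string, pool *x509.CertPool) (string, error) {
	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
	resp, err := client.Get(addr + "/v1/sys/seal-status")
	if err != nil {
		return "", fmt.Errorf("error checking seal status: %w", err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(body)), nil
}

// IsUnknownAuthority reports whether err is the verification failure from the issue.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae) || strings.Contains(err.Error(), "certificate signed by unknown authority")
}

func main() {
	srv, caPEM, err := StartPrivateCAServer()
	if err != nil {
		panic(err)
	}
	defer srv.Close()

	// 1. No usable roots: the same error the darwin CLI printed.
	_, err = SealStatus(srv.URL, x509.NewCertPool())
	fmt.Println("empty trust store:", err)

	// 2. Explicit CA bundle: verification succeeds without consulting the system store.
	pool, err := LoadCABundle(caPEM)
	if err != nil {
		panic(err)
	}
	body, err := SealStatus(srv.URL, pool)
	fmt.Println("explicit CA bundle:", body, err)
}
```

The point of the two runs is that the certificate chain is identical in both; only the client's root set changes. A "certificate signed by unknown authority" error from a Go client therefore says nothing about the server's certificate until you know which roots the client actually loaded, and supplying the CA bundle explicitly removes the platform-specific root-loading code from the equation entirely. The server logs a "TLS handshake error" line for the first run, which is expected.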

@jefferai jefferai reopened this Apr 19, 2016
@ProbablyRusty
Contributor Author

By the way, I can confirm that compiling Vault 0.5.2 with CGO enabled does successfully work around this issue.

@vishalnayak
Member

@consultantRR Good to know that you were able to work around the problem!

This issue was reopened by mistake. Closing this again.
Very sorry for the confusion.

@jefferai
Member

jefferai commented May 3, 2016

FYI: We switched to a different CA loading package that has explicit support for trying to work around this problem, so in the next release of Vault this may "just work" (without needing to fall back to building yourself with cgo enabled).

@ProbablyRusty
Contributor Author

Fantastic, I look forward to testing.
