-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/x509: root_darwin.go does not include trusted root certificates from System/Login keychains #14514
Comments
Currently Golang uses Obviously we may simply run Look at what we are doing with Linux and BSD, in those OSes we have been importing certificates from only trusted locations (means you need root privilege to change them) we might want to include only Just my thought. |
That sounds pretty reasonable, though other suggestions (i.e., #14022, #3905) indicate the Golang project is considering following OpenSSL's conventions by looking up |
Yeah I can see your point, it seems unnecessary to limit the current user from using his/her own keychain as a trusted storage. Also note that if the target machine has |
I have a potential fix here: I'll work on https://golang.org/doc/contribute.html if no one else has a proposed solution. Basically I'm copying all the trusted certificates from the System, Admin & User domains and then filtering out all the ones where the subject and issuer names don't match (not a root CA or self signed cert). |
CL https://golang.org/cl/20351 mentions this issue. |
Allows configuration of the CA certs for the Atlas connection via environment variables `ATLAS_CAFILE` or `ATLAS_CAPATH`. Also catches the workaround for golang/go#14514 in go-rootcerts so that OS X clients behave properly.
Allows configuration of the CA certs for the Atlas connection via environment variables `ATLAS_CAFILE` or `ATLAS_CAPATH`. Also catches the workaround for golang/go#14514 in go-rootcerts so that OS X clients behave properly.
Allows configuration of the CA certs for the Atlas connection via environment variables `ATLAS_CAFILE` or `ATLAS_CAPATH`. Also catches the workaround for golang/go#14514 in go-rootcerts so that OS X clients behave properly.
Allows CA certs to be configured via `ATLAS_CAFILE` and `ATLAS_CAPATH` env vars, and works around golang/go#14514 on OS X.
Allows CA certs to be configured via `ATLAS_CAFILE` and `ATLAS_CAPATH` env vars, and works around golang/go#14514 on OS X.
Hello friends! As you might have guessed from the above linked-issue noise - I made a package today to work around this issue in Packer and Terraform. I'm hoping to convert the basic strategy into a Go patch soon, but in the meantime you can check out the package here: https://github.com/hashicorp/go-rootcerts |
Allows CA certs to be configured via `ATLAS_CAFILE` and `ATLAS_CAPATH` env vars, and works around golang/go#14514 on OS X.
Allows CA certs to be configured via `ATLAS_CAFILE` and `ATLAS_CAPATH` env vars, and works around golang/go#14514 on OS X.
Allows CA certs to be configured via `ATLAS_CAFILE` and `ATLAS_CAPATH` env vars, and works around golang/go#14514 on OS X.
Hi folks - great to see @hinman's patch landing, thank you for that work! Because it's a |
New bug. |
Allows CA certs to be configured via `ATLAS_CAFILE` and `ATLAS_CAPATH` env vars, and works around golang/go#14514 on OS X.
@phinze Yeah, I'm in the same boat. The |
@grep-awesome This issue is closed. Please open a new issue or discuss this in a forum (https://golang.org/wiki/Questions). |
Change https://golang.org/cl/227037 mentions this issue: |
go version go1.6 darwin/amd64
andgo version go1.5.3 darwin/amd64
.On OS X Yosemite, this issue can be mitigated by installing the certificate into SystemRootCertificates.keychain via
/usr/bin/security
from the terminal:However, on El Capitan this is no longer possible without turning off security protections enabled by Apple.
execSecurityRoots
should try to load additional certificates from the System keychain located at/Library/Keychains/System.keychain
, and the Login keychain (~/Library/Keychains/login.keychain
).This bug makes distributing Go clients (especially 3rd-party developed) difficult in organizations with an internal PKI.
The text was updated successfully, but these errors were encountered: