crypto/x509: root_darwin.go does not include trusted root certificates from System/Login keychains

[raszi]

This is a bug for tracking the work on the certificate handling in the not cgo version of go.

Intentionally copied over the original bug description from here #14514.

1. Tested on go version go1.6 darwin/amd64 and go version go1.5.3 darwin/amd64.
2. OS X Yosemite, OS X El Capitan
3. I attempted to connect to a TLS service with a certificate signed by an internal, enterprise certificate authority. The CA certificate was added to the System keychain.
4. I expected to be able to connect to the TLS service without any issue as the certificate is signed by a CA I trust.
5. The program failed to connect to the TLS service, because the CA certificate that issued the certificate is not installed in the SystemRootCertificates.keychain that Go loads trusted roots from.

On OS X Yosemite, this issue can be mitigated by installing the certificate into SystemRootCertificates.keychain via /usr/bin/security from the terminal:

sudo security add-trusted-cert -k /System/Library/Keychains/SystemRootCertificates.keychain <certificate>

However, on El Capitan this is no longer possible without turning off security protections enabled by Apple.

execSecurityRoots should try to load additional certificates from the System keychain located at /Library/Keychains/System.keychain, and the Login keychain (~/Library/Keychains/login.keychain).

This bug makes distributing Go clients (especially 3rd-party developed) difficult in organizations with an internal PKI.

[josharian]

I'm really glad to see the non-cgo version of certs getting some careful attention.

[mastercactapus]

@raszi Give 1.9rc2 a try, it should already have the fix for this.
https://go-review.googlesource.com/c/36941

[lmayorga1980]

I recompiled golang go version devel +165c15afa3 Fri Sep 15 17:29:51 2017 +0000 darwin/amd64 and compiled my own version of Packer hashicorp/packer#5230 but still got the x509 error.

* Post-processor failed: Failed to start import from s3://<some-bucket>/packer-import-1505501667.ova: RequestError: send request failed
caused by: Post https://ec2.us-east-1.amazonaws.com/: x509: certificate signed by unknown authority

OSX: 10.12.6 (16G29)

Any advice on how to get a workaround.

[mastercactapus]

@lmayorga1980 is that with, or without, cgo disabled? (try setting CGO_ENABLED=0 when building)

[lmayorga1980]

I didn't 😢 . I will try again when building go.

[mastercactapus]

Set CGO_ENABLED=0 when building Packer (or whichever app/program you're testing) to get a pure-go version, no need to rebuild Go itself.

[lmayorga1980]

Confirmed. It works for me 👍 🎉 🎈 .

My steps:

1. brew install golang. This will install 1.9 from the binary releases.
2. Recompiled Golang from master branch in OSX Sierra.
3. brew uninstall golang
4. Add my compiled go to the PATH
5. Compiled Hashicorp/Packer from source.

Thanks.

[lmayorga1980]

@mastercactapus Do you know when this will be available in the core go release?

[ianlancetaylor]

@lmayorga1980 I'm not sure whether anything was committed because of this issue, but the 1.10 Go release is scheduled for February 1. https://github.com/golang/go/wiki/Go-Release-Cycle

[ianlancetaylor]

Actually, as far as I can tell from the comments above, this is fixed in 1.9, so it is already in a core Go release. But to get a non-cgo version, you'll have to build it yourself, following the comments above, or as described at https://golang.org/doc/install/source setting CGO_ENABLED=0 in the environment.

I'm going to close this issue because I don't see anything to do. Please comment if you disagree.