Bug 256003

Summary: lang/go: seems to ignore system trusted TLS certificates
Product: Ports & Packages
Reporter: Lapo Luchini <lapo>
Component: Individual Port(s)
Assignee: Dmitri Goutnik <dmgk>
Status: Closed Overcome By Events
Severity: Affects Some People
Flags: bugzilla: maintainer-feedback? (dmgk)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Attachments (description, flags):
  HTTPS go example (none)
  add FreeBSD 12.2 default certs dir to list (none)

Description Lapo Luchini 2021-05-19 15:28:04 UTC
In net-mgmt/prometheus2, net-mgmt/victoria-metrics and net-mgmt/blackbox_exporter I got a lot of:

  x509: certificate signed by unknown authority

until I installed ca_root_nss.

Is it necessary to use it in order to have working X.509 validation in Go?

Or could the Go port be made aware of the new system-based TLS certificate trust?

(or, then again, would it be necessary for each single Go-based port to support that?)

Sorry if the question might be silly, but I know very little about Go myself.
Comment 1 Dmitri Goutnik freebsd_committer 2021-05-19 15:44:26 UTC
(In reply to Lapo Luchini from comment #0)
Hi,

This is not really an issue with lang/go. It's up to individual ports to ensure they install all needed dependencies and if these ports need security/ca_root_nss, they need to add a runtime dependency on it.
Comment 2 Lapo Luchini 2021-05-19 20:08:33 UTC
The software I cited are just examples, the actual error is emitted by a Go library:

https://github.com/golang/go/blob/02ce4118219dc51a14680a0c5fa24cf6e73deeed/src/crypto/x509/verify.go#L139

I agree that each and every piece of software can have a local way to define "overrides" for the default TLS root CAs that are accepted, but the default is still something defined directly in the Go language, not in the single piece of software, which can easily be reproduced.

% ./test
2021/05/19 20:07:25 Get "https://lapo.it/": x509: certificate signed by unknown authority
% sudo pkg install ca_root_nss
% ./test
2021/05/19 20:07:50 &{200 OK 200 HTTP/2.0 2 0 map[Accept-Ranges:[bytes] …
Comment 3 Lapo Luchini 2021-05-19 20:08:56 UTC
Created attachment 225095 [details]
HTTPS go example
Comment 4 Dmitri Goutnik freebsd_committer 2021-05-19 20:56:01 UTC
Perhaps I'm misunderstanding, but if you want to use custom root certs, Go respects OpenSSL's SSL_CERT_FILE and SSL_CERT_DIR [1].

You're correct that Go validates certificates by default and I'm not aware of the way to alter this behavior with environment variables or other flags for compiled binaries. This default is not going to change so ports basically have three options:

(1) add runtime dependency on security/ca_root_nss, or
(2) install custom root certificates, or
(3) disable certificate validation in the code on the HTTP transport level [2].

[1] https://golang.org/pkg/crypto/x509/#SystemCertPool
[2] https://golang.org/pkg/crypto/tls/#Config
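The options listed above in working Go, as an added example that is not code from the bug report, from lang/go or from any of the ports mentioned. It builds a throwaway CA and server certificate in memory (no network, nothing written to disk), verifies the leaf once against an empty pool and once against a pool containing the CA, and shows the http.Transport wiring for an explicit root set (option 2). The names makeCA, issueLeaf, NewClient and Demo and the host name example.test are assumptions made for the example; the one detail worth keeping in mind is that a nil Roots/RootCAs means "use the system pool", which is the path the ports hit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// makeCA builds a throwaway self-signed root CA in memory (constructed for the
// example; it lives only as long as the process).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueLeaf issues a server certificate for dnsName signed by the CA above.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst runs the same path validation crypto/tls performs during a
// handshake. Roots == nil selects the system pool (the code path behind this
// bug); a non-nil pool, even an empty one, is used as-is.
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// IsUnknownAuthority reports whether err is the error type whose message is
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// NewClient is option (2): trust an explicit root set rather than whatever the
// system pool contains. Option (3) would be InsecureSkipVerify: true on the
// same tls.Config, which disables validation entirely and should not ship.
func NewClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// Demo verifies one leaf twice: against an empty pool (the failure the ports
// saw) and against a pool that contains the issuing CA.
func Demo() (emptyPoolErr, caPoolErr error) {
	ca, caKey, err := makeCA()
	if err != nil {
		return err, err
	}
	leaf, err := issueLeaf(ca, caKey, "example.test")
	if err != nil {
		return err, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return verifyAgainst(leaf, x509.NewCertPool(), "example.test"),
		verifyAgainst(leaf, trusted, "example.test")
}

func main() {
	e1, e2 := Demo()
	fmt.Println("empty pool:", e1)  // x509: certificate signed by unknown authority
	fmt.Println("CA trusted:", e2)  // <nil>
}
```

Replacing the in-memory CA with `x509.SystemCertPool()` (or leaving RootCAs nil) turns this into the ports' situation: on FreeBSD 12.2 before the upstream change discussed below, the system pool was empty unless security/ca_root_nss had populated it, so the first result is what every Go binary produced.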
Comment 5 Lapo Luchini 2021-05-19 21:23:44 UTC
Created attachment 225099 [details]
add FreeBSD 12.2 default certs dir to list

I think I found the way to fix it.
(building port right now, but I'm pretty sure that's it)
Comment 6 Lapo Luchini 2021-05-19 21:32:07 UTC
Also created a PR upstream:

https://github.com/golang/go/pull/46276
Comment 7 Lapo Luchini 2021-05-21 15:56:47 UTC
The upstream patch was already accepted (as a freeze exception) for (I guess) the next 1.17 release, but as summer releases are usually done in August/September, it would probably make sense to apply the local patch I provided in the meanwhile.
Comment 8 Lapo Luchini 2021-09-06 20:04:40 UTC
I checked that "pkg upgrade go" 1.16.7 -> 1.17 solves the issue.

ca_root_nss is no longer a needed dependency.

Sorry about the screenshot, but I did test in a quick VM without ssh access:
https://imgur.com/a/ExYQHsP