I'm trying to learn about certificates and trying to get an https client to
use a certificate I made with crypto/x509/generate_cert.go. My server is
http://play.golang.org/p/P-frV4zd6R. Installing the cert into a browser,
the browser is happy with the cert. My client program though
(http://play.golang.org/p/Rzx8oNuXAb) doesn't like it and gives "Get
https://127.0.0.1:8080: x509: certificate signed by unknown authority." I
expected that putting the certificate in Config.RootCAs would make it a
known authority, but obviously not. How can I do this, or what do I need
to learn next?


  • Minux at Nov 1, 2012 at 5:53 pm

    I think you will need a cert with basic constraint CA set to true to be
    usable as Config.RootCAs.

    --
  • Sonia Keys at Nov 1, 2012 at 5:59 pm
    I wondered about that. I tried adding

        BasicConstraintsValid: true,
        IsCA:                  true,

    to the template in generate_cert.go, but that didn't help.
    --
  • Rob Lapensee at Nov 1, 2012 at 6:02 pm
    This is some code snipped out of a program that tells the connection to
    allow "Insecure"; the marked line is what I need to allow my program to
    connect to a self-signed certificate.

    import (
        "crypto/tls"
        "net/http"
    )

    var bodyType string = "text/xml"
    var client *http.Client
    var err error
    var res *http.Response

    // url and bodyReader are defined elsewhere in the program.
    // InsecureSkipVerify turns off all verification of the server certificate.
    config := &tls.Config{InsecureSkipVerify: true} // this line here
    tr := &http.Transport{TLSClientConfig: config}
    client = &http.Client{Transport: tr}

    res, err = client.Post(url, bodyType, bodyReader)

    Regards,

    Rob
    --
  • Sonia Keys at Nov 1, 2012 at 6:15 pm
    Yes, InsecureSkipVerify makes the message go away, but I was looking for a
    way to get it to properly verify. Seems like there should be a way.
    --
  • Agl at Nov 1, 2012 at 6:56 pm

    Do you have KeyUsageCertSign set?


    Cheers

    AGL

    --
  • Sonia Keys at Nov 1, 2012 at 7:12 pm
    That was it! Thank you. It took both KeyUsageCertSign and IsCA.
    --
  • Adam Langley at Nov 1, 2012 at 7:19 pm

    Both are required by RFC 5280.


    Cheers

    AGL

    --
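
The outcome of the thread as an added example (not code from any of the posters or from generate_cert.go): a self-signed certificate created with IsCA, BasicConstraintsValid and KeyUsageCertSign verifies against a root pool that contains it, while a pool holding a different certificate reproduces the "certificate signed by unknown authority" error. The helper names newSelfSigned and verifyAgainst, the Ed25519 key and the subject are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned makes a constructed self-signed certificate for 127.0.0.1.
func newSelfSigned() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Co (constructed)"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // per the thread
		BasicConstraintsValid: true, IsCA: true, // per the thread
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst checks server as a TLS client would if trusted were its only root.
func verifyAgainst(server, trusted *x509.Certificate) error {
	roots := x509.NewCertPool() // the pool a client assigns to tls.Config.RootCAs
	roots.AddCert(trusted)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "127.0.0.1"})
	return err
}

func main() {
	a, errA := newSelfSigned()
	b, errB := newSelfSigned()
	if errA != nil || errB != nil {
		panic("certificate generation failed")
	}
	fmt.Println("pinned:", verifyAgainst(a, a), "| other root:", verifyAgainst(a, b))
}
```

In a client, the same pool goes into tls.Config.RootCAs with InsecureSkipVerify left at its default of false.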

Discussion Overview
group: golang-nuts
category: go
posted: Nov 1, '12 at 5:46p
active: Nov 1, '12 at 7:19p
posts: 8
users: 4
website: golang.org
