FAQ
I have an account with GoDaddy.
I generated a certificate using the Starfield Technologies option.

I can see the https: site from the browser. Calling a service from the command line
from Terminal on my Mac, I am getting:
"x509: certificate signed by unknown authority"

From Windows I am not getting this message.

What is wrong?


  • Dave Cheney at Jan 12, 2013 at 1:52 am
    What is the URL of the site in question?
  • Constantine Vasil at Jan 12, 2013 at 2:13 am
    Where can I send you the link in private?
  • Patrick Mylund Nielsen at Jan 12, 2013 at 1:55 am
    Almost certainly that the GoDaddy bundle PEM was not included in the pem
    file you are using (or is not pointed to using the IntermediateCA directive
    in Apache). The gd_bundle.crt can be found here:
    https://certs.godaddy.com/anonymous/repository.seam

    If you are using e.g. nginx, append the contents of gd_bundle.crt to your
    own .crt, e.g. cat gd_bundle.crt >> yourserver.crt, then restart the web
    server.

    You can verify that the chain is included here:
    https://www.ssllabs.com/ssltest/index.html

  • Constantine Vasil at Jan 12, 2013 at 6:38 am
    I am not using nginx, I am using a Golang web server, trying to keep it
    simple.
    In GoDaddy, under Download Certificate, there are options; in this case which
    one should I use: Apache, nginx or what? I have -cert.pem and -key.pem in the
    same folder as the executable, and they are referenced from
    http.ListenAndServeTLS.

    The ssllabs test returned:
    Chain issues: Incomplete
    Secure Renegotiation: Not supported (ACTION NEEDED)
    BEAST attack: Vulnerable (INSECURE)
    Session resumption: No (IDs empty)

    This server definitely needs configuration. How do I do it?
  • Patrick Mylund Nielsen at Jan 12, 2013 at 6:59 am
    It should work if you append the contents of gd_bundle.crt (from
    https://certs.godaddy.com/anonymous/repository.seam) to the -cert.pem file,
    e.g. cat gd_bundle.crt >> your-cert.pem, then restart the Go server
    application. It isn't presenting enough information to the client (i.e. a
    browser or a Go client).
  • Constantine Vasil at Jan 12, 2013 at 7:37 pm
    I just did this but there is no change in behavior
  • Agl at Jan 14, 2013 at 2:45 pm

    On Saturday, January 12, 2013 2:37:09 PM UTC-5, Constantine Vasil wrote:

    I just did this but there is no change in behavior
    If it works with a Go client on Windows, but not on Mac, then we might be
    failing to find the rootstore on OS X. Here's the code that we use for
    doing this on OS X: http://golang.org/src/pkg/crypto/x509/root_darwin.go

    I'm not a Mac person so I rather have to trust this code.

    Additionally, it might be an incomplete chain that CryptoAPI can rebuild
    but OS X cannot. Please include either a pointer to the site.


    Cheers

    AGL

    --
  • Constantine Vasil at Jan 14, 2013 at 5:36 pm
    The "x509: certificate signed by unknown authority" message is now gone.

    If anyone wants to know, here is what I did:
    A) Generate a Certificate Signing Request for Apache 2.x
    Log in to your SSH terminal and type:
    openssl req -new -newkey rsa:2048 -nodes -keyout <mydomain>.com.key -out <mydomain>.csr -subj "/C=US/ST=CA/L=<my city>/CN=<mydomain>/O=<my company name>/OU=<my domain>"

    Generating a 2048 bit RSA private key
    ................................................................................................................................................................................................................+++
    .....................................................................................................................................+++
    writing new private key to '<mydomain>.key'
    -----
    List the directory:
    <your>-Mac:$ ls
    <mydomain>.csr <mydomain>.key

    B) Log in to GoDaddy, select the Starfield certificate authority, copy/paste
    <mydomain>.csr
    C) Download <mydomain>.com.crt
    D) Download sf_bundle.crt and sf_intermediate.crt from
    https://certs.starfieldtech.com/anonymous/repository.seam
    E) Perform the following steps:

    1. copy <mydomain>.com.crt <mydomain>.com-cert.pem
    2. cat sf_bundle.crt >> <mydomain>.com-cert.pem
    3. cat sf_intermediate.crt >> <mydomain>.com-cert.pem
    4. copy <mydomain>.key <mydomain>.com-key.pem

    Only when sf_intermediate.crt is added does the "x509: certificate signed by
    unknown authority" message go away.

    Still got these warnings from https://www.ssllabs.com/ssltest/index.html:
    BEAST attack: Vulnerable (INSECURE)
    Session resumption: No (IDs empty)

    Thank you for all responses. Now we have to get rid of all warnings.
    --
  • Patrick Mylund Nielsen at Jan 14, 2013 at 5:48 pm
    Sorry, I missed that you were using StarField. For GoDaddy you need to
    append the gd-bundle, for StarField, the sf-bundle. Glad you got it working.

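    The chain problem the thread has been circling, as an added example (mine, not
    code from the thread or from the Go project): a constructed root, intermediate
    and leaf are built in memory, and the leaf is verified against the root pool
    twice, once from a PEM file holding only the leaf and once after the
    intermediate is appended to it the way the cat >> steps above do. The CA names
    and the host www.example.test are made up; Go 1.18 or newer is assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a cert for subj signed by parent (nil parent: self-signed root); certs without DNS names are CAs.
func mkCert(subj string, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the CSPRNG fails
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subj},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dns, IsCA: dns == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), priv
}

// toPEM encodes one certificate as a PEM block, as found in a .crt or -cert.pem file.
func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// checkServerBundle verifies the first cert in a server's PEM file using only the certs after it as intermediates.
func checkServerBundle(bundle []byte, roots *x509.CertPool, host string) error {
	first, rest := pem.Decode(bundle) // the server's own certificate comes first
	leaf := must(x509.ParseCertificate(first.Bytes))
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(rest) // whatever `cat sf_bundle.crt >> cert.pem` appended
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
	return err
}

// demo (added example, not thread code; names and host are constructed) checks both file layouts.
func demo() (leafOnly, withIntermediate error) {
	root, rootKey := mkCert("Example Root CA", nil, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", nil, root, rootKey)
	leaf, _ := mkCert("www.example.test", []string{"www.example.test"}, inter, interKey)
	roots := x509.NewCertPool() // stands in for the client's OS root store
	roots.AddCert(root)
	return checkServerBundle(toPEM(leaf), roots, "www.example.test"),
		checkServerBundle(append(toPEM(leaf), toPEM(inter)...), roots, "www.example.test")
}

func main() {
	fmt.Println(demo()) // leaf only: "x509: certificate signed by unknown authority"; with intermediate: <nil>
}
```

    A client that does not fetch missing intermediates itself sees exactly the
    thread's error for the leaf-only file, which is why the fix is on the server side.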
  • Agl at Jan 16, 2013 at 12:13 am

    On Monday, January 14, 2013 12:36:51 PM UTC-5, Constantine Vasil wrote:

    Still got these warnings from https://www.ssllabs.com/ssltest/index.html:
    BEAST attack: Vulnerable (INSECURE)
    Session resumption: No (IDs empty)
    BEAST attack means that ssllabs wants you to prioritize RC4 over AES. You
    can do this via the tls.Config (http://golang.org/pkg/crypto/tls/#Config)
    by setting, say:

    tlsConfig.CipherSuites = []uint16{tls.TLS_RSA_WITH_RC4_128_SHA,
        tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}

    The session resumption bit isn't a warning - Go doesn't support session IDs.


    Cheers

    AGL

    --
  • Constantine Vasil at Jan 16, 2013 at 3:45 pm
    How do I use tlsConfig.CipherSuites if I am using this code?

    err := http.ListenAndServeTLS(listenAddr, "<myhost>-cert.pem",
        "<myhost>-key.pem", nil)
    --
  • Agl at Jan 16, 2013 at 5:32 pm

    On Wednesday, January 16, 2013 10:45:05 AM UTC-5, Constantine Vasil wrote:

    How do I use tlsConfig.CipherSuites if I am using this code?

    err := http.ListenAndServeTLS(listenAddr, "<myhost>-cert.pem",
        "<myhost>-key.pem", nil)
    There isn't a way to override the defaults with that function. But if you
    look at the source to that function (
    http://golang.org/src/pkg/net/http/server.go?s=33156:33247#L1112), you can
    reproduce those two lines, but set TLSConfig on the http.Server object that
    you create.


    Cheers

    AGL

    --
  • Constantine Vasil at Jan 16, 2013 at 11:26 pm
    I changed my code to:

    package main

    import (
        "crypto/tls"
        "log"
        "net/http"
    )

    const listenAddr = "0.0.0.0:443"

    func main() {
        // Offer the RC4 suites first, as suggested for the ssllabs BEAST warning.
        config := &tls.Config{
            CipherSuites: []uint16{
                tls.TLS_RSA_WITH_RC4_128_SHA,
                tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                tls.TLS_RSA_WITH_AES_128_CBC_SHA,
                tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            },
        }

        // Same two lines as http.ListenAndServeTLS, but with our own TLSConfig.
        server := &http.Server{Addr: listenAddr, TLSConfig: config}
        err := server.ListenAndServeTLS("<myserver>-cert.pem", "<myserver>-key.pem")
        if err != nil {
            log.Fatal(err)
        }
    }

    but still got the BEAST attack message.

    Could you please verify my code?
    --
  • Agl at Jan 17, 2013 at 5:29 pm

    On Wednesday, January 16, 2013 6:20:25 PM UTC-5, Constantine Vasil wrote:

    config := &tls.Config{
        CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA,
            tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
    }

    server := &http.Server{Addr: listenAddr, TLSConfig: config}

    err := server.ListenAndServeTLS("<myserver>-cert.pem", "<myserver>-key.pem")

    but still got the BEAST attack message.

    Could you please verify my code?
    Ah, sorry. We actually take the client's ciphersuite preferences so if the
    ssllabs client says that it prefers AES (which it looks like it does) then
    we'll pick that. I should add a UseServerCiphersuitePreferences to the
    tls.Config, but it's not there yet.


    Cheers

    AGL

    --
  • Agl at Jan 14, 2013 at 2:47 pm

    On Friday, January 11, 2013 9:27:39 PM UTC-5, Constantine Vasil wrote:

    Chain issues: Incomplete
    Secure Renegotiation: Not supported (ACTION NEEDED)
    Of these, the semi-important one is that we don't support renego ext. It
    doesn't affect the security of the server because we don't support
    renegotiation generally but, for the general good of the world, we should.
    If anyone wants to do this, you will almost certainly manage to do so
    before me!


    Cheers

    AGL

    --
  • Dave Cheney at Jan 16, 2013 at 12:19 am
    How did you install Go on your Mac? There have been reports that
    using Homebrew does not compile with cgo enabled, which may explain
    your issue.
    --
  • Constantine Vasil at Jan 16, 2013 at 4:17 pm
    I just did this:
    $ cd go/src
    $ ./all.bash
    --

Discussion Overview
group: golang-nuts @ golang.org
categories: go
posted: Jan 12, '13 at 1:51a
active: Jan 17, '13 at 5:29p
posts: 18
users: 4
