I am trying to validate a self-signed certificate issued by a local Root CA. My application also has the same Root CA. I am using a proxy service to reach the server. The basic role of the proxy service is simply redirecting the request to the server. Below is the code I am trying to use:
package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"log"
	"net/http"
)

// PEM-encoded local Root CA certificate, embedded in the binary.
const localCertFile = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`

func main() {
	insecure := flag.Bool("insecure-ssl", false, "Accept/Ignore all server SSL certificates")
	flag.Parse()

	// Start from the system trust store and add the local Root CA to it.
	rootCA, err := x509.SystemCertPool()
	if err != nil || rootCA == nil {
		rootCA = x509.NewCertPool()
	}
	/*cert, err := ioutil.ReadFile(localCertFile)
	if err != nil {
		log.Fatalf("Failed to append %q to RootCAs: %v", localCertFile, err)
	}*/
	if ok := rootCA.AppendCertsFromPEM([]byte(localCertFile)); !ok {
		log.Println("No certs appended, using system certs only")
	}

	config := &tls.Config{
		InsecureSkipVerify: *insecure,
		RootCAs:            rootCA,
		//ServerName: "trust.170918167.comsubjectKeyIdentifier = hash",
	}
	tr := &http.Transport{TLSClientConfig: config}
	client := &http.Client{Transport: tr}

	req, err := http.NewRequest(http.MethodGet, "https://cmm-register.default.svc.cluster.local:7070/MediaManager/ws/sysconfig", nil)
	if err != nil {
		log.Fatal(err)
	}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()
	log.Println(resp)

	// Error when ServerName is disabled:
	// Get https://service:7070/sysconfig: x509: certificate is valid for trust.170918167.comsubjectKeyIdentifier = hash, not service
	// When ServerName is set:
	// Get https://service:7070/sysconfig: x509: certificate signed by unknown authority (possibly
	// because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "cloud-trustca.test.com")
}
So how do I fix this issue, as I need to validate the server certificate using the same CA? When I try to use openssl to verify the server certificate, it gets validated properly using the same root CA.
Currently I am using Go v1.9.
I see a couple of problems with the CA cert you posted already, but it is hard to diagnose without the server certificate issued from it as well. The SAN names on that will need to match the hostnames your client is hitting, and it seems they might not.
Looking at the flags on that cert (using this site works), it looks like that CA cert does not have the CA bit set, and so will not be a valid issuer for any child certs. You need a root certificate with that extension enabled, and then you can generate valid certs from it.
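The two failure modes in the answer (a root without the cA basic constraint, and a leaf whose SANs do not cover the hostname) can be reproduced and checked offline with Go's own crypto/x509 package. The program below is an added example, not code from the question or the answer: it generates a throwaway root and server certificate in memory, runs the same chain building and hostname matching that tls.Config{RootCAs: ...} performs, and classifies the resulting error. The CA name "Example Local Root CA" is constructed; the hostname is the one from the question's URL, and "service" stands in for the proxy name in the question's error text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert signs tmpl with parentKey and parses the result; parent == tmpl yields a self-signed cert.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates a root CA and a server (leaf) certificate issued by it.
// isCA controls the BasicConstraints cA flag on the root; leafDNS becomes the
// leaf's Subject Alternative Names, which is what Go matches the hostname against.
func BuildChain(isCA bool, leafDNS []string) (*x509.Certificate, *x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Local Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA, // false reproduces "parent certificate cannot sign this kind of certificate"
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafDNS[0]},
		DNSNames:     leafDNS, // SANs: the CN alone is not matched by current Go versions
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := signCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// VerifyLeaf does what the TLS client does with RootCAs set: build a chain to the
// supplied root and check that hostname appears in the leaf's SANs.
func VerifyLeaf(root, leaf *x509.Certificate, hostname string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

// ClientTLSConfig trusts only the local root and leaves InsecureSkipVerify at its false default.
func ClientTLSConfig(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool}
}

// Diagnose maps a verification error onto the two failure modes seen in the question.
func Diagnose(err error) string {
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // "certificate is valid for X, not Y"
		return "hostname not in SANs"
	case x509.UnknownAuthorityError: // "signed by unknown authority (possibly because of ...)"
		return "issuer not trusted or not a CA"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	host := "cmm-register.default.svc.cluster.local" // hostname from the question's URL
	cases := []struct {
		name string
		isCA bool
		host string
	}{
		{"proper CA, SAN matches", true, host},
		{"proper CA, SAN mismatch", true, "service"},
		{"root without cA flag", false, host},
	}
	for _, tc := range cases {
		root, leaf, err := BuildChain(tc.isCA, []string{host})
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-26s -> %s\n", tc.name, Diagnose(VerifyLeaf(root, leaf, tc.host)))
	}
}
```

Running it prints "ok" for the first case and the two classified failures for the others; the third case's underlying error text is the same "certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" ...)" that the question reports, which is how Go surfaces a trust anchor whose basic constraints do not assert cA.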