-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pulling system root CAs to validate doesn't work against the released copy of safe #113
Comments
Are you running Vault with a certificate signed by an authority you popped into your system chain? Trying to reproduce. |
Correct, it's an in-house Root CA that's in the system keychain as an always-trusted root.
… On Oct 31, 2017, at 10:18 AM, James Hunt ***@***.***> wrote:
Are you running Vault with a certificate signed by an authority you popped into your system chain? Trying to reproduce.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#113 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AG2SUgQ3zPv-GBRVSVc1b74ziM_Sv9K8ks5sxywxgaJpZM4QMzeD>.
|
Literally the only way around this seems to be building safe on darwin. |
@geofffranks have you seen golang/go#18141 and golang/go#18203? |
Similar code and support is in spruce, and working for us, though spruce is built via Golang 1.9 on Linux. Perhaps that will work here too? |
In that case try 0.5.0, since that should have been rebuilt with 1.9 |
Or maybe not. I'll have to talk to @thomasmmitchell since it seems per his commits to dockerfiles, we should be using 1.9 |
Ha! Turns out it's because the safe pipeline configuration was forcing 1.8. I bumped it to 1.9 and it's running through the pipeline now. If all goes well, I'll cut 0.5.1 with macOS cert support this morning. |
Initially, the |
I still think I'll be pinning versions for all my go pipelines, so that I can control when I want to deal with the fall-out of having to upgrade go versions. Apparently 1.9 is a little more picky (if you can believe it) than previous versions of the compiler / toolchain. |
@geofffranks try out 0.5.1, it seems to be working admirably in my test setup with a custom, mac-trusted CA and an issued cert. |
Thanks! Will give it a shot after the holiday
…Sent from my iPhone
On Nov 22, 2017, at 8:46 AM, James Hunt ***@***.***> wrote:
@geofffranks try out 0.5.1, it seems to be working admirably in my test setup with a custom, mac-trusted CA and an issued cert.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Yup, everything looks great here, thanks! |
Targeting a Vault with a custom root CA that's added to my system keychain as a trusted root still requires a
-k
to skip ssl verification, when using the released copy of safe. If I build a fresh copy using golang 1.9, it works as expected.Any chance we can update safe to build against v1.9, or determine why the released copy doesn't work as a hand-built copy?
The text was updated successfully, but these errors were encountered: