Pulling system root CAs to validate doesn't work against the released copy of safe #113
Comments
|
Are you running Vault with a certificate signed by an authority you popped into your system chain? Trying to reproduce. |
|
Correct, it's an in-house Root CA that's in the system keychain as an always-trusted root.
… On Oct 31, 2017, at 10:18 AM, James Hunt ***@***.***> wrote:
Are you running Vault with a certificate signed by an authority you popped into your system chain? Trying to reproduce.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#113 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AG2SUgQ3zPv-GBRVSVc1b74ziM_Sv9K8ks5sxywxgaJpZM4QMzeD>.
|
|
Literally the only way around this seems to be building safe on darwin. |
|
@geofffranks have you seen golang/go#18141 and golang/go#18203? |
|
Similar code and support is in spruce, and working for us, though spruce is built via Golang 1.9 on Linux. Perhaps that will work here too? |
|
In that case try 0.5.0, since that should have been rebuilt with 1.9 |
|
Or maybe not. I'll have to talk to @thomasmmitchell since it seems per his commits to dockerfiles, we should be using 1.9 |
|
Ha! Turns out it's because the safe pipeline configuration was forcing 1.8. I bumped it to 1.9 and it's running through the pipeline now. If all goes well, I'll cut 0.5.1 with macOS cert support this morning. |
|
Initially, the |
|
I still think I'll be pinning versions for all my go pipelines, so that I can control when I want to deal with the fall-out of having to upgrade go versions. Apparently 1.9 is a little more picky (if you can believe it) than previous versions of the compiler / toolchain. |
|
@geofffranks try out 0.5.1, it seems to be working admirably in my test setup with a custom, mac-trusted CA and an issued cert. |
|
Thanks! Will give it a shot after the holiday
…Sent from my iPhone
On Nov 22, 2017, at 8:46 AM, James Hunt ***@***.***> wrote:
@geofffranks try out 0.5.1, it seems to be working admirably in my test setup with a custom, mac-trusted CA and an issued cert.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Yup, everything looks great here, thanks! |
Targeting a Vault with a custom root CA that's added to my system keychain as a trusted root still requires a
-kto skip ssl verification, when using the released copy of safe. If I build a fresh copy using golang 1.9, it works as expected.Any chance we can update safe to build against v1.9, or determine why the released copy doesn't work as a hand-built copy?
The text was updated successfully, but these errors were encountered: