Golang HTTP x509: certificate signed by unknown authority error


Problem description

I am creating a client app using Golang 1.9.2 and I am having some trouble accessing my backend. The thing is that my app is working fine in the latest versions of Windows and Linux; however, when I run it on Windows XP (yes, unfortunately I do have to support Windows XP, because some of our customers refuse to upgrade their OS) I get this error while trying to execute an HTTP GET and an HTTP POST: x509: certificate signed by unknown authority.

I've run the same GET command using a Firefox ESR browser and a Chromium browser from inside Windows XP, and neither of them complains about the certificate.

Please note that my certificate is valid and signed by a trusted authority.

I've done some research and I found out that some people had the same problem and solved it by ignoring the TLS validation using this:

import (
    "crypto/tls"
    "net/http"
)

// InsecureSkipVerify: true turns certificate verification off for this client.
tr := &http.Transport{
    TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
resp, err := client.Get("https://someurl:443/")

So I added this to my code, but it is still not working:

// NewAPIClient - creates a new API client
func NewAPIClient() Client {
    c := &APIClient{}

    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    }
    c.client = &http.Client{Transport: tr}
    return c
}

// GetTasks - retrieves a list of tasks from the backend.
func (c *APIClient) GetTasks() ([]byte, error) {
    conf := config.GetInstance()
    url := fmt.Sprintf("%s/myurl", conf.GetConfig().APIUrl)

    req, err := http.NewRequest(http.MethodGet, url, nil)
    if err != nil {
        log.WithError(err).Errorf("Error creating HTTP request")
        return nil, err
    }

    // Add headers
    req.Header.Add("Authorization", conf.GetConfig().APIToken)
    req.Header.Add("Accept", "application/json")

    log.Info("Retrieving tasks from the API")
    resp, err := c.client.Do(req)
    if err != nil {
        log.WithError(err).Errorf("Error retrieving tasks from the backend")
        return nil, err
    }
    defer resp.Body.Close()

    if resp.StatusCode != 200 {
        errMsg := fmt.Sprintf("Received status: %s", resp.Status)
        err = errors.New(errMsg)
        log.WithError(err).Error("Error retrieving tasks from the backend")
        return nil, err
    }

    tasks, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        log.WithError(err).Error("Error reading tasks response body")
        return nil, err
    }

    log.Info("The tasks were successfully retrieved")

    return tasks, nil
}

Is there another way to solve this problem, without having to ignore the certificate validation? If not, what am I doing wrong in my code?

Recommended answer

Golang uses the OS certificate store. The following comment indicates Go uses the Windows store on Windows, similar to Linux.

// CertGetCertificateChain will traverse Windows's root stores in an attempt to build a verified certificate chain

This comment and the associated code are in the following file:

https://golang.org/src/crypto/x509/root_windows.go

Add the server certificate, Intermediate CA certificate and/or Root CA certificate to the Windows XP certificate store. You can use the following Windows XP instructions posted by IBM:

Procedure

  1. From Windows XP, select Start > Run to open the command line.
  2. Type mmc into the Run dialog box and click OK to run the Microsoft Management Console (MMC).
  3. From within MMC, select File > Add/Remove Snap-in.
  4. Click Add.
  5. Click Certificates.
  6. Click My user account.
  7. Click Finish.
  8. Click Close on the Add Standalone Snap-in dialog box.
  9. Click OK on the Add/Remove Snap-in dialog box.

Reference: https://www.ibm.com/docs/en/b2b-integrator/5.2?topic=xp-install-root-certificate-in-windows

GlobalSign and Securly provide similar instructions for more modern versions of Windows, but the IBM link above is specifically for Windows XP. The Securly docs below also include screenshots.

  • Import and Export Certificate - Microsoft Windows
  • How do I manually install the Securly SSL certificate on Windows - includes screen shots
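
The behaviour the answer describes, as an added example that is not part of the original question or answer: the same x509 error appears when the issuing certificate is missing from the client's root pool and disappears once it is added, with verification left on. It goes one step beyond the answer by supplying the roots through tls.Config.RootCAs instead of the OS certificate store. The local httptest server stands in for the backend, and get, isUnknownAuthority and demo are names made up for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// get fetches url with a client whose TLS trust is defined only by cfg and
// returns the status code, or the handshake/transport error.
func get(url string, cfg *tls.Config) (int, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isUnknownAuthority reports whether err is the x509 "unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo starts a local test server (constructed; it stands in for the backend) and
// connects twice: with an empty root pool, then with the server's certificate added.
func demo() (errWithout error, statusWith int, errWith error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "[]")
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	_, errWithout = get(srv.URL, &tls.Config{RootCAs: pool}) // root missing: handshake fails

	pool.AddCert(srv.Certificate()) // the test server's self-signed certificate
	statusWith, errWith = get(srv.URL, &tls.Config{RootCAs: pool})
	return
}

func main() {
	errWithout, status, errWith := demo()
	fmt.Println("empty pool:", errWithout, "| unknown authority:", isUnknownAuthority(errWithout))
	fmt.Println("CA in pool:", status, errWith)
}
```

InsecureSkipVerify stays at its default of false in both requests, so the second one succeeds only because the chain verifies against the supplied pool.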
