go: crypto/tls: go get failed on Mac with "x509: certificate signed by unknown authority"

Please answer these questions before submitting your issue. Thanks!

What did you do?

If possible, provide a recipe for reproducing the error. A complete runnable program is good. A link on play.golang.org is best. $ go get -d k8s.io/kubernetes
package k8s.io/kubernetes: unrecognized import path “k8s.io/kubernetes” (https fetch: Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority)

What did you expect to see?

Packages can be pulled down and installed directly

What did you see instead?

The x509 certificate error prevents everything

System details

go version go1.10 darwin/amd64
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/phye/Library/Caches/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Volumes/gitws/go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.10/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.10/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/ch/0fcsjfy14kd6jgpzwky0ggvm0000gn/T/go-build042818790=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.10 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.10
uname -v: Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64
ProductName:	Mac OS X
ProductVersion:	10.13.3
BuildVersion:	17D102
lldb --version: lldb-900.0.64
  Swift-4.0

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

@adamdecaf, somehow I found two DST Root CA X3,O=Digital Signature Trust Co in my keychain access, one is in system keychains, another is in system roots. After I removed the one in system keychains, the other one in system roots becomes valid automatically! Unbelievable!

Anyway, I can go get -d k8s.io/kubernetes now!

Thanks so much for your help!

+4
phye on Mar 3, 2018

@phye Sure thing! Glad we didn’t find a bug.

The System.keychain is useful to modify trust of certificates across all users on a Mac.

@bradfitz (or someone) could you close this out?

https://golang.org/cl/97801 helped debug the problem here and would be nice to get merged.

+1
adamdecaf on Mar 3, 2018
Read more comments on GitHub
← go: crypto/tls: expose all presented certs in error type on handshake failure
go: crypto/tls: handshake fails with EOF →