I am creating a Go TCP server (NOT HTTP/HTTPS) and I am trying to configure it to use SSL. I have a free StartCom SSL certificate that I am trying to use for this. My server code is as follows:
    package main

    import (
        "crypto/tls"
        "crypto/x509"
        "fmt"
        "io/ioutil"
        "net"
    )

    func main() {
        // Server certificate and private key issued by StartCom.
        cert, err := tls.LoadX509KeyPair("example.com.pem", "example.com.key")
        if err != nil {
            fmt.Println("Error loading certificate. ", err)
        }
        // StartCom class 1 intermediate CA.
        trustCert, err := ioutil.ReadFile("sub.class1.server.ca.pem")
        if err != nil {
            fmt.Println("Error loading trust certificate. ", err)
        }
        // StartCom root CA.
        validationCert, err := ioutil.ReadFile("ca.pem")
        if err != nil {
            fmt.Println("Error loading validation certificate. ", err)
        }
        certs := x509.NewCertPool()
        if !certs.AppendCertsFromPEM(validationCert) {
            fmt.Println("Error installing validation certificate.")
        }
        if !certs.AppendCertsFromPEM(trustCert) {
            fmt.Println("Error installing trust certificate.")
        }
        // RootCAs is the pool a TLS client consults when verifying a server; the
        // chain this server sends to its clients comes only from Certificates.
        sslConfig := tls.Config{RootCAs: certs, Certificates: []tls.Certificate{cert}}

        service := ":5555"
        tcpAddr, err := net.ResolveTCPAddr("tcp", service)
        if err != nil {
            fmt.Println("Error: Could not resolve address")
            return
        }
        netListen, err := tls.Listen(tcpAddr.Network(), tcpAddr.String(), &sslConfig)
        if err != nil {
            fmt.Println(err)
            return
        }
        defer netListen.Close()
        for {
            fmt.Println("Waiting for clients")
            connection, err := netListen.Accept()
            if err != nil {
                fmt.Println(err)
                continue
            }
            // The handling of the accepted connection was cut off in the post.
            connection.Close()
        }
    }
I tried switching the order of the certificates, leaving out some of the certificates, etc., but the output from openssl s_client -CApath /etc/ssl/certs/ -connect localhost:5555 remains essentially the same: verify error:num=20:unable to get local issuer certificate. See here for the complete output. It seems I am doing something wrong with the intermediate certificates, but I have no idea what. I have been working on this for several days, with a lot of googling and SO'ing, but nothing seemed to fit my situation. I have installed plenty of certificates in Apache and HAProxy, but this one really puzzles me.
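The following is an added example, not the asker's code and not StartCom's files. It builds a throwaway root / intermediate / leaf PKI in memory and runs a tls.Listen server twice: once presenting only the leaf certificate, which is what a tls.Certificate loaded from a file containing just the server certificate holds, and once presenting leaf plus intermediate. A client that trusts only the root fails the first handshake and accepts the second, which is the same distinction openssl s_client reports as verify error 20. The CA names and the hostname example.com are made up. With real files, the equivalent fix is to append the intermediate PEM after the server certificate in the file handed to tls.LoadX509KeyPair, which reads every certificate in that file into the chain; the RootCAs field of a server config does not add anything to what the server sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template; the subject names are made up for this example.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"example.com"} // hostname is an assumption of this example
	}
	return t
}

// issue signs tmpl with the parent's key; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Chains creates a root -> intermediate -> leaf PKI and returns two server credentials:
// leafOnly presents just the server certificate, withIntermediate also presents the
// issuing CA. It also returns the root that the client will trust.
func Chains() (leafOnly, withIntermediate tls.Certificate, root *x509.Certificate) {
	rootCert, rootKey := issue(newTemplate("Test Root CA", 1, true), nil, nil)
	inter, interKey := issue(newTemplate("Test Intermediate CA", 2, true), rootCert, rootKey)
	leaf, leafKey := issue(newTemplate("example.com", 3, false), inter, interKey)

	leafOnly = tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	// Chain order matters: the leaf first, then each issuer up to (not including) the root.
	withIntermediate = tls.Certificate{Certificate: [][]byte{leaf.Raw, inter.Raw}, PrivateKey: leafKey}
	return leafOnly, withIntermediate, rootCert
}

// Handshake serves one TLS connection with serverCred on a loopback port and connects a
// client that trusts only root; it returns the client's handshake error (nil = chain verified).
func Handshake(serverCred tls.Certificate, root *x509.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCred}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		c.(*tls.Conn).Handshake() // server side; a client rejecting the chain errors out here
	}()
	pool := x509.NewCertPool()
	pool.AddCert(root)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "example.com"})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	leafOnly, withIntermediate, root := Chains()
	fmt.Println("leaf only:        ", Handshake(leafOnly, root))
	fmt.Println("with intermediate:", Handshake(withIntermediate, root))
}
```

The same check can be run against a real deployment: point openssl s_client at the port with -CAfile set to the root alone, and the verify result will be 0 only when the server's Certificates chain includes the intermediate.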