
I create an HTTP client and make an HTTP request with an attached (self-signed) cert object. I add InsecureSkipVerify: true to the client's TLSClientConfig to avoid errors.

Later I make another, unrelated request without a cert, which fails due to

x509: certificate signed by unknown authority

This goes away if I add InsecureSkipVerify: true to the new request, but I feel like I shouldn't have to because the second request has nothing to do with any kind of certification.

Can anyone tell me why the second, un-certified request might be throwing this error? I tried transport.CloseIdleConnections() after the first request finished, but that seemed to do no good.

first request:


// Standard-library imports used by this method. assist, certFilePath,
// keyFilePath, loginURL and s.loginPayload() come from the poster's own package.
import (
    "crypto/tls"
    "net/http"
)

func (s *loginSession) loginRequest() ([]byte, error) {
    // Client certificate presented to the login server (mutual TLS).
    cert, err := tls.LoadX509KeyPair(
        assist.PathToPackage()+certFilePath,
        assist.PathToPackage()+keyFilePath,
    )
    if err != nil {
        return nil, err
    }

    // A dedicated Transport for this request only; InsecureSkipVerify turns off
    // verification of the *server's* certificate, not anything about ours.
    trans := &http.Transport{
        DisableKeepAlives: true,
        TLSClientConfig: &tls.Config{
            Certificates:       []tls.Certificate{cert},
            InsecureSkipVerify: true,
        },
    }

    client := &http.Client{
        Transport: trans,
    }

    req, err := http.NewRequest("POST", loginURL, s.loginPayload())
    if err != nil {
        return nil, err
    }

    req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
    req.Header.Add("X-Application", s.applicationKey)

    resp, err := client.Do(req)
    if err != nil {
        return nil, err
    }
    // The response body must always be closed, or the connection leaks.
    defer resp.Body.Close()

    bodyBytes, err := assist.SafeJsonBytes(resp.Body)

    trans.CloseIdleConnections()

    return bodyBytes, err
}

Is there any reason why subsequent requests with different clients might contain the same cert for some reason?

Lewington
  • "the second request has nothing to do with any kind of certification." That can't be true if you get a x509 error. You understand that the error refers to the *server's* certificate, yes? Google the error message and plenty of results will come up. – Peter Apr 04 '19 at 07:37
  • Cheers Peter, I have googled the error message but nothing I found seemed to help me solve the issue. You're telling me though that the error indicates that the server is giving me a certificate in response to my next request, and that the error is caused by *that* certificate being self-signed? – Lewington Apr 04 '19 at 23:02
  • It doesn't have to be self-signed. It just means that whichever certificate signed (i.e. issued) the server's isn't in your trust store. [The error carries the untrusted certificate](https://golang.org/pkg/crypto/x509/#UnknownAuthorityError), so you can figure out if it's self-signed or not. If it is the SubjectKeyID and AuthorityKeyID are the same. – Peter Apr 04 '19 at 23:19
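The following program is an added example, not code from the question or from any of the commenters. It reproduces the situation Peter describes and shows the two things a practitioner would want from this thread: that `x509: certificate signed by unknown authority` is raised by the *client* verifying the *server's* certificate (the client cert in the question is irrelevant to it), and that the safe fix is to put the known certificate into `RootCAs` rather than setting `InsecureSkipVerify: true`. It also shows how to pull the offending certificate out of `x509.UnknownAuthorityError` and test whether it is self-signed, using the SubjectKeyId/AuthorityKeyId comparison from the comment plus a definitive self-signature check. Everything is constructed in memory: the self-signed certificate, the `httptest` server, and the function names (`newSelfSignedServerCert`, `inspectUnknownAuthority`, `fetch`, `runDemo`) are all this example's own. An empty `x509.NewCertPool()` stands in for a system trust store that does not contain the server's certificate, so the result is the same on every platform.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedServerCert builds an in-memory self-signed certificate for 127.0.0.1
// (constructed test data). SubjectKeyId and AuthorityKeyId are set to the same
// constructed value, as in a typical openssl-generated self-signed certificate.
func newSelfSignedServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	keyID := []byte("constructed-key-id")
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "self-signed test server"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:    []net.IP{net.IPv4(127, 0, 0, 1)},
		SubjectKeyId:   keyID,
		AuthorityKeyId: keyID,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// inspectUnknownAuthority reports whether err (as returned by http.Client) wraps an
// x509.UnknownAuthorityError and, if so, whether the certificate the server presented
// (carried in the error's Cert field) is self-signed.
func inspectUnknownAuthority(err error) (untrusted, selfSigned bool) {
	var uae x509.UnknownAuthorityError
	if !errors.As(err, &uae) || uae.Cert == nil {
		return false, false
	}
	c := uae.Cert
	// Heuristic from the comment thread: equal SubjectKeyId and AuthorityKeyId.
	sameKeyIDs := len(c.SubjectKeyId) > 0 && bytes.Equal(c.SubjectKeyId, c.AuthorityKeyId)
	// Definitive test: issuer equals subject and the signature verifies under the cert's own key.
	verifiesItself := bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	return true, sameKeyIDs || verifiesItself
}

// fetch performs one GET with its own Transport, as the question's code does, so no
// TLS state is shared between calls. roots is this client's trust store.
func fetch(url string, roots *x509.CertPool) error {
	trans := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	defer trans.CloseIdleConnections()
	client := &http.Client{Transport: trans, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// runDemo starts a server with a self-signed certificate and makes two requests: one
// that explicitly trusts that certificate, one whose trust store does not contain it.
func runDemo() (trustedOK, untrusted, selfSigned bool, err error) {
	tlsCert, serverCert, err := newSelfSignedServerCert()
	if err != nil {
		return false, false, false, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{tlsCert}}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // the second request's handshake failure is expected
	srv.StartTLS()
	defer srv.Close()

	pool := x509.NewCertPool() // explicit trust in the known cert, instead of InsecureSkipVerify
	pool.AddCert(serverCert)
	trustedOK = fetch(srv.URL, pool) == nil
	untrusted, selfSigned = inspectUnknownAuthority(fetch(srv.URL, x509.NewCertPool()))
	return trustedOK, untrusted, selfSigned, nil
}

func main() {
	trustedOK, untrusted, selfSigned, err := runDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("pinned client ok: %v; other client got UnknownAuthorityError: %v (self-signed: %v)\n",
		trustedOK, untrusted, selfSigned)
}
```

The second client fails for exactly the reason in the question: it builds its verification chain from its own trust store, finds no issuer for the server's certificate, and rejects it; nothing from the first client's Transport or client certificate is involved. In production the `RootCAs` pool would be loaded from the operator's CA file, which keeps verification on while trusting the private CA.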

0 Answers