
I have a go program that connects to an internal API using the httpClient (it's all generated by swagger-codegen).

The internal API is using https and internal certificates with our internal CA.

On my Windows laptop, it works fine without specifying any CA.

On a Linux server, it fails with an x509: certificate signed by unknown authority error.

I believe our Windows corporate laptops have the CA installed by default, and that golang is able to get those CAs without any config.

Hence I would like to know where Go is checking for CAs on both Linux and Windows, so I could compare the setup between both OSes and install the correct CA on Linux.

gotson

  • Linux certs locations are defined here https://golang.org/src/crypto/x509/root_linux.go – Mukesh Sharma Nov 23 '18 at 09:57
  • Thanks, I found this in another answer, and the ones for Windows here: https://golang.org/src/crypto/x509/root_windows.go – gotson Nov 23 '18 at 10:00
  • Possible duplicate of [Where is Golang picking up root CAs from?](https://stackoverflow.com/questions/40051213/where-is-golang-picking-up-root-cas-from) – Mukesh Sharma Nov 23 '18 at 10:02
  • Yes, as stated in the answer, but it's only for Linux whereas I was also asking for Windows – gotson Nov 23 '18 at 10:05

2 Answers


For Windows: https://golang.org/src/crypto/x509/root_windows.go

For Linux: https://golang.org/src/crypto/x509/root_linux.go

Found via this SO answer.

Carson McManus
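Knowing where crypto/x509 reads roots from (the file list in root_linux.go, the system store on Windows via root_windows.go) explains the difference between the two machines, but the robust fix is to stop depending on what the OS store happens to contain. The following is an added example, not code from the question or either answer: it starts from x509.SystemCertPool(), appends the internal CA's PEM, and hands the resulting pool to the http.Transport the swagger-generated client uses. The CA and server certificate are minted in memory so the program runs offline; the hostname api.internal.example and the function names (NewRootPool, NewClient, VerifyChain, selfSignedPair) are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// NewRootPool returns the roots an HTTPS client should trust: the OS store that
// crypto/x509 loads (root_linux.go files, root_windows.go store) plus any extra
// PEM bundles, such as an internal CA.
func NewRootPool(extraPEM ...[]byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable OS store: trust only the extras
	}
	for i, bundle := range extraPEM {
		if !pool.AppendCertsFromPEM(bundle) {
			return nil, fmt.Errorf("extra bundle %d holds no parsable certificate", i)
		}
	}
	return pool, nil
}

// NewClient pins an *http.Client to the given roots; a swagger-generated client
// can be configured with it instead of http.DefaultClient.
func NewClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}},
	}
}

// VerifyChain runs the check the TLS handshake performs on a PEM leaf; with the
// CA missing it returns x509.UnknownAuthorityError, i.e. the error in the question.
func VerifyChain(leafPEM []byte, dnsName string, pool *x509.CertPool) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("leaf is not a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// selfSignedPair mints a throwaway CA and a server leaf it signs (constructed
// in memory for this example; stands in for the internal CA and the API cert).
func selfSignedPair(dnsName string) (caPEM, leafPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

func main() {
	const host = "api.internal.example" // constructed hostname
	caPEM, leafPEM, err := selfSignedPair(host)
	if err != nil {
		panic(err)
	}
	systemOnly, _ := NewRootPool()  // what the Linux server has
	withCA, _ := NewRootPool(caPEM) // internal CA appended
	fmt.Println("system roots only:", VerifyChain(leafPEM, host, systemOnly))
	fmt.Println("with internal CA: ", VerifyChain(leafPEM, host, withCA))
	_ = NewClient(withCA) // hand this to the generated API client
}
```

Two things worth knowing when comparing the two machines: on Linux, crypto/x509 also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so a server started with one of them set will read a different bundle than the files listed in root_linux.go; and the system pool is loaded once per process, so a CA installed after the program started is not picked up until it is restarted.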

To answer the Linux half of your question: Most Linux distributions come with strace, a utility for tracing system calls.

To start monitoring the server's file-related syscalls:

$ sudo strace -fp $MY_SERVER_PID -e trace=file

The server may only try to access the certificates the first time it attempts to initiate a secure connection, so it may be necessary to restart the server and start tracing it before the first connection. Another option is to start the server via strace:

$ sudo strace -f -e trace=file /usr/bin/my-server

If your tracing is successful, you will find something along the lines of

[pid 19691228] openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Grant Zvolsky