I would like to use an alternate CA for a go mod download or go get command.
I do not want to add the certificate authority (CA) to the system's permanent store of trusted certificate authorities.
One use case for this is an IT department that runs some TLS traffic through a system such as Cisco Umbrella that has its own CA that is not a default CA in the system's default bundled CA store (such as /etc/ssl/certs/ca-bundle.crt on some Linux distributions, or the bundled CAs built in to a browser such as Firefox or Chrome). Another use case would be deployment of go modules signed by a trusted internal certificate authority.
I recently experienced the first use case:
$ go mod download -x all
.
.
# get https://proxy.golang.org/golang.org/x/term/@v/v0.3.0.mod: Get "https://proxy.golang.org/golang.org/x/term/@v/v0.3.0.mod": x509: certificate signed by unknown authority
I am looking for the way to tell go to use an additional CA cert - the equivalent of wget's --ca-certificate:
wget --ca-certificate Cisco_Umbrella_Root_CA.cer https://proxy.golang.org/golang.org/x/crypto/@v/v0.4.0.mod
Update: I tried using SSL_CERT_DIR based on the comment from @Ouroborus and Where is Golang picking up root CAs from?. Same results:
env SSL_CERT_FILE=/usr/ports/security/age/tmp/20221230/Cisco_Umbrella_Root_CA-plus-sys.crt go mod download -x all
.
.
# get https://proxy.golang.org/golang.org/x/crypto/@v/v0.4.0.mod: Get "https://proxy.golang.org/golang.org/x/crypto/@v/v0.4.0.mod": x509: certificate signed by unknown authority
That file is a 'PEM certificate' according to file(1). And it works when I feed it to wget (as described above). The go docs for SSL_CERT_FILE aren't clear (to me) what it expects for the file format, or I missed where that is specified.
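The following is an added example, not part of the question above and not code from the Go project. It shows what Go's crypto/x509 actually requires of the file named by SSL_CERT_FILE: on Linux and the BSDs the go command (itself a Go program) loads that file into the root pool with the same logic as x509.CertPool.AppendCertsFromPEM, which accepts only PEM blocks of type "CERTIFICATE" with no PEM headers and silently skips anything else (DER files, "TRUSTED CERTIFICATE" blocks from openssl x509 -trustout, blocks with headers). When SSL_CERT_FILE is set it replaces the default root list rather than extending it, so the file must contain both the intercepting CA and the normal public roots. InspectBundle reports what a bundle would contribute; VerifyAgainstBundle reproduces the "certificate signed by unknown authority" failure against an empty pool and the success once the right root is present. The CA, leaf and hostname proxy.example.test are constructed fixtures, not real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BundleReport records what x509.CertPool.AppendCertsFromPEM would take from a
// bundle; file(1) saying "PEM certificate" does not guarantee Go loads anything.
type BundleReport struct {
	Accepted int      // blocks that would land in the CertPool
	Skipped  []string // why the remaining blocks would be ignored
}

// InspectBundle walks the PEM blocks in data applying the same acceptance
// rules as crypto/x509: type "CERTIFICATE", no headers, parseable DER inside.
func InspectBundle(data []byte) BundleReport {
	var r BundleReport
	for rest := data; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		switch {
		case block.Type != "CERTIFICATE":
			r.Skipped = append(r.Skipped, "block type "+block.Type+" is not CERTIFICATE")
		case len(block.Headers) != 0:
			r.Skipped = append(r.Skipped, "CERTIFICATE block carries PEM headers")
		default:
			if _, err := x509.ParseCertificate(block.Bytes); err != nil {
				r.Skipped = append(r.Skipped, "undecodable certificate: "+err.Error())
			} else {
				r.Accepted++
			}
		}
	}
	// No PEM block at all: a DER-encoded certificate is the usual cause.
	if r.Accepted == 0 && len(r.Skipped) == 0 {
		if _, err := x509.ParseCertificate(data); err == nil {
			r.Skipped = append(r.Skipped, "file is a DER certificate, not PEM")
		}
	}
	return r
}

// VerifyAgainstBundle loads bundlePEM into a fresh CertPool (as Go does with the
// SSL_CERT_FILE contents) and verifies leaf for host against it. An empty pool
// yields x509.UnknownAuthorityError, printed by the go command as "x509:
// certificate signed by unknown authority".
func VerifyAgainstBundle(leaf *x509.Certificate, bundlePEM []byte, host string) error {
	pool := x509.NewCertPool()
	if len(bundlePEM) > 0 && !pool.AppendCertsFromPEM(bundlePEM) {
		return errors.New("bundle contains no usable CERTIFICATE blocks")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// MakeFixture builds a constructed, throwaway root CA and a server leaf for the
// made-up host proxy.example.test so the example runs offline; neither is real.
func MakeFixture() (caPEM []byte, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER) // parsed parent so the leaf gets an AuthorityKeyId
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "proxy.example.test"},
		DNSNames:  []string{"proxy.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

func main() {
	caPEM, leaf := MakeFixture()
	fmt.Printf("bundle: %+v\n", InspectBundle(caPEM))
	fmt.Println("with CA in pool:", VerifyAgainstBundle(leaf, caPEM, "proxy.example.test"))
	fmt.Println("with empty pool:", VerifyAgainstBundle(leaf, nil, "proxy.example.test"))
}
```

To apply this to a real bundle, read the SSL_CERT_FILE path with os.ReadFile and pass it to InspectBundle; a non-zero Skipped list or Accepted of 0 explains the go command's error before any network access is involved. The leaf in practice comes from tls.ConnectionState.PeerCertificates[0] of a connection to the proxy, and the root that must be in the bundle is whichever CA issued that intercepted chain.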