I’m trying to find the right configuration for tls.Config - both on the client-side and the server-side that satisfies the following constraints:
- We generate separate certificates from a CA - one for the client and a distinct and separate one for the server
- Certificates are generated using golang x509.CreateCertificate - not openssl.
- Client’s tls.Config must specify that InsecureSkipVerify is false
- Server’s tls.Config must specify that ClientAuth is RequireAndVerifyClientCert
I’ve not been able to generate certificates that satisfy this set of constraints and allow a connection to occur. The closest I have come is when I use the CA cert for both the client and the server - all works between the client and the server only in that case.
If I generate a CA cert and use it to create and sign the server, and generate a client cert signed by the CA Cert - I fail with:
failed to connect: x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificate “localhost”).
Same error occurs if the client uses the CA Cert to connect to the server (when the server uses a Cert generated and signed by the CA).
When I tell the server to use the CA Cert for the server, and the client uses a cert generated and signed by the CA, I fail AFTER the Dial when I attempt to read on the connection with:
Err reading on conn: remote error: tls: bad certificate
Only when the server and the client use the IDENTICAL certificate will the client and server connect and exchange data.
All thoughts and ideas welcome. I can post a git repo if anyone wants to dive in and take a peek. Fair warning - I’m doing this to demonstrate dynamic certificate generation with dynamic tls.Config and validation using GetConfigForClient and VerifyPeerCertificate using a custom validator.
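As an added example (not the poster's code), the program below builds a CA with x509.CreateCertificate, issues two distinct certificates signed by it, and completes a mutual TLS handshake with InsecureSkipVerify left false on the client and RequireAndVerifyClientCert on the server; both sides trust only the CA. The names, the Ed25519 keys and the in-memory net.Pipe transport are choices of this example, and the comments mark the CreateCertificate arguments and extended key usages that Go's verifier checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a certificate for cn with a fresh Ed25519 key. signer/signerKey are the CA's
// cert and key: CreateCertificate's parent and priv belong to the SIGNER, pub to the new subject.
func newCert(cn string, isCA bool, signer *x509.Certificate, signerKey ed25519.PrivateKey, eku ...x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself fails
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, // leaf EKU must match its role
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{"localhost"},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // verifier rejects a CA without CertSign
	if signer == nil { signer, signerKey = tmpl, key }  // nil signer: self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // freshly encoded DER, parse cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert
}
// mutualTLS handshakes over an in-memory pipe and returns the client CN the server verified.
func mutualTLS() (string, error) {
	ca, caCert := newCert("demo-ca", true, nil, nil) // CA has no EKU, so it may sign both roles
	srv, _ := newCert("localhost", false, caCert, ca.PrivateKey.(ed25519.PrivateKey), x509.ExtKeyUsageServerAuth)
	cli, _ := newCert("client", false, caCert, ca.PrivateKey.(ed25519.PrivateKey), x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool() // trust anchor for both sides is the CA, not the peer's own cert
	pool.AddCert(caCert)
	a, b := net.Pipe()
	s := tls.Server(a, &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	c := tls.Client(b, &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: pool, ServerName: "localhost", InsecureSkipVerify: false})
	errc := make(chan error, 1)
	go func() { errc <- s.Handshake() }()
	if err := c.Handshake(); err != nil { return "", err } // server cert chain + hostname checked here
	if err := <-errc; err != nil { return "", err }       // client cert chain + ClientAuth EKU checked here
	return s.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
func main() {
	fmt.Println(mutualTLS()) // client <nil>
}
```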