Welcome to WuJiGu Developer Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
889 views
in Technique[技术] by (71.8m points)

go - could not read from connection:remote error: tls: unknown certificate

I'm creating a low level HTTP/2 server in Go and for testing I want to use a self-signed certificate. I'm using openssl and this command to generate my certs:

    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -subj /CN=localhost -keyout private.pem -out cert.pem

All seems well, and when I curl -kv https://127.0.0.1:443 --http2-prior-knowledge I get this handshake

When I try to connect with Chrome I get this error code: NET::ERR_CERT_AUTHORITY_INVALID. Of course I choose to continue, but my server exits the connection with this: could not read from connection:remote error: tls: unknown certificate.

I have tried making different certs but no luck. How can I have a TLS connection with my server and chrome?

Here is how I set up TLS:

    cer, err := tls.LoadX509KeyPair("cert.pem", "private.pem")
    if err != nil {
        log.Println(err)
        return
    }

    config := &tls.Config{Certificates: []tls.Certificate{cer}}
    ln, err := tls.Listen("tcp", "localhost:443", config) 
    if err != nil {
        log.Println(err)
        return
    }
    defer ln.Close()

Question from: https://stackoverflow.com/questions/65838917/could-not-read-from-connectionremote-error-tls-unknown-certificate

Fight the dragon too long and you become the dragon yourself; gaze too long into the abyss and the abyss gazes back…

1 Answer

0 votes
by (71.8m points)

Chrome gives you NET::ERR_CERT_AUTHORITY_INVALID exactly because your certificate is self-signed. To make this work you would need to create your own CA (Certificate Authority), add it to Chrome as trusted, and then sign your server certificate with that CA (so that Chrome can verify the certificate was signed by a trusted CA).

See how to do it here: Getting Chrome to accept self-signed localhost certificate
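
The chain this answer describes, as an added Go example (not code from the original question or answer): a throwaway CA signs a localhost server certificate, and verification succeeds only for a client whose trust store holds that CA. The helper names, subject names and one-day validity are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only error handling
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent using signer and gives it a short validity window.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// localChain builds a throwaway CA and a localhost server certificate signed by it.
func localChain() (ca, leaf *x509.Certificate) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Dev CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root: the only certificate a client must trust
	return ca, sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
}

// trusts verifies leaf for host the way a client whose trust store holds only root would.
func trusts(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, leaf := localChain()
	other, _ := localChain() // same subject name, different key: did not sign leaf
	fmt.Println("issuing CA trusted:", trusts(ca, leaf, "localhost"), "| unrelated CA trusted:", trusts(other, leaf, "localhost"))
}
```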

