GO https request, time did not serialize back to the original value

Question

I'm starting to learn golang and I'm trying to make a simple http client that will get a list of virtual machines from one of our oVirt clusters. The API that I'm trying to access has a self-signed certificate (auto generated during the cluster installation) and golang's http.client encounters a problem when serializing the time from the certificate. Below you can find the code and the output.

package main

import (
    "fmt"
    "io/ioutil"
    "net/http"
    "crypto/tls"
)

func do_request(url string) ([]byte, error) {

    // ignore self signed certificates
    transCfg := &http.Transport{
        TLSClientConfig: &tls.Config {
            InsecureSkipVerify: true,
        },
    }

    // http client 
    client := &http.Client{Transport: transCfg}

    // request with basic auth
    req, _ := http.NewRequest("GET", url, nil)
    req.SetBasicAuth("user","pass")
    resp, err := client.Do(req)

    // error?
    if err != nil {
        fmt.Printf("Error : %s", err)
        return nil, err

    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)
    return []byte(body), nil
}

func main() {

    body, _ := do_request("https://ovirt.example.com/")
    fmt.Println("response Status:", string(body))
}

and the error when I'm trying to compile:

$ go run http-get.go
Error : Get https://ovirt.example.com/: tls: failed to parse certificate from server: asn1: time did not serialize back to the original value and may be invalid: given "141020123326+0000", but serialized as "141020123326Z"response Status: 

Is there any way to ignore this verification? I tried making a request using other programming languages (python, ruby) and skipping insecure certificates seems to be enough.

Thank you!

PS: I know the proper solution is to change the certificate with a valid one, but for the moment I cannot do this.

Answer 1

Unfortunately, you've encountered an error that you cannot get around in Go. This is buried deep in the cypto/x509 and encoding/asn1 packages without a way to ignore. Specifically, asn1.parseUTCTime is expecting the time format to be "0601021504Z0700", but your server is sending "0601021504+0000". Technically, that is a known format but encoding/asn1 does not support it.

There are only 2 solutions that I can come up with that do not require a code change for golang.

1) Edit the encoding/asn1 package in your go src directory and then rebuild all the standard packages with go build -a

2) Create your own customer tls, x509 and asn1 packages to use the format your server is sending.

Hope this helps.

P.S. I've opened an issue with the Go developers to see if it can resolved by them at some later point Issue Link

Possible ASN1 UtcTime Formats.