How can I make Go accept a self-signed certificate for TLS client authentication?

Question

I'm working with AWS API Gateway and a Go back end. In order to ensure all connections are going through API Gateway, I need to use TLS client authentication (aka two-way authentication, mutual authentication).

In principle, this works with something like:

func enableClientAuth(server *http.Server, clientCertFile string) error {
    clientCert, err := ioutil.ReadFile(clientCertFile)
    if err != nil {
        return err
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(clientCert)

    tlsConfig := &tls.Config{
        ClientAuth: tls.RequireAndVerifyClientCert,
        ClientCAs:  caCertPool,
    }
    tlsConfig.BuildNameToCertificate()
    server.TLSConfig = tlsConfig
    return nil
}

The problem I'm having is this error:

tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "ApiGateway")

This seems to be because the client certificate is self-signed, but is not a CA certificate, Go will not accept the signature. (Doesn't this defeat the purpose of a self-signed certificate? Most self-signed certs I have seen are not CA certs.) Unfortunately, I have no control over how the client certificate is generated or sent; it is all done by AWS. Is there something I can do to get a certificate in the ClientCAs cert pool that will cause Go to accept the API Gateway client certificate?

Example client certificate:

-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIISIIYdm+rIgMwDQYJKoZIhvcNAQELBQAwNDELMAkGA1UE
BhMCVVMxEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAMTCkFwaUdhdGV3YXkwHhcN
MTYwMzMwMTgxNTE4WhcNMTcwMzMwMTgxNTE4WjA0MQswCQYDVQQGEwJVUzEQMA4G
A1UEBxMHU2VhdHRsZTETMBEGA1UEAxMKQXBpR2F0ZXdheTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALVVG0Ng8IbDy0tdw2yp2GHXYV8jDPJxsRXAstZ+
5N4ngG/ySPyv1i2OOvzKqUNzyKptsUbgtG/0XDWRI0qDATrsxXH6xy8lBeRZHNi4
ko6EP9BevyxB5YtoKqEoXbKAn4/hNWmac8tnENkLww0qFpPOhtxb0B2DHv+lkqZo
qBBBBZQ5Dal95h0cpUwoLRr5w3HsYzPcX1OUtQ/5cH0M0p/XvkB4jrZxsh1aQGsf
B9+temIJJtKvmmZ0C/dZ+neJhA+I526eUENeqmm5R1irM7sj4FDaU4bLR+L/+R6s
KtDLT4jPqf5vFYfMuEmyk4b5TBATJxAA47Y+gRFRe6Aon0ECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAmFdXuy5Y6zdrIZHd7XCt/Q6jsU3hFGaEGRbDEFBwh6ixz58e
1egiUnIeUWZTFSzjQSY3IhYE7dvW+BVkjdLybhB3rim29Fb67AkBtRmQOLnHz426
bflOG46BSwNTvIEytOr0O6ds49bD34UrHELUCGmHJqIhBSrVCFOCwlf/Mksw9jxD
xo/YmJe2R4xNklvxWiFHOXrnGwrJ9yaWeQnCkRZBzfFLSZ26/fBnbkYUGn0lmtoB
e/rg/rgpwufbkhXA6CFX7adnLUKWqZgbmL5dpvLu9vB34ebfo4vE+o7AsgdloHBV
obcSyrLbZp25k/SlbOhSAqjjW1NaF+YypTxHFA==
-----END CERTIFICATE-----

Answer 1

@JohnWeldon's comment led me to the solution, which is that I need to modify the client Certificate struct after I load it. This requires decoding the PEM and parsing out the certificate. For the API Gateway client certificate, I had to set BasicConstraintsValid and IsCA to true and KeyUsage to KeyUsageCertSign; for my locally generated cert I only needed the latter two. Modifying the enableClientAuth() func in my question:

func enableClientAuth(server *http.Server, clientCertFile string) error {
    pemBytes, err := ioutil.ReadFile(clientCertFile)
    if err != nil {
        return err
    }

    pemBlock, _ := pem.Decode(pemBytes)
    clientCert, err := x509.ParseCertificate(pemBlock.Bytes)
    if err != nil {
        return err
    }

    clientCert.BasicConstraintsValid = true
    clientCert.IsCA = true
    clientCert.KeyUsage = x509.KeyUsageCertSign

    caCertPool := x509.NewCertPool()
    caCertPool.AddCert(clientCert)

    tlsConfig := &tls.Config{
        ClientAuth: tls.RequireAndVerifyClientCert,
        ClientCAs:  caCertPool,
    }
    tlsConfig.BuildNameToCertificate()
    server.TLSConfig = tlsConfig
    return nil
}