How to perform https request with go against incomplete TLS certificate?

Tags: ssl, go, x509

I'm trying to make an HTTPS request in Go against a URL which has an incomplete TLS certificate chain. Here's the relevant portion from the Qualys test tool, which shows the certificate chain is missing "Symantec Class 3 Secure Server CA - G4":

SSL report screengrab

Most browsers do cope with this, presumably because they have the Symantec cert preloaded? A simple golang example, however, will fail with the error x509: certificate signed by unknown authority

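package main

import (
	"log"
	"net/http"
)

func main() {
	// Fails with "x509: certificate signed by unknown authority" when the
	// server does not send the intermediate certificate.
	resp, err := http.Get("https://www.example.com/")
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()
	log.Println("Success!")
}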

I've notified the site in question, but is there a way I can insert the missing certificate into the certificate store Go is using?

Paul Dixon asked Oct 31 '17 09:10


1 Answer

To resolve this, I just updated the system certificate store on the client to include the missing intermediate certificate.

The client was running on an Ubuntu-based server, so this fixed the issue:

# download certificate
cd /usr/local/share/ca-certificates
curl -O https://symantec.tbs-certificats.com/SymantecSSG4.crt

# dump the fingerprint
openssl x509 -noout -fingerprint -sha256 -inform pem -in SymantecSSG4.crt

I checked the output matched the fingerprint the test tool reported I was missing:

SHA256 Fingerprint=EA:E7:2E:B4:54:BF:6C:39:77:EB:D2:89:E9:70:B2:F5:28:29:49:19:00:93:D0:D2:6F:98:D0:F0:D6:A9:CF:17

Then I updated the certificate store with this:

update-ca-certificates

Paul Dixon answered Oct 22 '22 21:10
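
The same fix applied inside the Go program instead of the system store, as an added example that is not part of the original answer: it checks the certificate's SHA-256 fingerprint and only then adds it to the pool the HTTP client uses. `fingerprint` and `clientTrusting` are hypothetical helper names, and the certificate built in `main` is constructed sample input standing in for the downloaded file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"strings"
)

// fingerprint formats SHA-256(der) the way `openssl x509 -fingerprint -sha256` prints it.
func fingerprint(der []byte) string {
	return strings.ReplaceAll(fmt.Sprintf("% X", sha256.Sum256(der)), " ", ":")
}

// clientTrusting (hypothetical helper): system roots plus one certificate pinned by fingerprint.
func clientTrusting(pemBytes []byte, wantFP string) (*http.Client, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no PEM certificate found")
	}
	if got := fingerprint(block.Bytes); !strings.EqualFold(got, wantFP) {
		return nil, fmt.Errorf("fingerprint mismatch: got %s", got)
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // no system store: trust only the pinned certificate
	}
	// Add only the block just checked; it becomes a trust anchor for this client alone.
	if !pool.AppendCertsFromPEM(pem.EncodeToMemory(block)) {
		return nil, fmt.Errorf("certificate could not be parsed")
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}, nil
}

func main() {
	// Constructed sample input: a throwaway self-signed certificate stands in for the download.
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"constructed.example"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	_, errGood := clientTrusting(pemBytes, fingerprint(der))
	_, errBad := clientTrusting(pemBytes, "00:11:22") // constructed wrong value
	fmt.Println("matching fingerprint:", errGood, "| wrong fingerprint:", errBad)
}
```

For the case in the question, the inputs would be the contents of SymantecSSG4.crt and the fingerprint quoted in the answer.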