(Fabio Alessandro Locati|Fale)'s blog

Why you should bundle the root CAs in your image

July 13, 2018

If you have ever used Docker or any other Linux OCI container system, you have inevitably run into the following error:

x509: failed to load system roots and no roots provided

This message is reminding you that you forgot to provide root Certificate Authorities to your application. There are two different ways to solve this:

  1. mount the /etc/ssl/certs folder from the machine where the container is running
  2. bundle the root CAs in your image

As you may imagine from the title, I believe that the second option is far better than the first one.


Walkthrough a PEM file in Go

December 21, 2017

A few months ago, I posted how to create a PKI in Go. Today I’d like to share a useful function (at least from my point of view) that I found myself writing.

The problem arose when I had a function that required as input a *pem.Block of the public key, but all I had was the PEM file containing, as you can imagine:

I think this is a typical situation, and for this, I’d like to share a function I wrote to extract it. I know that it’s probably not perfect, but it could be a good starting point for many of you, and if you have suggestions, please leave a comment down below or send me an email, and I’ll update the post!


Let's Encrypt GA

April 13, 2016

Yesterday, Let’s Encrypt moved from beta to GA. During the beta phase, which started last September, more than 1.7 million certificates were issued.

I think this is a crucial step for the project and overall for the Internet as well. Until now, the only way to obtain a valid TLS certificate was to pay a CA. This artificial constraint made no sense since the CAs were forcing users to buy an insurance policy that made no sense (and often, it was completely worthless).
