GOINSECURE to enable http downlaods on packages from Github

Question

I'm developing a CLI app at work in order to automate a couple tedious tasks, to do this I need to install a couple packages like gotp. I noticed that installing this new package into my project this error pops up.

go get github.com/xlzd/gotp
go: module github.com/xlzd/gotp: Get "https://proxy.golang.org/github.com/xlzd/gotp/@v/list": x509: certificate signed by unknown authority

I suppose this has something to do with my work PC's firewall or security configuration, since I was able to install a couple packages before the firewall was enabled on my PC. I read about the environment variable GOINSECURE which would enable go get to download packages over HTTP. So here's what I've done in my case.

export GOINSECURE="proxy.golang.org/*,github.com,github.com/*"

Still the same error pops up, am I missing something in my configuration?

Answer 1

I also encountered this error when I installed internal package, the solution is selected proper proxy, I change my GOPROXY to internal proxy site address, and made GOPRIVATE, GONOPROXY, GONOSUMDB to null value. In your case, you may attempt

GOINSECURE="proxy.golang.org/*,github.com,github.com/*"
GONOSUMDB="proxy.golang.org/*,github.com,github.com/*"
GOPRIVATE="proxy.golang.org/*,github.com,github.com/*"

Answer 2

I struggled with this when trying to use go inside a bash shell in a ubuntu22 container running inside docker desktop for windows on a corporate network.

I want to do

go get github.com/Masterminds/sprig

But kept getting x509 errors

go get github.com/Masterminds/sprig
go: github.com/Masterminds/[email protected]: Get "https://proxy.golang.org/github.com/%21masterminds/goutils/@v/v1.1.1.mod": x509: certificate signed by unknown authority

1. go get --insecure is indeed deprecated and don't work any more

2. export GOINSECURE=github.com didn't work at first

3. it seemed to be more a combination of using GOINSECURE with

   git config --global http.sslverify false

One I'd set this sslVerify to false, it got further..

so I kept iterating the go get github.com/Masterminds/sprig and each time it got further.. calling out another url (probably a package dependency)

go get github.com/Masterminds/sprig
go: golang.org/x/[email protected]: unrecognized import path "golang.org/x/crypto": https fetch: Get "https://golang.org/x/cr
ypto?go-get=1": x509: certificate signed by unknown authority

each time I added the url to the GOINSECURE i.e.

export GOINSECURE=github.com,golang.org

go get github.com/Masterminds/sprig
go: sigs.k8s.io/[email protected]: unrecognized import path "sigs.k8s.io/yaml": https fetch: Get "https://sigs.k8s.io/yaml?go-get=1": x509: certificate sig
ned by unknown authority

export GOINSECURE=github.com,golang.org,sigs.k8s.io

Until ultimately everything was downloaded

go get github.com/Masterminds/sprig
go: downloading github.com/Masterminds/sprig v2.22.0+incompatible
go: downloading github.com/Masterminds/goutils v1.1.1
go: downloading github.com/Masterminds/semver v1.5.0
go: downloading github.com/google/uuid v1.3.0
go: downloading github.com/huandu/xstrings v1.3.2
go: downloading github.com/imdario/mergo v0.3.12
go: downloading github.com/mitchellh/copystructure v1.2.0
go: downloading golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa
go: downloading github.com/mitchellh/reflectwalk v1.0.2
""/bin/go build prehelm.go
go: downloading sigs.k8s.io/yaml v1.2.0
go: downloading gopkg.in/yaml.v2 v2.3.0

I hope that helps, in short

1. ensure you have git config --global http.sslverify false
2. add the sites to you GOINSECURE= one by one until done.
3. Alternatively but less secure you can add export GOINSECURE=*