Golang中解决子进程获取"https://google.com"时证书验证失败问题:tls: failed to verify certificate: SecPolicyCreateSSL error: 0
Golang中解决子进程获取"https://google.com"时证书验证失败问题:tls: failed to verify certificate: SecPolicyCreateSSL error: 0
以下是可以使用 go run main.go 复现的 main.go 文件:
package main
import (
"encoding/json"
"fmt"
"io"
"log"
"net/http"
"os"
"syscall"
"time"
)
// Mark of daemon process - system environment variable _GO_DAEMON=1
const (
MARK_NAME = "_GO_DAEMON"
MARK_VALUE = "1"
)
// Default file permissions for log and pid files.
const FILE_PERM = os.FileMode(0640)
// WasReborn returns true in child process (daemon) and false in parent process.
func WasReborn() bool {
return os.Getenv(MARK_NAME) == MARK_VALUE
}
// A Context describes daemon context.
type Context struct {
// If PidFileName is non-empty, parent process will try to create and lock
// pid file with given name. Child process writes process id to file.
PidFileName string
// Permissions for new pid file.
PidFilePerm os.FileMode
// If LogFileName is non-empty, parent process will create file with given name
// and will link to fd 2 (stderr) for child process.
LogFileName string
// Permissions for new log file.
LogFilePerm os.FileMode
// If WorkDir is non-empty, the child changes into the directory before
// creating the process.
WorkDir string
// If Chroot is non-empty, the child changes root directory
Chroot string
// If Env is non-nil, it gives the environment variables for the
// daemon-process in the form returned by os.Environ.
// If it is nil, the result of os.Environ will be used.
Env []string
// If Args is non-nil, it gives the command-line args for the
// daemon-process. If it is nil, the result of os.Args will be used.
Args []string
// Credential holds user and group identities to be assumed by a daemon-process.
Credential *syscall.Credential
// If Umask is non-zero, the daemon-process call Umask() func with given value.
Umask int
// Struct contains only serializable public fields (!!!)
abspath string
logFile *os.File
nullFile *os.File
rpipe, wpipe *os.File
}
func (d *Context) SetLogFile(fd *os.File) {
d.logFile = fd
}
func (d *Context) openFiles() (err error) {
if d.PidFilePerm == 0 {
d.PidFilePerm = FILE_PERM
}
if d.LogFilePerm == 0 {
d.LogFilePerm = FILE_PERM
}
if d.nullFile, err = os.Open(os.DevNull); err != nil {
return
}
if len(d.LogFileName) > 0 {
if d.LogFileName == "/dev/stdout" {
d.logFile = os.Stdout
} else if d.LogFileName == "/dev/stderr" {
d.logFile = os.Stderr
} else if d.logFile, err = os.OpenFile(d.LogFileName,
os.O_WRONLY|os.O_CREATE|os.O_APPEND, d.LogFilePerm); err != nil {
return
}
}
d.rpipe, d.wpipe, err = os.Pipe()
return
}
func (d *Context) closeFiles() (err error) {
fmt.Println("closeFiles")
cl := func(file **os.File) {
if *file != nil {
(*file).Close()
*file = nil
}
}
cl(&d.rpipe)
cl(&d.wpipe)
cl(&d.logFile)
cl(&d.nullFile)
return
}
func (d *Context) prepareEnv() (err error) {
if d.abspath, err = os.Executable(); err != nil {
return
}
fmt.Println("abspath", d.abspath)
if len(d.Args) == 0 {
d.Args = os.Args
}
mark := fmt.Sprintf("%s=%s", MARK_NAME, MARK_VALUE)
if len(d.Env) == 0 {
d.Env = os.Environ()
}
d.Env = append(d.Env, mark)
return
}
func (d *Context) files() (f []*os.File) {
log := d.nullFile
if d.logFile != nil {
log = d.logFile
}
f = []*os.File{
d.rpipe, // (0) stdin
log, // (1) stdout
log, // (2) stderr
d.nullFile, // (3) dup on fd 0 after initialization
}
return
}
func (d *Context) reborn() (child *os.Process, err error) {
if !WasReborn() {
child, err = d.parent()
} else {
err = d.child()
}
return
}
func (d *Context) parent() (child *os.Process, err error) {
if err = d.prepareEnv(); err != nil {
return
}
defer d.closeFiles()
if err = d.openFiles(); err != nil {
return
}
attr := &os.ProcAttr{
Dir: d.WorkDir,
Env: d.Env,
Files: d.files(),
Sys: &syscall.SysProcAttr{},
}
fmt.Println("parent startProcess")
if child, err = os.StartProcess(d.abspath, d.Args, attr); err != nil {
return
}
d.rpipe.Close()
encoder := json.NewEncoder(d.wpipe)
err = encoder.Encode(d)
fmt.Println("parent done")
// if this sleep keeps the parent around, it will work.
// time.Sleep(3 * time.Second)
return
}
func (d *Context) child() (err error) {
decoder := json.NewDecoder(os.Stdin)
if err = decoder.Decode(d); err != nil {
return
}
return
}
func main() {
daemonContext := &Context{
PidFileName: "test.pid",
PidFilePerm: 0644,
LogFileName: "test.log",
LogFilePerm: 0640,
WorkDir: "/tmp",
Umask: 027,
Args: []string{"SecPolicyCreateSSL"},
}
d, err := daemonContext.reborn()
if err != nil {
log.Fatalln(err)
}
if d != nil { // return the parent process since it's now forked into a child
return
}
time.Sleep(2 * time.Second)
fmt.Println("doing get...")
resp, err := http.Get("https://google.com")
if err != nil {
log.Println(err)
return
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
log.Println(err)
return
}
fmt.Println(string(body)[:100])
return
}
运行后,你会在 test.log 中看到:
doing get...
2024/07/23 13:07:21 Get "https://google.com": tls: failed to verify certificate: SecPolicyCreateSSL error: 0
现在,在 parent 函数中,取消注释 // time.Sleep(3 * time.Second) 然后再次运行。
你应该会看到它正常工作:
doing get...
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content
看起来父进程过早关闭会导致子进程(我猜测)在 Linux 和 macOS 上无法获得适当的环境。
不过,我并不完全确定原因。我已经尝试深入到我已知的底层去探究,但还没有找到原因。有人知道为什么这不可能实现吗?
我希望父进程能够在子进程之前正常退出,这样我就可以使用 Go 二进制文件作为守护进程/服务的控制器。但我无法保证 HTTPS 调用会在父进程退出之前发生。
更多关于Golang中解决子进程获取"https://google.com"时证书验证失败问题:tls: failed to verify certificate: SecPolicyCreateSSL error: 0的实战教程也可以访问 https://www.itying.com/category-94-b0.html
