SSL certificates cannot be loaded

[bfreis]

Hi!

For some reason, when using this new version my code fails to make any HTTPS connections. I investigated and noticed that x509.SystemCertPool() returns a pool with no certificates. I checked that the CA certificate files are indeed there in the Lambda environment, but it fails. I then tried to copy-and-paste the x509/example_test.go test functions, specifically ExampleCertificate_Verify() and ExampleParsePKIXPublicKey() https://golang.org/src/crypto/x509/example_test.go?m=text and it fails when parsing the certificate files.

I also tried to go-bindata a PEM file with certificates that I can for sure parse on my local machine and then try to have x509.SystemCertPool() add that, but I get the same certificate parsing issue.

It's very strange: parsing certificates fail in the Lambda environment, but it works on my machine.

With the previous version (ie, eawsy/aws-lambda-go), it works fine! The exact same code, with the exact same certificate data and tests, works fine on that previous version.

Have you seen this? Any ideas what could be causing it?

Thanks!
Bruno

[bfreis]

Here's the error when it tries to parse an SSL cert:

failed to parse certificate from server: asn1: structure error: tags don't match (4 vs {class:0 tag:16 length:1227 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false}

[bfreis]

Oh, I also tried invoking my code directly (ie, I added a go build instruction on the example Makefile to generate a binary) inside a Docker container using the -shim image, it was successful. I also tried to run the code using the same binary inside the original amazonlinux docker image and it was also successful.

Maybe it's some mysterious issue related to the plugin mechanism?

[fsenart]

Hi @bfreis. We heard about this problem a few days ago in the gitter channel. After investigation, it seems to be related to golang plugins. We've informed the golang team golang/go#18584.
In the meantime we are actively searching a workaround.

[fsenart]

@bfreis can you please test with the updated docker image docker pull eawsy/aws-lambda-go-shim:latest. As far as I've tested, the issue seems resolved with the release of go 1.8rc1 golang/go@3de6e96.
Please keep me informed asap.

[bfreis]

I'm now getting a different error message when I invoke the lambda:

Unable to import module 'handler': plugin.Open: plugin was built with a different version of package github.com/eawsy/aws-lambda-go-core/service/lambda/runtime

EDIT: I found the cause of the issue above and got it to work! For anybody with the same issue: I did some changes to the Makefile to get it to work with my particular environment. I have multiple GOPATH roots, and multiple packages. I changed the docker volumes I mounted into the container, and I was not using "/go" as the container mount point anymore. This caused the aws-lambda-go-core lib to be imported from a different path. And this was giving the message above. When I made some more changes to make sure that the GOPATH providing aws-lambda-go-core was indeed /go, the problem disappeared!

Also, the SSL issue has been resolved as well.

I believe this issue can be closed!