If you specify a CA certificate to use in the proxy to verify the identity of the backend service, the certificate will en up as entry in tlsConfig.ClientCAs but the godocs are stating that:
// ClientCAs defines the set of root certificate authorities
// that servers use if required to verify a client certificate
// by the policy in ClientAuth.
So the CA-certificate should be installed there when preparing a server side tlsConfig. When preparing a client side config it should be placed in RootCAs instead (so the fix is trivial).
I think the behaviour has become more strictly with newer go-versions. I think it used to work.
currently I'm getting a transport: authentication handshake failed: x509: certificate signed by unknown authority
I'm experiencing this same issue. For now I'm going to have to set tls_noverify, which is not optimal.
This seems like a bug with a fairly straightforward fix (changing the set value). Can I help you get a fix for this merged @jonahbron?
Of course @johanbrandhorst , I just submitted a PR that assigns to the correct property. Completed based on @trusch's comments and the documentation.
Most helpful comment
currently I'm getting a
transport: authentication handshake failed: x509: certificate signed by unknown authority