Certificate verification failure for endpoint "wss://ws-direct.exchange.coinbase.com"

I have no problem connecting to the older “wss://ws-feed.exchange.coinbase.com”, but get an error to the tune of x509: “*.exchange.coinbase.com” certificate is not standards compliant when connecting to the new direct market endpoint. On Mac OS using golang.

Did a bit of light sleuthing and found this: crypto/x509: "certificate is not standards compliant" on MacOS · Issue #51991 · golang/go · GitHub

Apple enforces their SCT requirements on all publicly trusted certificates as part of its base TLS policy (which we use via SecPolicyCreateSSL, since we are generally targeting the web PKI.) Publicly trusted certificates that lack embedded SCTs are very rare, making up something like 0.01% of all publicly trusted certs, but they are out there (the AWS example being probably the most common.)

I won’t pretend to understand in detail what’s going on, but it seems to have to do with how AWS is issuing certs and how that interplays with Mac OS specs? There are some workarounds available, but it’d be nice if the certs were just created correctly in the first place, like how it was for the old endpoint “wss://ws-feed.exchange.coinbase.com”.

Hello @ano334! Welcome back to the forum! For the details regarding your concern, we will check on this for you with our team to see how we can best assist. We’ll get back to you once we have more information. Keep in touch!
Hi @ano334! Thank you for patiently waiting. However, we need you to provide us with the following information so that we can further assist you with the concern:

  • Can you please provide the details of what go library you are using?
  • Kindly send us a code snippet that you are using including the message you are trying to send.
  • Can you provide a screenshot to demonstrate the problem you are encountering?

Once you send us the information requested above, we’ll work to quickly address this issue. We appreciate your patience and understanding.

var wsDialer websocket.Dialer // Dialer with a Dial(url, header) (conn, resp, err) signature, e.g. gorilla/websocket; the post does not name the library
_, _, err := wsDialer.Dial("wss://ws-direct.exchange.coinbase.com", nil)
if err != nil {
    fmt.Printf("Error: %s\n", err) // Observe the returned error: x509: “*.exchange.coinbase.com” certificate is not standards compliant
}
  • No message is even sent at this point, as the error is during handshake / establishing the connection.

This issue may be limited to the golang runtime implementation for Mac OS, or any other implementation that strictly enforces SCT requirements as part of its TLS policy. At least that’s the hint I’m getting from the issue I linked.

Hi @ano334! Thank you for providing the information we need. Based on the information we gathered from our team, if you are using Go on macOS, you will need to download the certificate and use it. However, there are some issues with AWS NLB and Go on macOS; you may visit this link for more information about the issues: crypto/x509: "certificate is not standards compliant" on MacOS · Issue #51991 · golang/go · GitHub

We hope we have provided clarity with your concerns. Have a great day!

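The two technical points in this thread are (a) the Go issue's explanation that the macOS verifier rejects publicly trusted leaves that carry no embedded Signed Certificate Timestamps, and (b) the support reply's advice to download the certificate and use it. The following Go program is an added example, not code from the poster, Coinbase or the Go project. It shows how to check a leaf for the RFC 6962 SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) so the failure can be confirmed rather than guessed at, and how to verify a chain against an explicitly supplied root pool. It assumes (this is not stated on the page) that when VerifyOptions.Roots is a caller-built pool rather than the system pool, Go's crypto/x509 runs its own chain builder instead of delegating to the platform verifier, so hostname, validity and signature checks still apply while the SCT policy does not. The CA and wildcard leaf are constructed in-process as a test fixture and have no relation to the certificate actually served by the endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidEmbeddedSCT is the extension OID for an embedded SignedCertificateTimestampList
// (RFC 6962, section 3.3): 1.3.6.1.4.1.11129.2.4.2.
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// hasEmbeddedSCT reports whether cert carries the RFC 6962 SCT list extension.
// A publicly trusted leaf without it is what the macOS verifier (reached through
// SecPolicyCreateSSL, per the linked Go issue) rejects as "not standards compliant".
func hasEmbeddedSCT(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) {
			return true
		}
	}
	return false
}

// verifyWithRoots checks leaf for host against an explicit root pool.
// Assumption (not from the page): a caller-supplied pool keeps verification in
// Go's own chain builder, so the platform SCT policy is not consulted while
// hostname, validity and signature checks still are. This is the shape of the
// "download the certificate and use it" advice, without disabling verification.
func verifyWithRoots(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// makeTestChain builds a constructed CA and a wildcard leaf for *.exchange.coinbase.com,
// optionally embedding a placeholder SCT extension. Test fixture only.
func makeTestChain(withSCT bool) (leaf, ca *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "*.exchange.coinbase.com"},
		DNSNames:     []string{"*.exchange.coinbase.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSCT {
		// Placeholder OCTET STRING in place of a real SignedCertificateTimestampList;
		// only the presence of the extension matters to hasEmbeddedSCT.
		val, err := asn1.Marshal([]byte{0x00, 0x00})
		if err != nil {
			return nil, nil, err
		}
		leafTmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: val}}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, ca, err
}

func main() {
	for _, withSCT := range []bool{false, true} {
		leaf, ca, err := makeTestChain(withSCT)
		if err != nil {
			panic(err)
		}
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		err = verifyWithRoots(leaf, pool, "ws-direct.exchange.coinbase.com")
		fmt.Printf("embedded SCT: %v, verify with explicit roots: %v\n", hasEmbeddedSCT(leaf), err)
	}
}
```

To inspect a live endpoint instead of the fixture, pass the leaf from a tls.Conn's ConnectionState().PeerCertificates to hasEmbeddedSCT; a false result on a publicly trusted leaf is the condition the thread describes. Pinning a downloaded chain into an explicit pool is a scoped workaround for one endpoint, not a replacement for the system trust store, and it needs to be revisited whenever the server rotates its certificate.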