forcing fly under darwin to load system root ca by x509 method

[xtremerui]

Trying to fix concourse/concourse#2133

Whey @bsnchan had the issue I got a chance to check their environment. It seems like the issue is scoped to darwin where keychain manages system root CA and intermediate CA differently. If there is no ca_cert specified, fly tends to let tls to populate the RootCA itself, which ends up picking up the CA sets under system root only (not 100% sure if it is using the same way that x509 does. If it is then it would be a bug that golang could not fully load system CAs under darwin).

x509.SystemCertPool() instead will pick up from both places refer to here

A related read here mentions for adding intermediate CA to system root CA in darwin is prohibited thus fly in this case needs to load that from ~/Library/Keychains/login.keychain or /Library/Keychains/System.keychain

[vito]

this shouldn't be removed

[xtremerui]

oh my bad... it is "looks good" for validation.

[vito]

As far as I can tell, this should be equivalent. The Go docs for RootCAs say that if it's specified as nil, it uses the system cert pool. Were you able to confirm this fixes it?

[xtremerui]

@vito after test locally I can confirm this PR wont fix the problem. It turned out that x509/root_darwin.go doesn't pick up ANY intermediate certificate from /Library/Keychains/System.keychain. In my case it doesn't pick up my localhost intermediate ca, not Pivotal Intermediate CA and not DigiCert SHA2 ... etc. Note root CA is in yellow and intermediate ca is in blue.

Not sure if we gonna jump in this rabbit hole but chaining the certs when config atc tls_cert is probably the best solutions for now. I could update the original issue and close this PR.