Fix: Load system-wide native cert on rustls #1589

Merged
merged 2 commits into from
Jan 31, 2024

@NobodyXu NobodyXu commented Jan 31, 2024

@arvid-norlander This PR might fix the issue you experienced.

It now enables the reqwest/rustls-tls-native-certs feature, which now checks system-wide certs:

    [
        "/var/ssl",
        "/usr/share/ssl",
        "/usr/local/ssl",
        "/usr/local/openssl",
        "/usr/local/etc/openssl",
        "/usr/local/share",
        "/usr/lib/ssl",
        "/usr/ssl",
        "/etc/openssl",
        "/etc/pki/ca-trust/extracted/pem",
        "/etc/pki/tls",
        "/etc/ssl",
        "/etc/certs",
        "/opt/etc/ssl", // Entware
        "/data/data/com.termux/files/usr/etc/tls",
        "/boot/system/data/ssl",
    ]

And also checks environment variables:

    /// The OpenSSL environment variable to configure what certificate file to use.
    pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE";

    /// The OpenSSL environment variable to configure what certificates directory to use.
    pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR";

While it still doesn't seem to check /etc/ca-certificates, it at least loads a few others and supports env, so it might solve your issue.

If it doesn't, I will add reading from /etc/ca-certificates in cargo-binstall in a separate PR.

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Member Author

Oh it should fix the issue for you - /etc/ca-certificates.conf merely lists the certs you wished to install to /etc/ssl/certs and /etc/ca-certificates is a dir containing updating scripts.

Since rustls-tls-native-certs includes /etc/ssl it should fix the issue for you.

@arvid-norlander can you try this PR locally please?

@NobodyXu NobodyXu requested a review from passcod January 31, 2024 13:10
@NobodyXu NobodyXu enabled auto-merge January 31, 2024 13:10
@NobodyXu NobodyXu added this pull request to the merge queue Jan 31, 2024
Member

@passcod passcod left a comment

wasn't aware you could set both those features, good to know

Merged via the queue into main with commit 6dc2a0a Jan 31, 2024
27 checks passed
@NobodyXu NobodyXu deleted the fix/cert branch January 31, 2024 14:59
@arvid-norlander

arvid-norlander commented Feb 1, 2024

Hi, today I'm at the office (behind the corporate proxy) so I gave this a try (even though you merged it already?).

It seems to work from a brief test (cargo run --bin=cargo-binstall -- cargo-binstall was able to install binstall itself successfully, while the latest release of cargo-binstall is unable to do the same).

@NobodyXu
Member Author

NobodyXu commented Feb 1, 2024

@arvid-norlander Thank you, I will cut a new release this Sunday.

P.S. regarding the merge before testing, I was confident that this PR would fix many use cases of binstall, so I would like to merge it.

Had it turned out not to work, I would continue investigating and create another PR to fix the issue.
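
Added example (not code from this PR, cargo-binstall, or reqwest): a small Rust resolver for checking which trust source a host would yield under the lookup described in the thread, that is, the `SSL_CERT_FILE` / `SSL_CERT_DIR` overrides followed by the quoted directory list. The bundle file names, the `certs` subdirectory, the rule that an override must exist to be used, and all type and function names are assumptions made for this illustration.

```rust
use std::path::{Path, PathBuf};

// Directories quoted in the PR comment, in the same order.
const CERT_DIRS: &[&str] = &[
    "/var/ssl", "/usr/share/ssl", "/usr/local/ssl", "/usr/local/openssl",
    "/usr/local/etc/openssl", "/usr/local/share", "/usr/lib/ssl", "/usr/ssl",
    "/etc/openssl", "/etc/pki/ca-trust/extracted/pem", "/etc/pki/tls", "/etc/ssl",
    "/etc/certs", "/opt/etc/ssl", "/data/data/com.termux/files/usr/etc/tls",
    "/boot/system/data/ssl",
];
// Assumed bundle file names (not from the thread); adjust for your distribution.
const BUNDLE_NAMES: &[&str] = &[
    "cert.pem", "certs/ca-certificates.crt", "certs/ca-bundle.crt", "tls-ca-bundle.pem",
];

#[derive(Debug, PartialEq)]
pub struct TrustSource {
    pub cert_file: Option<PathBuf>,
    pub cert_dir: Option<PathBuf>,
}

/// `env` looks up an environment variable, `exists` tests a path; both are
/// injected so the resolution order can be checked without touching the host.
pub fn resolve_trust_source(
    env: impl Fn(&str) -> Option<String>,
    exists: impl Fn(&Path) -> bool,
) -> TrustSource {
    // Assumption: an override is honoured only if the path it names exists.
    let from_env = |key: &str| env(key).map(PathBuf::from).filter(|p| exists(p.as_path()));
    let mut src = TrustSource {
        cert_file: from_env("SSL_CERT_FILE"),
        cert_dir: from_env("SSL_CERT_DIR"),
    };
    for dir in CERT_DIRS {
        let dir = Path::new(dir);
        if src.cert_file.is_none() {
            src.cert_file = BUNDLE_NAMES.iter().map(|n| dir.join(n)).find(|p| exists(p.as_path()));
        }
        let certs = dir.join("certs");
        if src.cert_dir.is_none() && exists(certs.as_path()) {
            src.cert_dir = Some(certs);
        }
    }
    src
}

fn main() {
    let src = resolve_trust_source(|k| std::env::var(k).ok(), |p| p.exists());
    println!("{:?}", src);
}
```

Running it on a machine behind a TLS-inspecting proxy shows whether the resolved bundle is the one the corporate CA was installed into.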
