SSL cert issue with rustify >0.5.3 #98

Open
rldleblanc opened this issue Jun 14, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@rldleblanc

Our Vault uses certs signed by our CA and the client has the CA certs in the host trust store. I was able to pin rustify to 0.5.3 and things work just fine, but removing the pin causes this error.

[2024-06-14T19:05:55Z ERROR rustify::clients::reqwest] error=Error sending HTTP request
[2024-06-14T19:05:55Z ERROR rustify::client] error=Error sending HTTP request
[2024-06-14T19:05:55Z ERROR rustify::endpoint] error=Error sending HTTP request
[2024-06-14T19:05:55Z ERROR vaultrs::auth::approle] error=An error occurred with the request
thread 'main' panicked at /home/user/projects/my_project/systemvault/src/lib.rs:355:18:
called Result::unwrap() on an Err value: RestClientError { source: RequestError { source: error sending request for url (https://myvault.example.com:8200/v1/auth/approle/login): error trying to connect: invalid peer certificate: UnknownIssuer

Caused by:
0: error trying to connect: invalid peer certificate: UnknownIssuer
1: invalid peer certificate: UnknownIssuer, url: "https://myvault.example.com:8200/v1/auth/approle/login", method: "POST" } }
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

@Haennetz Haennetz added the bug Something isn't working label Jun 19, 2024
@Haennetz
Collaborator

I think that's related to this change from rustify.
Rustify upgraded the dependencies to http 1 and a newer version of reqwest.
I will also try to reproduce this.

@zrleblanc

Looking some more into this, the system is not able to automatically pick up the CA cert from the OS cert store. If I set .ca_certs() in the VaultClientSettingsBuilder to include the path to the cert, everything is fine. This is not ideal in case our certs are signed by a different CA later. src/client.rs line 150 indicates that VAULT_CAPATH will be used, but trying to provide a directory crashes the code as it only tries to open files and not detect that it's a directory (src/client.rs line 101).
I'm trying to leverage rustls-platform-verifier, but I can't seem to get it to load the OS cert store automatically.

@Haennetz
Collaborator

Haennetz commented Oct 5, 2024

Thanks for taking the time to look into it again.
I also checked the things you described and couldn't reproduce it.
I tested it on Linux with the default features enabled.
What I did:
I started a local vault instance on my system with the following command:

vault server -dev-root-token-id=root -dev -dev-tls -dev-tls-cert-dir /tmp/vcert -dev-tls-san localhost

I created a quick Rust project that has the following code in it:

use vaultrs::client::{VaultClient, VaultClientSettingsBuilder};

#[tokio::main]
async fn main() {
    // No .ca_certs() is set here: the trust store comes from the environment.
    let client = VaultClient::new(
        VaultClientSettingsBuilder::default()
            .address("https://127.0.0.1:8200")
            .token("root")
            .build()
            .unwrap(),
    )
    .unwrap();
    // Simple TLS round trip against the dev server started above.
    vaultrs::sys::health(&client).await.unwrap();
}

Then I started a new terminal and copied the directory /etc/ssl/certs to /tmp without the vault_ca file.
After that I ran the following command:

$ VAULT_CAPATH=/tmp/certs/ cargo run
   Compiling vtest v0.1.0 (/tmp/vtest)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.99s
     Running `target/debug/vtest`
thread 'main' panicked at src/main.rs:13:41:
called `Result::unwrap()` on an `Err` value: RestClientError { source: RequestError { source: error sending request for url 
(https://127.0.0.1:8200/v1/sys/health): error trying to connect: invalid peer certificate: UnknownIssuer

Caused by:
    0: error trying to connect: invalid peer certificate: UnknownIssuer
    1: invalid peer certificate: UnknownIssuer, url: "https://127.0.0.1:8200/v1/sys/health", method: "GET" } }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

And the program panics.
Now I copied the Vault CA cert to the directory and the program ran without errors.

Can you send me your Cargo.toml and on which operating system you are running the program?

@zrleblanc

Okay, I see what's going on here. If I export VAULT_CAPATH=/etc/ssl/certs, then it's working (both the ability to use a path and finding the enterprise CA cert). But if I specify .ca_certs(vec!["/etc/ssl/certs".to_string()]) in the builder then it panics (with a different error about not being able to read files). Since Vault is a minor component in the app, it would be nice to just automatically use the OS cert store without exporting VAULT_CA* like it does with rustify 0.5.3 (we didn't specify a cert or path for that version).

[package]
name = "vault"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
log = "0.4"
vaultrs = "0.7"
reqwest = "0.12"
rustify = "=0.6.0"
serde_json = "1.0"
async-trait = "0.1"
vaultrs-login = "0.2"
tokio = { version = "1", features = ["full"] }
serde = { version = "1", features = ["derive"] }

config = { path = "../config" }

[dev-dependencies]
tempfile = "3.12"
cargo-tarpaulin = "0.31"
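
Both of the reporter's comments above turn on how a VAULT_CAPATH value is resolved: a directory such as /etc/ssl/certs has to be enumerated, a single file is read directly, and only CERTIFICATE blocks should become trust anchors. The following is an added illustration of that resolution using only the standard library; it is not vaultrs or rustify code, and the function names and the *.pem/*.crt selection policy are this example's own assumptions.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Resolve a VAULT_CAPATH-style value to certificate files. A regular file is
/// returned as-is; a directory yields its *.pem / *.crt entries (symlinks are
/// followed, as in /etc/ssl/certs) in sorted order. Policy assumed by this example.
pub fn collect_ca_files(path: &Path) -> io::Result<Vec<PathBuf>> {
    let meta = fs::metadata(path)?;
    if meta.is_file() {
        return Ok(vec![path.to_path_buf()]);
    }
    if !meta.is_dir() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "neither file nor directory"));
    }
    let mut files: Vec<PathBuf> = fs::read_dir(path)?
        .filter_map(|entry| entry.ok().map(|e| e.path()))
        .filter(|p| p.is_file())
        .filter(|p| matches!(p.extension().and_then(|e| e.to_str()), Some("pem" | "crt")))
        .collect();
    files.sort();
    Ok(files)
}

/// Extract the base64 bodies of CERTIFICATE blocks from PEM text. Other block
/// types (a private key pasted into a bundle by mistake, say) are skipped.
pub fn pem_certificates(text: &str) -> Vec<String> {
    let mut certs = Vec::new();
    let mut current: Option<String> = None;
    for line in text.lines().map(str::trim) {
        if line == "-----BEGIN CERTIFICATE-----" {
            current = Some(String::new());
        } else if line == "-----END CERTIFICATE-----" {
            certs.extend(current.take());
        } else if let Some(body) = current.as_mut().filter(|_| !line.starts_with("-----")) {
            body.push_str(line);
        }
    }
    certs
}

/// Load every certificate reachable from a VAULT_CAPATH value, file or directory.
pub fn load_ca_bundle(path: &Path) -> io::Result<Vec<String>> {
    let mut out = Vec::new();
    for file in collect_ca_files(path)? {
        out.extend(pem_certificates(&fs::read_to_string(file)?));
    }
    Ok(out)
}
```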
