orhun / rustypaste-cli

A CLI tool for rustypaste

Home Page: https://github.com/orhun/rustypaste

doesn't work with self-signed certs on server

tessus opened this issue · comments

rpaste file.txt

Request error: `https://server.example.com: Connection Failed: tls connection init failed: invalid peer certificate contents: invalid peer certificate: UnknownIssuer`

Is there a local store that the rust tls implementation checks for root CAs? Either way, IMO I should still be able to use rpaste with a server that uses a self-signed cert.

Hmm, interesting. Found this issue in case it is related: rustls/rustls#841

Can you provide the steps for reproducing this error? I'm not sure if I can trace it without re-creating the case that it fails.

  • build rpaste with: cargo install rustypaste-cli
  • set up rustypaste behind a reverse proxy with tls terminated at the proxy using a self signed cert
  • run rpaste file.txt

set up rustypaste behind a reverse proxy with tls terminated at the proxy using a self signed cert

I'm curious about how you set up this part.

Well, I have my own CA with which I sign all certificates. I was using the System -> Trust -> Certificates from OPNsense.

In my home network, I use self-signed certs, but signed with a CA I created. But of course this CA is not trusted by clients. So what I have to do is import the CA to the browser (and/or the OS's cert store) to not get a warning. The same is true for curl. I have to pass the CA to curl or add the CA to the OS's cert store that curl reads.

There are usually 2 ways to solve this in apps:

  • allow passing a CA that is then used to validate the cert
  • ignore UnknownIssuer errors (but do not ignore other errors!)

I found a solution.

ureq = { version = "2.7.1", default-features = true, features = ["native-certs"] }

This does the trick. However, I'd rather add a feature to rustypaste-cli, e.g. use-native-certs.

So, cargo install rustypaste-cli --features use-native-certs would build it with the dependency feature native-certs and otherwise without it.

I haven't been able to add variable dependency features in the Cargo.toml file.

Do you know if this is possible?

I found a solution.

🥳🥳🥳

ureq = { version = "2.7.1", default-features = true, features = ["native-certs"] }

Great!

This does the trick. However, I'd rather add a feature to rustypaste-cli, e.g. use-native-certs.

So, cargo install rustypaste-cli --features use-native-certs would build it with the dependency feature native-certs and otherwise without it.

I haven't been able to add variable dependency features in the Cargo.toml file.

Do you know if this is possible?

Yup, just updated the #18 according to that.
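
For reference, an added example (not the project's actual Cargo.toml and not necessarily what #18 contains) of how a crate-level feature can switch on a dependency's feature, using the `use-native-certs` name proposed above. With `native-certs` enabled, ureq validates server certificates against the operating system's trust store, so a private CA imported there is accepted while certificate validation stays fully enabled.

```toml
# Cargo.toml (sketch; only the parts relevant to the feature are shown)

[dependencies]
# No "native-certs" here: it is enabled only through the crate feature below.
ureq = { version = "2.7.1", default-features = true }

[features]
default = []
# "<dependency>/<feature>" forwards this crate's feature to the dependency.
# Build with: cargo install rustypaste-cli --features use-native-certs
use-native-certs = ["ureq/native-certs"]
```

Without `--features use-native-certs` the binary is built exactly as before; with it, the private CA still has to be present in the OS certificate store for the `UnknownIssuer` error to go away.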