Comments (13)
Hi!
> @doums Can you provide more information on your configuration so that we can file an issue with rustls-native-certs?
Sorry for the response delay. Since our code has changed a lot, I don't remember how, but I finally managed to fix/work around the issue.
from hyper-rustls.
How did you build a configuration? If you used `with_native_roots()`, this issue report probably makes more sense in the rustls-native-certs repo (I can move it for you if you like). The Unix implementation for that lives in https://github.com/rustls/rustls-native-certs/blob/main/src/unix.rs and depends on the openssl_probe crate. A workaround might be to use `with_webpki_roots()` instead, which basically bakes the certificates into your Rust binary at compile time.
from hyper-rustls.
@doums Can you provide more information on your configuration so that we can file an issue with rustls-native-certs?
from hyper-rustls.
hola, mi amigos; I ran into a similar issue and am using `with_native_roots()`--hopefully that's helpful
from hyper-rustls.
Hi @aaronArinder, thanks for commenting.
Can you share more detail? For example, what platform are you running on and which versions of the relevant crates are in play. It would also be helpful if you have a backtrace or a code snippet that reproduces.
from hyper-rustls.
Hello, I ran into a similar issue:
```
panicked at 'no CA certificates found', /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/hyper-rustls-0.23.2/src/config.rs:48:9
```
from hyper-rustls.
please post:
- the log output up until that point
- details of your environment: operating system version, etc.
- if Linux, please include the version of the ca-certificates package or your distribution's equivalent of that.
from hyper-rustls.
https://github.com/rustls/hyper-rustls/blob/main/src/config.rs#L48 is an assertion which happens if there are no certs locally installed. IMO, this method should return a Result with an error in this case (or an Option, which is None if no certs are locally installed).
Checking if certs are locally installed prior to executing this function would require rewriting most of it.
from hyper-rustls.
I want to challenge for a bit that this shouldn't panic. In your particular use case, how are you going to handle an error from this API?
from hyper-rustls.
Falling back to `with_webpki_roots` as my use-case doesn't require explicit use of the system roots. I just solely have a preference for them.
Using `with_webpki_roots` now wouldn't be safe for all use-cases though as some users may explicitly only want to trust the system roots, or may want to work on systems with custom CAs installed.
If `with_native_roots` is going to panic, I will have to re-implement a check if the system has native roots available to fix the fact this safe function panics on an OS resource which may not exist on a variety of configurations not existing. To do so would require rewriting most of this function, and in order to be safe, would require the documentation of this function to document it panics on this case and only on this case.
from hyper-rustls.
> Falling back to `with_webpki_roots` as my use-case doesn't require explicit use of the system roots. I just solely have a preference for them.
>
> Using `with_webpki_roots` now wouldn't be safe for all use-cases though as some users may explicitly only want to trust the system roots, or may want to work on systems with custom CAs installed.
>
> If `with_native_roots` is going to panic, I will have to re-implement a check if the system has native roots available to fix the fact this safe function panics on an OS resource which may not exist on a variety of configurations not existing. To do so would require rewriting most of this function, and in order to be safe, would require the documentation of this function to document it panics on this case and only on this case.
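If you want a similar effect, you can use the following code:
```rust
// Imports assume hyper 0.14, which the hyper-rustls 0.23.x named earlier in this thread builds on.
use hyper::client::HttpConnector;
use hyper_rustls::HttpsConnector;

// The root store is selected at compile time by a `webpki-roots` Cargo feature
// of the enclosing crate.
fn https_config() -> HttpsConnector<HttpConnector> {
    #[cfg(feature = "webpki-roots")]
    {
        // Roots compiled into the binary.
        return hyper_rustls::HttpsConnectorBuilder::new()
            .with_webpki_roots()
            .https_only()
            .enable_http1()
            .enable_http2()
            .build();
    }
    #[cfg(not(feature = "webpki-roots"))]
    {
        // Roots loaded from the operating system's certificate store.
        return hyper_rustls::HttpsConnectorBuilder::new()
            .with_native_roots()
            .https_only()
            .enable_http1()
            .enable_http2()
            .build();
    }
}
```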
from hyper-rustls.
That still panics if the system roots are attempted yet there aren't system roots on the system. That isn't actually falling back at runtime, which is the above discussed flow.
from hyper-rustls.
I was getting the same error as well. Tossed the line below into my Debian-based Dockerfile and it fixed the issue:
```dockerfile
# Update certificate store
RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates
```
from hyper-rustls.
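Added example, not part of the thread or of hyper-rustls: a std-only preflight for the runtime fallback discussed above, which reports whether a system CA bundle is present and returns a `Result` instead of panicking, so the caller chooses between failing closed and using compiled-in roots. `RootSource`, `select_roots`, `count_certs` and the candidate path list are names and values assumed for this illustration; actual certificate loading stays with rustls-native-certs.

```rust
use std::path::{Path, PathBuf};
use std::{env, fs, io};

/// Where the TLS client's trust anchors should come from.
#[derive(Debug, PartialEq)]
pub enum RootSource {
    /// A system bundle holding `certs` PEM certificates was found at `path`.
    System { path: PathBuf, certs: usize },
    /// No usable system bundle: use roots compiled into the binary.
    Bundled,
}

/// Common bundle locations (an assumed, partial list chosen for this example).
pub const CANDIDATES: &[&str] = &[
    "/etc/ssl/certs/ca-certificates.crt", // Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",   // Fedora, RHEL
    "/etc/ssl/cert.pem",                  // Alpine
];

/// Count PEM certificate headers in a file. This is a presence check only;
/// it does not parse or validate the certificates.
fn count_certs(path: &Path) -> io::Result<usize> {
    const MARK: &[u8] = b"-----BEGIN CERTIFICATE-----";
    let data = fs::read(path)?;
    Ok(data.windows(MARK.len()).filter(|w| *w == MARK).count())
}

/// Choose a root source without panicking. With `allow_bundled == false` the
/// caller trusts only the system store and gets an error instead of a fallback.
pub fn select_roots(candidates: &[PathBuf], allow_bundled: bool) -> io::Result<RootSource> {
    for path in candidates {
        match count_certs(path) {
            Ok(certs) if certs > 0 => return Ok(RootSource::System { path: path.clone(), certs }),
            _ => continue, // missing, unreadable or empty: try the next location
        }
    }
    if allow_bundled { return Ok(RootSource::Bundled); }
    Err(io::Error::new(io::ErrorKind::NotFound, "no CA certificates found"))
}

fn main() {
    // SSL_CERT_FILE, if set, is probed before the default locations.
    let mut paths: Vec<PathBuf> = env::var_os("SSL_CERT_FILE").map(PathBuf::from).into_iter().collect();
    paths.extend(CANDIDATES.iter().map(|p| PathBuf::from(*p)));
    match select_roots(&paths, true) {
        Ok(source) => println!("trust anchors: {:?}", source),
        Err(err) => eprintln!("refusing to start: {}", err),
    }
}
```

Run in a container entrypoint or health check, this distinguishes an image that lacks the ca-certificates package from one whose bundle exists but is empty.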