
Comments (13)

doums commented on June 7, 2024

Hi!

@doums Can you provide more information on your configuration so that we can file an issue with rustls-native-certs?

Sorry for the response delay. Our code has changed a lot since then and, although I don't remember how, I finally managed to fix/work around the issue.

from hyper-rustls.

djc commented on June 7, 2024

How did you build a configuration? If you used with_native_roots(), this issue report probably makes more sense in the rustls-native-certs repo (I can move it for you if you like). The Unix implementation for that lives in https://github.com/rustls/rustls-native-certs/blob/main/src/unix.rs and depends on the openssl_probe crate. A workaround might be to use with_webpki_roots() instead, which basically bakes the certificates into your Rust binary at compile time.

cpu commented on June 7, 2024

@doums Can you provide more information on your configuration so that we can file an issue with rustls-native-certs?

aaronArinder commented on June 7, 2024

hola, mi amigos; I ran into a similar issue and am using with_native_roots()--hopefully that's helpful

cpu commented on June 7, 2024

Hi @aaronArinder, thanks for commenting.

Can you share more detail? For example, what platform are you running on and which versions of the relevant crates are in play. It would also be helpful if you have a backtrace or a code snippet that reproduces.

51yu commented on June 7, 2024

Hello, I ran into a similar issue

panicked at 'no CA certificates found', /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/hyper-rustls-0.23.2/src/config.rs:48:9

ctz commented on June 7, 2024

please post:

  • the log output up until that point
  • details of your environment: operating system version, etc.
    • if Linux, please include the version of the ca-certificates package or your distribution's equivalent of that.

kayabaNerve commented on June 7, 2024

https://github.com/rustls/hyper-rustls/blob/main/src/config.rs#L48 is an assertion which happens if there are no certs locally installed. IMO, this method should return a Result with an error in this case (or an Option, which is None if no certs are locally installed).

Checking if certs are locally installed prior to executing this function would require rewriting most of it.

djc commented on June 7, 2024

I want to challenge for a bit that this shouldn't panic. In your particular use case, how are you going to handle an error from this API?

kayabaNerve commented on June 7, 2024

Falling back to with_webpki_roots as my use-case doesn't require explicit use of the system roots. I just solely have a preference for them.

Using with_webpki_roots now wouldn't be safe for all use-cases though as some users may explicitly only want to trust the system roots, or may want to work on systems with custom CAs installed.

If with_native_roots is going to panic, I will have to re-implement a check if the system has native roots available to fix the fact this safe function panics on an OS resource which may not exist on a variety of configurations not existing. To do so would require rewriting most of this function, and in order to be safe, would require the documentation of this function to document it panics on this case and only on this case.

xz-dev commented on June 7, 2024

Falling back to with_webpki_roots as my use-case doesn't require explicit use of the system roots. I just solely have a preference for them.

Using with_webpki_roots now wouldn't be safe for all use-cases though as some users may explicitly only want to trust the system roots, or may want to work on systems with custom CAs installed.

If with_native_roots is going to panic, I will have to re-implement a check if the system has native roots available to fix the fact this safe function panics on an OS resource which may not exist on a variety of configurations not existing. To do so would require rewriting most of this function, and in order to be safe, would require the documentation of this function to document it panics on this case and only on this case.

If you want a similar effect, you can use the following code

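// Imports assume hyper 0.14 with hyper-rustls 0.23 (assumption; the post does not state versions).
use hyper::client::HttpConnector;
use hyper_rustls::HttpsConnector;

// The root store is chosen at compile time by this crate's `webpki-roots` Cargo feature.
fn https_config() -> HttpsConnector<HttpConnector> {
    // Feature enabled: use the roots compiled into the binary.
    #[cfg(feature = "webpki-roots")]
    {
        return hyper_rustls::HttpsConnectorBuilder::new()
            .with_webpki_roots()
            .https_only()
            .enable_http1()
            .enable_http2()
            .build();
    }
    // Feature disabled: load the operating system's trust store.
    #[cfg(not(feature = "webpki-roots"))]
    {
        return hyper_rustls::HttpsConnectorBuilder::new()
            .with_native_roots()
            .https_only()
            .enable_http1()
            .enable_http2()
            .build();
    }
}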

kayabaNerve commented on June 7, 2024

That still panics if the system roots are attempted yet there aren't system roots on the system. That isn't actually falling back at runtime, which is the above discussed flow.

GrantBirki commented on June 7, 2024

I was getting the same error as well. Tossed the line below into my Debian-based Dockerfile and it fixed the issue:

# Update certificate store
RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates

from hyper-rustls.
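The runtime flow discussed in the thread (prefer the system roots, fall back to the compiled-in roots only when none exist, or return an error instead of panicking), as an added example that is not part of the thread and is not hyper-rustls or rustls-native-certs code. It uses only the standard library; `RootSource`, `CANDIDATES`, `count_pem_certs` and `choose_roots` are hypothetical names, the path list is a constructed sample, and only PEM bundle files are checked, not hashed certificate directories.

```rust
use std::{env, fs, path::{Path, PathBuf}};

/// Which trust anchors the connector should be built with.
#[derive(Debug, PartialEq)]
pub enum RootSource {
    Native(PathBuf), // a usable system bundle was found at this path
    Webpki,          // nothing usable: use the roots compiled into the binary
}

// Constructed sample of common bundle locations (assumption, not openssl_probe's own list).
pub const CANDIDATES: &[&str] = &[
    "/etc/ssl/certs/ca-certificates.crt", // Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",   // Fedora, RHEL
    "/etc/ssl/cert.pem",                  // Alpine
];

/// Count PEM certificate blocks in a bundle; a missing or empty file yields 0.
pub fn count_pem_certs(path: &Path) -> usize {
    fs::read_to_string(path)
        .map(|s| s.matches("-----BEGIN CERTIFICATE-----").count())
        .unwrap_or(0)
}

/// Decide at runtime which roots to use, returning an error instead of panicking.
/// `allow_fallback = false` models deployments that must trust only system or custom CAs.
pub fn choose_roots(pinned_file: Option<&str>, candidates: &[&str], allow_fallback: bool)
    -> Result<RootSource, String>
{
    // An explicit SSL_CERT_FILE pins the trust store: do not widen it by probing elsewhere.
    let pinned = [pinned_file.unwrap_or("")];
    let search: &[&str] = if pinned_file.is_some() { &pinned } else { candidates };
    for &p in search {
        if count_pem_certs(Path::new(p)) > 0 {
            return Ok(RootSource::Native(PathBuf::from(p)));
        }
    }
    if allow_fallback { Ok(RootSource::Webpki) } else { Err("no CA certificates found".into()) }
}

fn main() {
    let pinned = env::var("SSL_CERT_FILE").ok();
    match choose_roots(pinned.as_deref(), CANDIDATES, true) {
        Ok(RootSource::Native(p)) => println!("system roots found at {}", p.display()),
        Ok(RootSource::Webpki) => println!("no system bundle found, using compiled-in roots"),
        Err(e) => eprintln!("refusing to start: {e}"),
    }
}
```

A caller would map `RootSource::Native` to `with_native_roots()` and `RootSource::Webpki` to `with_webpki_roots()` when building the connector.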
