
Corporate Proxy results in BadCertificate Alert #20668

Closed twihno closed 9 months ago

twihno commented 1 year ago

Describe the bug

A corporate proxy with its own HTTPS certificate results in the error/alert `Sending fatal alert BadCertificate` on the command line. The proxy cert is signed by the corporate CA, whose root certificate is imported into the OS cert store.

(Somewhat related to denoland/deno#11491)

Steps to Reproduce

start.sh

#!/bin/bash
# Reproduction launcher: trust the OS certificate store (where the corporate
# proxy's root CA lives) in addition to Mozilla's bundle, then run test.ts.

DENO_TLS_CA_STORE=system,mozilla
export DENO_TLS_CA_STORE

# -Ldebug prints the rustls handshake lines that show the BadCertificate alert.
deno run -Ldebug --allow-env --allow-net ./test.ts

test.ts

import { serve } from "https://deno.land/std@0.167.0/http/server.ts";

/**
 * Minimal request handler for the reproduction: the incoming request is
 * ignored and every call is answered with the same fixed greeting body.
 *
 * @param req - incoming request (unused)
 * @returns a Response whose body is "Hello, World!"
 */
function handler(req: Request): Response {
  const greeting = "Hello, World!";
  return new Response(greeting);
}

// Start the std HTTP server with `handler`; the log output below shows it listening on port 8000.
serve(handler);

Output

$ ./start.sh 
DEBUG RS - deno::js:31 - Deno isolate init with snapshots.
DEBUG JS - args []
DEBUG RS - deno::worker:64 - main_module file:///<path>/test.ts
DEBUG RS - deno::proc_state:294 - Preparing module load.
DEBUG RS - deno::cache::parsed_source:146 - Loading cached module analyzer.
DEBUG RS - deno::proc_state:378 - Creating module graph.
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: file://<path>/test.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted read access to "<path>/test.ts"
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/http/server.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/http/server.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/http/server.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/mod.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/mod.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/mod.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/abortable.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/abortable.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/abortable.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/deadline.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/deadline.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/deadline.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/debounce.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/debounce.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/debounce.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/deferred.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/deferred.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/deferred.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/delay.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/mux_async_iterator.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/mux_async_iterator.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/mux_async_iterator.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/pool.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/pool.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/pool.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/retry.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/retry.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/retry.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/tee.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/tee.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/tee.ts
DEBUG RS - deno::proc_state:470 - Prepared module load.
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "0.0.0.0:8000"
Listening on http://localhost:8000/
DEBUG RS - deno_runtime::worker:320 - received module evaluate Ok(
    Ok(
        (),
    ),
)
DEBUG RS - reqwest::connect:560 - starting new connection: https://dl.deno.land/
DEBUG RS - rustls::client::hs:56 - No cached session for DnsName(DnsName(DnsName("dl.deno.land")))
DEBUG RS - rustls::client::hs:128 - Not resuming any session
DEBUG RS - rustls::client::hs:453 - ALPN protocol is None
DEBUG RS - rustls::client::hs:584 - Using ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
DEBUG RS - rustls::client::tls12::server_hello:82 - Server supports tickets
DEBUG RS - rustls::client::tls12:418 - ECDHE curve is ECParameters { curve_type: NamedCurve, named_group: X25519 }
DEBUG RS - rustls::client::tls12:709 - Server DNS name is DnsName(DnsName(DnsName("dl.deno.land")))
Sending fatal alert BadCertificate

Expected behavior

No error message

Additional question: Why does Deno try to connect to https://dl.deno.land?

Environment

lino-levan commented 1 year ago

@kt3k do you think this one is still valid? My feeling is that it's probably stale.

kt3k commented 1 year ago

I think this is a Deno CLI issue and still valid.

Why does Deno try to connect to https://dl.deno.land/?

The upgrade checker checks https://dl.deno.land/release-latest.txt to see if there's a new release https://github.com/denoland/deno/blob/bb4b00df929a84d0302659700b97160f0fdbab78/cli/tools/upgrade.rs#L451

lino-levan commented 1 year ago

Thanks for the clarification.

iuioiua commented 11 months ago

@twihno, does this issue still happen when you use Deno.serve()?

twihno commented 9 months ago

Sorry for the late reply. It seems to be resolved. I don't get the error anymore and Deno behaves as expected (with the system cert store env variable set).

The log of the example with the current Deno and std versions (note: I just copied the example from this issue and removed the explicit std version to get the current one, because I was too lazy to look up the correct version; hence the warning about the implicit std version):

DEBUG RS - deno::args::package_json:151 - No package.json file found
DEBUG RS - deno::cache::cache_db:130 - Opening cache /home/schuthom/.cache/deno/dep_analysis_cache_v1...
DEBUG RS - deno::cache::cache_db:130 - Opening cache /home/schuthom/.cache/deno/node_analysis_cache_v1...
DEBUG RS - deno::js:11 - Deno isolate init with snapshots.
DEBUG RS - deno::worker:156 - main_module file:///home/schuthom/teest/test.ts
DEBUG RS - deno::module_loader:124 - Preparing module load.
DEBUG RS - deno::module_loader:145 - Creating module graph.
DEBUG RS - deno::file_fetcher:550 - FileFetcher::fetch() - specifier: file:///home/schuthom/teest/test.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted read access to "/home/schuthom/teest/test.ts"
DEBUG RS - deno::file_fetcher:550 - FileFetcher::fetch() - specifier: https://deno.land/std/http/server.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:344 - FileFetcher::fetch_remote() - specifier: https://deno.land/std/http/server.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std/http/server.ts
DEBUG RS - reqwest::connect:429 - starting new connection: https://deno.land/
DEBUG RS - reqwest::async_impl::client:2396 - redirect policy disallowed redirection to 'https://deno.land/std@0.212.0/http/server.ts'
Warning Implicitly using latest version (0.212.0) for https://deno.land/std/http/server.ts
DEBUG RS - deno::http_util:59 - Redirecting to "/std@0.212.0/http/server.ts"...
DEBUG RS - deno::file_fetcher:344 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.212.0/http/server.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.212.0/http/server.ts
DEBUG RS - deno::file_fetcher:550 - FileFetcher::fetch() - specifier: https://deno.land/std@0.212.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:344 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.212.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.212.0/async/delay.ts
DEBUG RS - deno::npm::managed::resolution:314 - Snapshot already up to date. Skipping pending resolution.
DEBUG RS - deno::module_loader:217 - Prepared module load.
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "0.0.0.0:8000"
Listening on http://localhost:8000/
DEBUG RS - deno_runtime::worker:587 - received module evaluate Ok(
    (),
)