Closed davidMcneil closed 4 years ago
That code is only parsing the first certificate out of the ca-certificates.crt file. Is www.rust-lang.org's root the first entry in that file?
Aha! That explains it. Thank you! ... For those interested the working code that uses the pem
crate can be found below. Would you be interested in a PR that adds the ability to make a Vec
of Certificate
s from a buffer? I would essentially copy the functionality from rustls
here.
Thanks again! I really apreciate your time.
use reqwest::{blocking::ClientBuilder, Certificate};
fn main() -> Result<(), Box<dyn std::error::Error>> {
let mut client = ClientBuilder::new();
let certs = "/usr/lib/ssl/certs/ca-certificates.crt";
let certs = std::fs::read(certs)?;
let certs = pem::parse_many(certs);
for cert in certs.iter() {
let cert = Certificate::from_der(&cert.contents)?;
client = client.add_root_certificate(cert);
}
let client = client.build()?;
println!("SSL_CERT_FILE {:?}", std::env::var("SSL_CERT_FILE"));
println!("SSL_CERT_DIR {:?}", std::env::var("SSL_CERT_DIR"));
let url = "https://www.rust-lang.org/";
let response = client.get(url).send()?;
println!("Status {}", response.status());
Ok(())
}
Looks like someone beat me to it in #168.
add_root_certificate
does not seem to add a certificate whenSSL_CERT_FILE
is not set or points to an invalid path. Consider the example program below usingreqwest
.This works fine when running
cargo run
. However, runningenv SSL_CERT_FILE=/a/bad/path cargo run
produces the errorunable to get local issuer certificate
. Switching to userustls
instead of thenative-tls
backend works.This is obviously a very contrived example, but this situation does arise when vendoring openssl with the
vendored
feature and running on a system withoutopenssl
installed. In this case,openssl-probe
is unable to set theSSL_CERT_FILE
env var leading to the same behavior as when it is set to an invalid path.