Failed to build HTTP client, could not load PEM file

[mattmess1221]

All commands that connect to the internet are failing when trying to load the local CAFILE. I do have some private certs installed, so it may be related.

Command: uv venv --seed
Platform: Debian 10
UV Version: 0.1.5
ca-certificates.crt

The cafile loaded fine in uv 0.1.2, so this is a regression.

Error output:

$ uv --version
uv 0.1.5
$ RUST_BACKTRACE=full uv venv --seed 
Using Python 3.11.0 interpreter at /usr/software/pkgs/Python-3.11.0/bin/python3.11
Creating virtualenv at: .venv
thread 'main' panicked at crates/uv-client/src/registry_client.rs:87:33:
Failed to build HTTP client.: reqwest::Error { kind: Builder, source: Custom { kind: InvalidData, error: "Could not load PEM file \"/usr/lib/ssl/certs/ca-certificates.crt\": Invalid byte 32, offset 0." } }
stack backtrace:
   0:     0x55ed8874602c - <unknown>
   1:     0x55ed88779150 - <unknown>
   2:     0x55ed88741f4f - <unknown>
   3:     0x55ed88745e14 - <unknown>
   4:     0x55ed88747c77 - <unknown>
   5:     0x55ed887479df - <unknown>
   6:     0x55ed887480f8 - <unknown>
   7:     0x55ed88747fde - <unknown>
   8:     0x55ed887464f6 - <unknown>
   9:     0x55ed88747d42 - <unknown>
  10:     0x55ed87792cf5 - <unknown>
  11:     0x55ed87793233 - <unknown>
  12:     0x55ed87e42a26 - <unknown>
  13:     0x55ed87af85ec - <unknown>
  14:     0x55ed87afda1d - <unknown>
  15:     0x55ed87adac96 - <unknown>
  16:     0x55ed879e7776 - <unknown>
  17:     0x55ed87b23831 - <unknown>
  18:     0x55ed878436e3 - <unknown>
  19:     0x55ed87ac5499 - <unknown>
  20:     0x55ed88737937 - <unknown>
  21:     0x55ed87ac548e - <unknown>
  22:     0x7f20f290ad0a - __libc_start_main
  23:     0x55ed87793549 - <unknown>
  24:                0x0 - <unknown>

[mattmess1221]

Likely introduced by #1512

[zanieb]

Presumably the certificate was not being loaded at all prior to #1512, is it a valid certificate? This might be an upstream bug.

I wonder if we can fallback to using bundled certificates if we fail to load the system store like this, cc @BurntSushi

[mattmess1221]

curl/openssl is able to load it fine, so I would assume so.

[zanieb]

I'm not sure what to do about this, unfortunately. You may need to open this as an issue upstream or do some more debugging yourself. We're not in control of certificate validation.

[mattmess1221]

I figured out the issue was caused by there being indentation in the pem file (for some reason). I've created an issue upstream at rustls/pemfile#40

[zanieb]

Thank you!

[mattmess1221]

The bug was fixed in rustls-pemfile v2.1.1, however reqwest is still using v1.0.

Likely blocked by seanmonstar/reqwest#2136

[zanieb]

Thank you for checking back in @killjoy1221!

We're on rustls-pemfile v2.1.2 now.