
Can't use a self-signed certificate without using danger_accept_invalid_certs #1554

Open
mrcz opened this issue Jun 5, 2022 · 10 comments
Labels
B-upstream Blocked: upstream. Depends on a dependency to make a change first.

Comments

@mrcz

mrcz commented Jun 5, 2022

I'm trying to POST to an external HTTP server which uses a self-signed certificate. I have put this certificate in a PEM file that I read using Certificate::from_pem and pass to Client::builder(). This worked on macOS using native TLS, but after I switched to rustls-tls I need to also call (on both macOS and Linux):

Client::builder()
    // ...
    .add_root_certificate(config.server_certificate)
    .danger_accept_invalid_certs(true)      // <- required with rustls-tls
    .use_rustls_tls();                      // <- required with rustls-tls

Why is this? I don't want to accept invalid certificates, just trust the provided server certificate. (There is no chain of certificates, just one)

The error I get is:

source: hyper::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificateData("invalid peer certificate: UnknownIssuer") } })

@seanmonstar
Owner

I don't know what the exact reason is, but sounds like something to file with the rustls repo.

@seanmonstar seanmonstar added the B-upstream Blocked: upstream. Depends on a dependency to make a change first. label Jun 8, 2022
@agu3rra

agu3rra commented Oct 25, 2022

I am facing the exact same issue @mrcz. Did you figure out how to fix it? If so, can you share your solution here?

@mrcz
Author

mrcz commented Oct 25, 2022

No sorry, I did not solve it.

@gliderkite

gliderkite commented Mar 28, 2023

I was having a similar issue where when using cURL to query the server everything was working as expected, but I was getting the error InvalidCertificateData("invalid peer certificate: UnknownIssuer") with

reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }

unless I created the client by setting .danger_accept_invalid_certs(true).

I solved it by changing the feature to rustls-tls-native-roots.

@git-noise

Hello,
@agu3rra @mrcz

Not too sure if it helps, but on my end I have no issue in using something like the following:

ClientBuilder::new()
  .add_root_certificate(server_certificate)
  .use_rustls_tls()
  .min_tls_version(Version::TLS_1_3)
  .build()

I do not think that using danger_accept_invalid_certs() is necessary.

@mrcz
Author

mrcz commented Jun 16, 2023

Thanks for helping out; however, I tried again now, and I still get the error InvalidCertificate(UnknownIssuer) unless I use danger_accept_invalid_certs(). So server_certificate is self-signed in your case and it still works?

@git-noise

Oh wait, I re-read your initial issue more carefully. In my case it is not a self-signed certificate; it is a certificate signed by a self-signed chain, and I pass the chain. Sorry for the noise; it probably won't solve anything for you unless you have at least one level of signature, so to speak. My code snippet should read more like:

ClientBuilder::new()
  .add_root_certificate(chain_certificate)
  .use_rustls_tls()
  .min_tls_version(Version::TLS_1_3)
  .build()
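Added example, not code from reqwest, rustls, or anyone in this thread: a std-only Rust diagnostic that reads a DER-encoded certificate and reports the two structural properties the comments above turn on, whether it is self-signed (issuer and subject Names compared byte for byte, which is how webpki matches a certificate's issuer against a trust anchor's subject) and whether it carries BasicConstraints CA:TRUE. A single self-signed server certificate (the original report) shows as self-signed without the CA flag; the root of a private CA that issued a separate server certificate (the shape described as working above) shows as self-signed with CA:TRUE, and the leaf it issued shows as neither. The `sample_cert` builder is a constructed stand-in with placeholder key and signature fields, present only so the program runs offline; `inspect`, `CertShape`, and the file path argument are this example's own names.

```rust
// Added diagnostic (not reqwest/rustls code): inspect a DER X.509 certificate
// and report whether it is self-signed and whether it is a CA. Std only.
use std::fs;

/// Minimal DER TLV reader: (tag, contents, remaining bytes).
fn tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let tag = *input.first()?;
    let first_len = *input.get(1)?;
    let (len, hdr) = if first_len < 0x80 {
        (first_len as usize, 2)
    } else {
        let n = (first_len & 0x7f) as usize; // long form: n length bytes follow
        if n == 0 || n > 4 || input.len() < 2 + n {
            return None;
        }
        let len = input[2..2 + n].iter().fold(0usize, |acc, b| (acc << 8) | *b as usize);
        (len, 2 + n)
    };
    let end = hdr.checked_add(len)?;
    if input.len() < end {
        return None;
    }
    Some((tag, &input[hdr..end], &input[end..]))
}

/// Require a TLV with tag `want`; returns (contents, remaining bytes).
fn expect(input: &[u8], want: u8) -> Option<(&[u8], &[u8])> {
    match tlv(input)? {
        (tag, body, rest) if tag == want => Some((body, rest)),
        _ => None,
    }
}

const BASIC_CONSTRAINTS_OID: &[u8] = &[0x55, 0x1d, 0x13]; // id-ce-basicConstraints (2.5.29.19)

#[derive(Debug, PartialEq)]
pub struct CertShape {
    pub self_signed: bool, // issuer Name == subject Name, byte for byte
    pub is_ca: bool,       // BasicConstraints present with cA = TRUE
}

/// Walk tbsCertificate (RFC 5280 section 4.1) far enough to read issuer, subject and extensions.
pub fn inspect(der: &[u8]) -> Option<CertShape> {
    let (cert, _) = expect(der, 0x30)?; // Certificate ::= SEQUENCE
    let (mut tbs, _) = expect(cert, 0x30)?; // tbsCertificate
    if let Some((_, rest)) = expect(tbs, 0xa0) {
        tbs = rest; // [0] EXPLICIT version, optional
    }
    let (_, rest) = expect(tbs, 0x02)?; // serialNumber
    let (_, rest) = expect(rest, 0x30)?; // signature AlgorithmIdentifier
    let (issuer, rest) = expect(rest, 0x30)?; // issuer Name
    let (_, rest) = expect(rest, 0x30)?; // validity
    let (subject, rest) = expect(rest, 0x30)?; // subject Name
    let (_, mut rest) = expect(rest, 0x30)?; // subjectPublicKeyInfo
    let mut is_ca = false;
    // Skip optional [1]/[2] uniqueID fields; [3] holds the extensions.
    while let Some((tag, body, next)) = tlv(rest) {
        rest = next;
        if tag == 0xa3 {
            is_ca = basic_constraints_ca(body).unwrap_or(false);
            break;
        }
    }
    Some(CertShape { self_signed: issuer == subject, is_ca })
}

/// Find BasicConstraints in Extensions ::= SEQUENCE OF Extension and read its cA flag.
fn basic_constraints_ca(extensions: &[u8]) -> Option<bool> {
    let (mut exts, _) = expect(extensions, 0x30)?;
    while let Some((ext, next)) = expect(exts, 0x30) {
        exts = next;
        let (oid, after_oid) = expect(ext, 0x06)?;
        if oid != BASIC_CONSTRAINTS_OID {
            continue;
        }
        // Optional `critical BOOLEAN`, then extnValue OCTET STRING wrapping
        // BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint OPTIONAL }
        let after_critical = match expect(after_oid, 0x01) {
            Some((_, rest)) => rest,
            None => after_oid,
        };
        let (value, _) = expect(after_critical, 0x04)?;
        let (bc, _) = expect(value, 0x30)?;
        return Some(matches!(expect(bc, 0x01), Some((flag, _)) if flag == &[0xff][..]));
    }
    Some(false)
}

/// DER-encode `body` under `tag` (short or two-byte long length is enough for the sample).
fn der(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    match body.len() {
        n if n < 0x80 => out.push(n as u8),
        n if n < 0x100 => out.extend_from_slice(&[0x81, n as u8]),
        n => out.extend_from_slice(&[0x82, (n >> 8) as u8, n as u8]),
    }
    out.extend_from_slice(body);
    out
}

/// Constructed sample: the DER shape of a v3 certificate with placeholder key and
/// signature fields, so it is not a usable certificate, only a test input for `inspect`.
pub fn sample_cert(issuer_cn: &str, subject_cn: &str, ca: bool) -> Vec<u8> {
    // Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID commonName, UTF8String }
    let name = |cn: &str| {
        let atv = [der(0x06, &[0x55, 0x04, 0x03]), der(0x0c, cn.as_bytes())].concat();
        der(0x30, &der(0x31, &der(0x30, &atv)))
    };
    let mut tbs = Vec::new();
    tbs.extend(der(0xa0, &der(0x02, &[2]))); // version v3
    tbs.extend(der(0x02, &[1])); // serialNumber
    tbs.extend(der(0x30, &der(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]))); // sha256WithRSA
    tbs.extend(name(issuer_cn));
    tbs.extend(der(0x30, &[der(0x17, b"240208103240Z"), der(0x17, b"270207103240Z")].concat()));
    tbs.extend(name(subject_cn));
    tbs.extend(der(0x30, &der(0x03, &[0]))); // subjectPublicKeyInfo placeholder
    if ca {
        let bc = der(0x30, &der(0x01, &[0xff])); // { cA TRUE }
        let ext = [der(0x06, BASIC_CONSTRAINTS_OID), der(0x01, &[0xff]), der(0x04, &bc)].concat();
        tbs.extend(der(0xa3, &der(0x30, &der(0x30, &ext))));
    }
    der(0x30, &[der(0x30, &tbs), der(0x30, &[]), der(0x03, &[0])].concat())
}

fn main() {
    let der_bytes = match std::env::args().nth(1) {
        Some(path) => fs::read(&path).expect("read DER certificate"),
        None => sample_cert("Example Root CA", "Example Root CA", true),
    };
    match inspect(&der_bytes) {
        Some(shape) => println!("self_signed={} ca={}", shape.self_signed, shape.is_ca),
        None => println!("could not parse input as a DER certificate"),
    }
}
```

Run it with no argument to see the constructed root-CA sample; for a real file, convert PEM first with `openssl x509 -in ca.crt -outform der -out ca.der` and pass `ca.der`. A result of `self_signed=true ca=false` for the very certificate the server presents is the single-certificate shape this thread reports as failing with rustls-tls, while `self_signed=true ca=true` is a root you hand to add_root_certificate with a separately issued leaf on the server; as yanns's Elastic CA below shows, the CA flag alone does not guarantee success, so treat the check as a way to rule out the first case before looking elsewhere.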

@jregistr

jregistr commented Jul 2, 2023

FWIW, I also got this error

error trying to connect: invalid peer certificate: UnknownIssuer

but I got this while running my code in a container on Google Cloud Run. Installing ca-certificates in my container fixed it:

RUN apt-get update && apt-get install -y ca-certificates

zanieb added a commit to astral-sh/uv that referenced this issue Feb 16, 2024
BurntSushi pushed a commit to astral-sh/uv that referenced this issue Feb 16, 2024
Closes #1474 

Using the `rustls-tls-native-roots` feature

> `rustls-tls`: Enables TLS functionality provided by rustls. Equivalent to rustls-tls-webpki-roots.
>
> `rustls-tls-webpki-roots`: Enables TLS functionality provided by rustls, while using root certificates from the webpki-roots crate.
>
> `rustls-tls-native-roots`: Enables TLS functionality provided by rustls, while using root certificates from the rustls-native-certs crate.

Additional context:

- seanmonstar/reqwest#1554
- encode/httpx#302
- [Should I use the native certs or webpki-roots?](https://github.com/rustls/rustls-native-certs#should-i-use-this-or-webpki-roots)

Prior discussion at #609
@yanns

yanns commented Feb 19, 2024

I have the same issue.
Using the CA cert with curl works:

curl -s --cacert ../../certs/ca/ca.crt https://localhost:9205
{
  "name" : "604c12e703ea",
  "cluster_name" : "pim-search",
  "cluster_uuid" : "70ESRV2DTgeOsl_rqTlfNQ",
  "version" : {
    "number" : "8.5.1",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "c1310c45fc534583afe2c1c03046491efba2bba2",
    "build_date" : "2022-11-09T21:02:20.169855900Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.1",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Using it from scala works:

val trustManager = PemUtils.loadCertificate(certFiles: _*)

val sslFactory = SSLFactory.builder
  .withDefaultTrustMaterial()
  .withTrustMaterial(trustManager)
  .build

val clientContext = SslContextBuilder
  .forClient()
  .trustManager(sslFactory.getTrustManager.get())
  .build()

But I cannot get it to work with reqwest.
I've tried different options (tls_built_in_root_certs: yes/no, trying rustls-tls-native-roots...).

Here are the details of the certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:77:2b:12:62:81:76:48:a4:17:8d:d8:c0:47:6d:a8:8b:c5:78:55
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Elastic Certificate Tool Autogenerated CA
Validity
Not Before: Feb  8 10:32:40 2024 GMT
Not After : Feb  7 10:32:40 2027 GMT
Subject: CN = Elastic Certificate Tool Autogenerated CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:fb:56:85:06:f5:3b:c0:66:7d:d9:a0:1e:c8:2f:
90:4b:db:84:18:3b:1f:ba:6a:29:a3:d4:e3:b4:d5:
d7:d9:2f:ac:45:1f:91:fc:db:81:7e:d6:43:61:0c:
ec:3e:84:be:be:d5:80:79:78:af:c2:93:01:f3:fd:
5a:bb:96:24:c4:60:65:08:49:a0:1f:34:a9:0e:cf:
86:a3:fb:ec:f0:8b:24:ab:3d:26:c7:ed:d3:de:9c:
be:b4:2a:3d:a4:c8:5e:d3:80:7b:07:84:b9:a2:f3:
d8:9e:30:31:d3:5a:8a:cd:3d:44:1f:d7:0e:95:1f:
87:d6:ac:ed:7f:66:89:68:4d:24:8c:fe:c6:b5:36:
7a:e8:23:7c:3e:1c:53:3c:2f:a9:39:80:43:ed:f6:
3a:7e:4d:4c:66:64:d6:fc:ff:8f:c7:d7:50:7e:89:
24:0e:46:7e:df:5f:33:38:44:34:b3:d5:cf:60:a4:
53:6c:5a:8d:ed:f5:98:f6:78:55:52:2c:bc:34:6d:
2c:b4:bc:23:c2:6a:f9:54:c7:88:9f:0b:cf:c7:8f:
64:63:a5:87:31:97:fb:cc:8f:2a:08:d4:30:59:46:
66:62:0e:b3:82:a4:df:84:e2:67:c0:3c:09:5b:52:
6e:c6:98:c4:e0:a3:04:3d:94:ee:72:00:2a:90:99:
8d:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D8:E4:FE:F0:46:6F:80:0F:39:38:AC:1B:66:F6:FC:5B:88:D1:C4:00
X509v3 Authority Key Identifier:
D8:E4:FE:F0:46:6F:80:0F:39:38:AC:1B:66:F6:FC:5B:88:D1:C4:00
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
43:46:3f:eb:34:98:79:78:20:c0:bb:4c:c0:25:99:04:f7:e4:
0a:ea:ea:e1:ac:3b:ff:ee:cb:11:e1:d7:25:ec:f5:8d:6b:b0:
19:39:da:40:b8:cd:1a:fd:fe:a7:96:c9:c5:e2:12:45:17:5c:
ce:52:72:1b:2c:12:ef:fc:1f:8c:dc:da:bc:94:eb:c4:69:55:
9c:c4:d9:93:96:6e:3f:4d:f7:b4:d9:28:c2:3c:13:f3:90:85:
f2:2c:fa:b9:21:e9:d0:bd:d4:3f:bf:68:c2:5b:4e:3b:17:c2:
0f:65:11:47:4c:95:98:27:71:e2:fc:5e:22:7e:a8:2a:3e:53:
02:71:ed:86:d5:f6:44:4c:46:50:84:95:1b:9d:16:f8:0e:1e:
a1:34:1c:09:80:c5:53:b3:69:ae:ff:20:4e:39:eb:d6:80:e0:
e9:ed:fb:00:82:e8:47:e3:6f:ec:b5:17:c0:72:1b:98:4b:6a:
47:26:0d:02:9e:49:fb:ac:00:e9:f3:48:c4:28:e0:6b:a0:52:
e9:49:c3:79:5d:9f:2e:f9:f5:b9:be:5e:31:7b:d2:6d:e8:ed:
9f:cc:35:9a:50:a5:56:76:c2:53:60:0f:ec:7e:04:5e:ea:19:
50:c3:74:c6:39:2d:76:22:aa:4a:70:f9:e5:62:4d:79:78:56:
4f:37:de:f9

If someone has an idea. I'd rather not use danger_accept_invalid_certs.

@timzaak

timzaak commented Jun 29, 2024

When I used the self-signed certificate created by the Rancher script, everything is ok.

ClientBuilder::new()
    .use_rustls_tls()
    .add_root_certificate(get_root_cert(get_test_dir().join("pebble/certs/pebble.minica.pem")))
    .add_root_certificate(get_root_cert(get_test_dir().join("cert/cacerts.pem")))
    .build()

When I use Let's Encrypt Pebble to create the certificate, it has problems (InvalidCertificate(UnknownIssuer)).
The CA is pebble.minica.pem, and I tested it with OpenSSL; nothing is wrong.

openssl s_client -showcerts -CAfile ./pebble.minica.pem -servername local.fornetcode.com -connect local.fornetcode.com:8443

What's more, I use ureq to get the Pebble certificate with CA file pebble.minica.pem, and it's ok. The code is here.

The failing CI job is here: https://github.com/ForNetCode/spa-server/actions/runs/9725549520/job/26843000105

luckysori added a commit to luckysori/lnurl-pay that referenced this issue Jul 25, 2024
8 participants