aprimadi/influxdb2

Request to add additional root certificates

3BK opened this issue · 9 comments

3BK commented
    .add_root_certificate(cert)

Please advise if you would like me to supply the change.

3BK commented

Not adding additional root certificates breaks the app.
Adding additional root certificates to the OS breaks the compiler.

I'm curious what is the motivation for this?

3BK commented

The motivation is to avoid breaking the rust compiler and your influxdb2 client.

Elaboration:

  • Those new to influxdb2 may install influxdb2 OSS locally.
    • At present, by design:
      - IF/WHEN a self-signed CA has been added to the target: rust appears to emit an error and refuse to compile
    • At present, by design, your client:
      - will not connect to the server, unless it trusts the server's CA
      - will not accept additional trusted root certificates to establish trust,
      - meaning:
      - If/WHEN the server's CA is self-signed, the CA needs to be installed on the target - breaking the compiler
      - meaning:
      - we have a conundrum
    • it is my recommendation that we resolve the conundrum as follows:
      - add the ability to allow the client to accept additional certificates so that your client can increase its "marketshare"

Anyone else having the same issue? I've never experienced this issue even when installing influxdb2 locally or using Docker.

When using Docker sometimes it shows the problem of not having the correct certificate but it can be solved by installing the SSL package.

Since installing a CA certificate is at the network level, can't it be handled at the network level? Like by passing in a connection factory that first downloads the CA certificate.

Anyway, this is suspect since I don't believe it should be handled at the library level, since CA certificates should be handled at the network level. A pull request is welcome but no guarantee I'll accept it.

3BK commented

I have attached the proposed change above.

Yeah, looking at the code, I believe this shouldn't be part of the Influxdb2 library because the user is able to achieve the same thing by just instantiating a reqwest::Client and creating an influxdb2::Client manually.

3BK commented

Can you please elaborate?

3BK commented

It sounds like you are saying fork the code base.