azat/chdig

Looks like rustls doesn't support Let's Encrypt wildcard certs

Slach opened this issue · 4 comments

The latest build doesn't work.
0.6.1 works fine.

Steps to reproduce

curl -o /tmp/chdig-latest_amd64.deb -L https://github.com/azat/chdig/releases/download/latest/chdig-latest_amd64.deb
sudo dpkg -i /tmp/chdig-latest_amd64.deb

RUST_BACKTRACE=1 chdig --url="tcp://demo:demo@github.demo.altinity.cloud:9440/?secure=true"

returns

Error: Cannot connect to ClickHouse at tcp://demo@github.demo.altinity.cloud:9440/?secure=true (Connections error: `Input/output error: `invalid peer certificate: UnknownIssuer``)

without a stacktrace ;(

I tried searching for UnknownIssuer in the rustls repo.
First I found rustls/rustls#841 (comment),
but our certs contain a SAN

openssl s_client -connect github.demo.altinity.cloud:9440 </dev/null | openssl x509 -noout -text | grep DNS

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.demo.altinity.cloud
verify return:1

DNS:*.demo.altinity.cloud, DNS:*.internal.demo.altinity.cloud
           Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.demo.altinity.cloud, DNS:*.internal.demo.altinity.cloud
azat commented

First of all thank you for the demo host!

without a stacktrace ;(

I do have a stacktrace, maybe the problem is Windows + the crossterm backend.

I tried searching for UnknownIssuer in the rustls repo.

This error should be a sign of an invalid issuer, so it does not know some root cert in the chain.

but our certs contain a SAN

Subject Alternative Name is supported by rustls, as are wildcards.

For now the unsafe workaround is to add skip_verify=true to --url; in the meantime I will take a look at how to fix it properly.

Slach commented

I do have a stacktrace, maybe the problem is Windows + the crossterm backend.

No, I got the error under Ubuntu Linux, installed from chdig-latest_amd64.deb.

This error should be a sign of an invalid issuer, so it does not know some root cert in the chain.

But 0.6.1 works fine. Or is skip_verify=true the default in 0.6.1?

azat commented

Or is skip_verify=true the default in 0.6.1?

No, 0.6.1 does not have rustls.
Anyway, the problem has been fixed in #41.
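The point the thread settles on is that rustls's `UnknownIssuer` means the client could not link the server's chain to a root it trusts; the wildcard SAN was never the problem. The script below is an added example, not code from the thread or from chdig, that reproduces that distinction offline with OpenSSL, whose wording for the same verdict is "unable to get local issuer certificate". Every certificate, key, file path and the second "Unrelated Root" in it are constructed for the demonstration, the `verdict` helper is hypothetical, and it assumes a standard `openssl` CLI (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example (not from the issue thread or the chdig project): reproduce,
# offline, what "invalid peer certificate: UnknownIssuer" actually means.
# Constructed data: a throwaway root CA that signs the leaf, an unrelated
# second root, and a wildcard leaf carrying the SAN list pasted in the issue.
# Assumes a standard openssl CLI (1.1.1 or 3.x) on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_chain: issue root.pem (the real issuer), other.pem (a root that never
# signed anything here) and leaf.pem signed by root.pem with the wildcard SAN.
make_chain() {
    # Root that actually signed the leaf (plays the role of ISRG Root X1).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    # A root a client might trust instead; stands in for a root store that
    # simply lacks the issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Unrelated Root" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
    # Leaf CSR with the same CN as the cert in the thread.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.demo.altinity.cloud" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    # SAN list copied from the openssl output pasted in the issue.
    printf 'subjectAltName=DNS:*.demo.altinity.cloud,DNS:*.internal.demo.altinity.cloud\n' \
        > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf STORE HOSTNAME: chain-verify leaf.pem against the trust store
# STORE and match HOSTNAME against the SAN. Prints openssl's verdict and
# returns 0 on success, 1 on failure (safe to call under set -e in an if).
verify_leaf() {
    if out="$(openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.pem" 2>&1)"; then
        printf '%s\n' "$out"
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# verdict STORE HOSTNAME (hypothetical helper): classify the outcome so a
# trust-store problem is not mistaken for a name problem, as in the thread.
verdict() {
    out="$(verify_leaf "$1" "$2" || true)"
    case "$out" in
        *"unable to get local issuer certificate"*) echo unknown_issuer ;;
        *"Hostname mismatch"*)                       echo hostname_mismatch ;;
        *": OK"*)                                   echo ok ;;
        *)                                          echo other ;;
    esac
}

make_chain

# Same leaf, same wildcard SAN, three different questions:
echo "trusted root,   github.demo.altinity.cloud : $(verdict "$WORK/root.pem"  github.demo.altinity.cloud)"
echo "unrelated root, github.demo.altinity.cloud : $(verdict "$WORK/other.pem" github.demo.altinity.cloud)"
echo "trusted root,   a.b.demo.altinity.cloud    : $(verdict "$WORK/root.pem"  a.b.demo.altinity.cloud)"
```

The second line is the situation in the issue: the name matches the wildcard, but the verifier's root store does not contain the issuer, so the chain is rejected before names are even compared. The third line shows the only thing a wildcard cannot do, which is cover more than one label. On the client side the fix is to give the verifier a root store that contains the issuer; skip_verify=true makes the connection succeed by not authenticating the server at all.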