Looks like rustls doesn't support Letsencrypt wildcard certs
Slach opened this issue · 4 comments
Latest build doesn't work
0.6.1 works fine
Steps to reproduce
```
curl -o /tmp/chdig-latest_amd64.deb -L https://github.com/azat/chdig/releases/download/latest/chdig-latest_amd64.deb
sudo dpkg -i /tmp/chdig-latest_amd64.deb
RUST_BACKTRACE=1 chdig --url="tcp://demo:demo@github.demo.altinity.cloud:9440/?secure=true"
```
returns
```
Error: Cannot connect to ClickHouse at tcp://demo@github.demo.altinity.cloud:9440/?secure=true (Connections error: `Input/output error: `invalid peer certificate: UnknownIssuer``)
```
without stacktrace ;(
I tried to search for UnknownIssuer in the rustls repo
first found rustls/rustls#841 (comment)
but our certs contain a SAN
```
openssl s_client -connect github.demo.altinity.cloud:9440 | openssl x509 -noout -text | grep DNS
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.demo.altinity.cloud
verify return:1
DNS:*.demo.altinity.cloud, DNS:*.internal.demo.altinity.cloud
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:*.demo.altinity.cloud, DNS:*.internal.demo.altinity.cloud
```
First of all thank you for the demo host!
> without stacktrace ;(
I do have stacktrace, maybe the problem is windows + crossterm backend
> i tried to search UnknownIssuer in rustls repo
This error should be a sign of an invalid issuer, so it does not know some root cert in the chain.
> but our certs contains SAN
Subject Alternative Name is supported by rustls, as well as wildcards.
For now the unsafe workaround is to add `skip_verify=true` into `--url`; in the meantime I will take a look at how to fix it properly.
> I do have stacktrace, maybe the problem is windows + crossterm backend
No, I got the error under Ubuntu Linux, installed from chdig-latest_amd64.deb
> This error should be a sign of invalid issuer, so it does not know some root cert in the chain
But 0.6.1 works well. Or is `skip_verify=true` the default in 0.6.1?