[BUG] CA chain doesn't seem to work
Stargateur opened this issue · 1 comments
Stargateur commented
I followed this to the LETTER: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html. I created my root certificate, my intermediate one, and my final one. Everything works: my PostgreSQL server launches correctly, and I can connect to it with pgAdmin 4 with verify-full using the full chain root certificate ca-chain.cert.pem (and I can't without the file), so it works, but:
```rust
pub async fn new() -> Result<DB> {
    let cert = native_tls::Certificate::from_pem(
        &utils::read(&OPTIONS.postgrepsql.certificate).context(Io)?,
    )
    .context(Tls)?;
    let tls = MakeTlsConnector::new(
        TlsConnector::builder()
            .add_root_certificate(cert)
            .build()
            .context(Tls)?,
    );
    let config = tokio_postgres::Config::from_str(&format!(
        "{} sslmode=require",
        OPTIONS.postgrepsql.config()
    ))
    .context(PostgreSQL)?;
    let manager = Manager::new(config, tls);
    let pool = Pool::from_config(manager, PoolConfig::default());
    Ok(DB { pool })
}

pub fn config(&self) -> String {
    format!(
        "host={} port={} user={} password={}",
        self.host,
        self.port,
        self.user,
        self.password.expose_secret()
    )
}
```
It doesn't work. Linux error:

```
Jul 16 17:10:36.600 DEBUG optomata::internal_server_error: Pool { source: Backend(Error { kind: Tls, cause: Some(Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 337047686, library: "SSL routines", function: "tls_process_server_certificate", reason: "certificate verify failed", file: "ssl/statem/statem_clnt.c", line: 1913 }]))) }, X509VerifyResult { code: 2, error: "unable to get issuer certificate" })) }) }
```
Windows error:

```
Jul 16 18:56:20.468 DEBUG optomata::internal_server_error: Pool { source: Backend(Error { kind: Tls, cause: Some(Os { code: -2146762487, kind: Other, message: "Une chaîne de certificats a été traitée mais s’est terminée par un certificat racine qui n’est pas approuvé par le fournisseur d’approbation." }) }) }
```
Environment:
- OS: Archlinux & Windows 10
- rustc 1.53.0 (53cb7b09b 2021-06-17)
I tried to check and check and double-check everything; I don't understand why it doesn't work.
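
Added example, not part of the original issue or of any project mentioned in it: `native_tls::Certificate::from_pem` parses one certificate per call, so a bundle such as `ca-chain.cert.pem` that holds several certificates has to be split into its PEM blocks before each one is passed to `add_root_certificate`. The std-only splitter below shows that step; the function name `split_pem_certificates` and the sample bundle are assumptions made up for illustration.

```rust
/// Split a PEM bundle into its individual CERTIFICATE blocks (hypothetical helper).
/// Text outside BEGIN/END CERTIFICATE markers (comments, other block types) is skipped.
pub fn split_pem_certificates(bundle: &str) -> Result<Vec<String>, String> {
    const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
    const END: &str = "-----END CERTIFICATE-----";
    let mut certs = Vec::new();
    let mut current: Option<String> = None;
    for (n, raw) in bundle.lines().enumerate() {
        let line = raw.trim();
        if line == BEGIN {
            if current.is_some() {
                return Err(format!("line {}: nested BEGIN CERTIFICATE", n + 1));
            }
            current = Some(format!("{}\n", BEGIN));
        } else if line == END {
            let mut block = current
                .take()
                .ok_or_else(|| format!("line {}: END without BEGIN", n + 1))?;
            block.push_str(END);
            block.push('\n');
            certs.push(block);
        } else if let Some(block) = current.as_mut() {
            block.push_str(line);
            block.push('\n');
        }
    }
    if current.is_some() {
        return Err("unterminated certificate block".to_string());
    }
    if certs.is_empty() {
        return Err("no certificate found in bundle".to_string());
    }
    Ok(certs)
}

// Constructed sample: placeholder base64 bodies, not real certificates.
pub const SAMPLE_BUNDLE: &str = "\
# intermediate\n-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n\
# root\n-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n";

fn main() {
    let certs = split_pem_certificates(SAMPLE_BUNDLE).expect("valid bundle");
    // With native-tls, each block would go through Certificate::from_pem(block.as_bytes())
    // and then TlsConnectorBuilder::add_root_certificate, one call per certificate.
    for (i, block) in certs.iter().enumerate() {
        println!("certificate {}: {} bytes of PEM", i + 1, block.len());
    }
}
```

Failing on an empty or unterminated bundle keeps a truncated trust file from silently producing a connector with fewer trust anchors than intended.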
Stargateur commented
wtf so sorry I totally mixed up my tab