Volta does not use all certificates in the system CA certificate store, making corporate use difficult #1629
Comments
Thanks for flagging this up, @gabrielbauman – it certainly seems reasonable to use the system CA cert store! @charlespierce can likely comment further and possibly point in the right direction for where our implementation internals will need to change to pull that off, but as you might expect he (and most of the rest of us!) are largely on vacation this week.
I think this is likely related to the swap from linking with OpenSSL to using RustTLS statically. Based on a quick search, I think we might need to take a look at using the References:
Hi @gabrielbauman, which version of Volta are you on? In the 1.1.1 Release of Volta, we updated our network handling to use the native certificate store (using the
Sorry, should have included version in the original issue. Happy New Year!
Hi @gabrielbauman, thanks for verifying the version. That's very odd, since as I mentioned, we are currently set up to use the system root certificate store. I wonder if this is a case that the specific certificate is in a format that our underlying HTTPS implementation (attohttpc) doesn't recognize. That's very much a stab in the dark, however, and I'm not at all sure how to test that hypothesis.
It's a bog-standard cert in PEM format. I would be really surprised if that were the issue, especially since wget and other command-line apps work fine. I've now tested this on another laptop running latest Fedora - same issue. Have you tried adding a self-signed cert to your system? Let me know if there's anything I can test for you.
@gabrielbauman Thanks for confirming. That's not surprising, though it makes it harder to really understand what's going on. Out of curiosity, do you know how / where the certificate is installed onto the system? Full disclosure, I'm not an expert in the underpinnings of the certificates, but from reading through the code I'm wondering if it comes down to this issue in one of our transitive dependencies: rustls/rustls-native-certs#9 It looks like on Linux, if the certificate is installed using the "hash directory", where it's put into a specific directory and given a specific name (the hash of the certificate with
Ubuntu wants .pem files, but renamed to .crt. So here's how I install the cert:
This creates two symlinks in /etc/ssl/certs:
As you can see, if a symlink to a root certificate is present in /etc/ssl/certs, Ubuntu uses it. At this point curl, wget and all other system utilities see and accept the certificate; Volta does not. You can see that the "hash" link is created, but there's also a simple
@gabrielbauman Thanks, I think that helps narrow it down! It looks like I'm reaching out to the projects involved (rustls-native-certs and openssl-probe) to see if there's something we can do to make sure the behavior matches that of apps such as As a quick check & potential workaround, does that file (
Yes,
So no, no change with the environment variable set. I did see that node has a similar env var set:
Interesting! That's a major clue, though also a big setback. It seems like it's not related to not finding the certificate, rather it's something else going on that's causing the problem. Setting It seems like it may be something related to the certificate itself. I'll do some deeper digging on the error messages, maybe there's a set of failure conditions we can narrow down that would cause it. Thank you again for the iteration and debugging, it's super helpful!
Happy to help, thanks for taking the time to look at what's definitely an edge case that doesn't affect most users. We know the cert is read by Volta/the crate (regardless of the env variable being set) because the error message in the log complains that it's self-issued: We know that the certificate is in a valid format (of course it is, other apps can also see and use it, and volta is happily parsing it before deciding to ignore it). Something in Volta or a dep is rejecting the cert because it has an unknown issuer - but that's true of all CA roots! They are the ultimate authority. There's no one to issue a CA root. And most CA roots on my system are seen and used by volta. Looking at the certificate, the sig is SHA512 with ECDSA and it is properly marked as a CA (you can download for yourself here). Maybe the error is misleading and there's something about the cert that your dependency can't handle. Let me know if there's anything else I can do to help.
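One way to check the two things the comment above reasons about (is the root self-issued, and which signature algorithm does it declare), as an added example that is not Volta's code or that of any of its dependencies: a minimal, stdlib-only DER walker over a PEM certificate. The certificate it runs on is a constructed, unsigned skeleton built inline for the demonstration; the OID table covers only the algorithms relevant here, and the script inspects structure, not signature validity or the basicConstraints CA flag.

```python
import base64

# Signature-algorithm OIDs a root store commonly carries; the root in this thread declares ecdsa-with-SHA512.
SIG_ALGS = {"1.2.840.10045.4.3.2": "ecdsa-with-SHA256", "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
            "1.2.840.10045.4.3.4": "ecdsa-with-SHA512", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):  # split a SEQUENCE/SET body into its (tag, value) elements
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):  # first byte packs two arcs; the rest are base-128 with a continuation bit
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_ca(pem):
    """Report whether a PEM certificate is self-issued (issuer == subject) and which signature algorithm it declares."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tbs, sig_alg, _sig = children(read_tlv(der, 0)[1])  # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version precedes the serial number when present
        fields = fields[1:]
    _serial, _alg, issuer, _validity, subject = fields[:5]
    oid = decode_oid(children(sig_alg[1])[0][1])
    return {"self_issued": issuer[1] == subject[1], "signature_algorithm": SIG_ALGS.get(oid, oid)}

def der(tag, payload):  # short-form DER TLV encoder, enough for the small constructed sample below
    return bytes([tag, len(payload)]) + payload

def constructed_root_pem():
    """Constructed, unsigned skeleton of a self-issued ECDSA/SHA-512 root (test data, not a real CA)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Test Root"))))  # CN=Test Root
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x04"))  # OID 1.2.840.10045.4.3.4
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + der(0x30, b"") + name + der(0x30, b""))  # version, serial, alg, issuer, validity, subject, spki
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(inspect_ca(constructed_root_pem()))
```

Run it against a real root by passing the contents of the installed `.crt` file to `inspect_ca`; a result of `self_issued: True` with an algorithm a given TLS stack does not implement is the kind of mismatch this thread is narrowing down.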
Ah ha, I think I found the issue! It looks like
It appears there's some active work (or at least active as of a couple weeks ago) in If that work stalls, there's also the possibility of using a different crypto provider—
Has any progress been made on this issue? We have been using Volta for some time until they rolled out WARP and now we have had to revert back to NVM.
Unfortunately, no. The maintainers have all been swamped, and it looks like at least some of what we would need is still blocked upstream, per the comment before this one.
I had to downgrade to v1.08 to be able to use volta again. We have a self-signed certificate along with a proxy and the changes in v1.1 seem to have some breaking changes.
I did this,
Hello!
Volta does not appear to use all certificates installed in the system CA certificate store.
This is a problem for corporate developers who are required to trust a company CA to allow their administrators to see all encrypted traffic. For example, our company uses Cloudflare Zero Trust and their CA root is trusted by my system (Ubuntu).
Here's what this looks like:
The error log shows:
However other apps that DO use all certs in the system CA certificate store work just fine:
Many users, particularly those who've had their laptops set up by an IT department, will be completely unaware that a company CA has been installed or that their SSL traffic is man-in-the-middled by corporate. However, uninstalling the CA or circumventing it are often grounds for disciplinary action.
Could volta please be adjusted to use all CA certificates installed in the system for outbound HTTPS connections?