Looks like rustls doesn't support Letsencrypt wildcard certs #37

Closed
Slach opened this issue Jan 14, 2024 · 4 comments · Fixed by #41
@Slach

Slach commented Jan 14, 2024

Latest build doesn't work
0.6.1 works fine

Steps to reproduce

curl -o /tmp/chdig-latest_amd64.deb -L https://github.com/azat/chdig/releases/download/latest/chdig-latest_amd64.deb
sudo dpkg -i /tmp/chdig-latest_amd64.deb

RUST_BACKTRACE=1 chdig --url="tcp://demo:[email protected]:9440/?secure=true"

returns

Error: Cannot connect to ClickHouse at tcp://[email protected]:9440/?secure=true (Connections error: `Input/output error: `invalid peer certificate: UnknownIssuer``)

without stacktrace ;(

I tried to search for UnknownIssuer in the rustls repo
first found rustls/rustls#841 (comment)
but our certs contain SAN

openssl s_client -connect github.demo.altinity.cloud:9440 | openssl x509 -noout -text | grep DNS

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.demo.altinity.cloud
verify return:1

DNS:*.demo.altinity.cloud, DNS:*.internal.demo.altinity.cloud
           Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.demo.altinity.cloud, DNS:*.internal.demo.altinity.cloud
@azat
Owner

azat commented Jan 15, 2024

First of all thank you for the demo host!

without stacktrace ;(

I do have a stacktrace, maybe the problem is Windows + crossterm backend

I tried to search for UnknownIssuer in the rustls repo

This error should be a sign of an invalid issuer, so it does not know some root cert in the chain

but our certs contain SAN

Subject Alternative Name is supported by rustls, as well as wildcards.

For now the unsafe workaround is to add skip_verify=true to --url; in the meantime I will take a look at how to fix it properly.

@azat azat self-assigned this Jan 15, 2024
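To make the distinction in the comment above concrete, here is an added example (not code from chdig or rustls) that takes the `openssl s_client` verify lines and SAN entries quoted in the issue and tells the two failure classes apart: a hostname that no SAN or wildcard covers versus a chain whose top certificate is not in the client's root store. The constructed inputs are copied from the report; `NotValidForName` is rustls's error variant for a hostname mismatch and is used here only as a label.

```python
"""Classify a TLS verification failure as hostname (SAN/wildcard) or trust-anchor (issuer)."""
import re

# Constructed input: the verify output and SAN line quoted in the issue report.
VERIFY_OUTPUT = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.demo.altinity.cloud
verify return:1
"""
SAN_LINE = "DNS:*.demo.altinity.cloud, DNS:*.internal.demo.altinity.cloud"


def parse_chain(verify_output):
    """Return the chain's subject CNs ordered from the leaf (depth 0) to the top."""
    subjects = {}
    for m in re.finditer(r"^depth=(\d+) (.*)$", verify_output, re.M):
        cn = re.search(r"CN = ([^,]+)", m.group(2))
        subjects[int(m.group(1))] = cn.group(1).strip() if cn else m.group(2)
    return [subjects[d] for d in sorted(subjects)]


def parse_sans(san_line):
    """Extract the dNSName entries from an X509v3 Subject Alternative Name line."""
    return [e.split(":", 1)[1].strip() for e in san_line.split(",") if e.strip().startswith("DNS:")]


def hostname_matches(hostname, sans):
    """RFC 6125 style matching: a wildcard covers exactly one left-most label."""
    host_labels = hostname.lower().split(".")
    for san in sans:
        labels = san.lower().split(".")
        if labels[0] == "*":
            if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def diagnose(hostname, verify_output, san_line, trusted_roots):
    """Name check first, then trust anchor; returns 'ok' when both pass."""
    chain = parse_chain(verify_output)
    if not hostname_matches(hostname, parse_sans(san_line)):
        return "NotValidForName"  # SAN/wildcard problem; the issue shows this is not the case
    if chain[-1] not in trusted_roots:
        return "UnknownIssuer"  # top of the chain is missing from the client's root store
    return "ok"
```

With an empty root store the report's host yields `UnknownIssuer` even though the wildcard SAN matches, which is why adding the roots, not `skip_verify=true`, is the fix.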
@Slach
Author

Slach commented Jan 15, 2024

I do have a stacktrace, maybe the problem is Windows + crossterm backend

No, I got the error under Ubuntu Linux, installed from chdig-latest_amd64.deb

@Slach
Author

Slach commented Jan 15, 2024

This error should be a sign of an invalid issuer, so it does not know some root cert in the chain

But 0.6.1 works well. Or is skip_verify=true the default in 0.6.1?

@azat
Owner

azat commented Jan 23, 2024

Or is skip_verify=true the default in 0.6.1?

No, 0.6.1 does not have rustls.
Anyway, the problem has been fixed in #41.
