feat(cli): Obtain CA certificates from platform trust store; add NEXTCLADE_EXTRA_CA_CERTS / --extra-ca-certs
#1536
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…verifier" This reverts commit ed94c59, reversing changes made to 48801fa. Related-to: <#1529 (comment)>
…L trust store Previously, the platform's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots. Now the reqwest trust store will contain both certs obtained from the platform at run time as well as certs baked in via webpki-roots. Obtaining certs from the platform means that Nextclade will respect OS-level configuration to trust private CAs / self-signed certs. Keeping webpki-roots for all platforms is a precaution that makes this change merely additive for backwards compatibility, in case of platforms which lack a trust store (like some Linux containers) or platforms with out-of-date trust stores. It means that Nextclade binaries should continue to Just Work™. reqwest uses rustls-native-roots to obtain trusted CA certificates from the standard trust stores for the OS/platform. See the crate's documentation for details on each platform.¹ Notably, this does not use the platform's standard certificate verification methods like rustls-platform-verifier; it just extracts certificates. We may in the future want to switch to rustls-platform-verifier (ourselves or by waiting for reqwest to do so). Updates reqwest because an earlier (but problematic and now reverted²) change did so and there were some public API changes I'd like to use. Updates wasm-bindgen as necessary for the newer reqwest (≥0.2.89) and then a little further (0.2.93) to avoid Clippy warnings.³ ¹ <https://docs.rs/crate/rustls-native-certs/0.8.0> ² <#1529 (comment)>. ³ <rustwasm/wasm-bindgen#3985> Resolves: <#726> Related-to: <#1529> Related-to: <#1527>
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
This was referenced Oct 16, 2024
Closed
…d --extra-ca-certs option Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. An option may be preferred to an env var by some users or in some invocations. It also provides a convenient place for documentation of default CA cert handling and point of discovery for users. Co-authored-by: ivan-aksamentov <[email protected]> Supersedes: <#1527> Related-to: <#1529> Related-to: <#726>
tsibley
force-pushed
the
trs/rustls-tls-native-roots
branch
from
cf7a08e to
08b32e5
Compare
tsibley
added a commit
that referenced
this pull request
Oct 16, 2024
…page Updates clap-markdown from 0.1.3 → 0.1.4 to do so. I noticed these were missing with the addition of --extra-ca-certs¹ and traced it down to clap-markdown's version. ¹ in <#1536>
tsibley
changed the title
NEXTCLADE_EXTRA_CA_CERTS / --extra-ca-certsNEXTCLADE_EXTRA_CA_CERTS / --extra-ca-certs
tsibley
added a commit
to nextstrain/docs.nextstrain.org
that referenced
this pull request
Oct 21, 2024
…igurability Not having to say here, "There's nothing you can do", was the driving reason for me adding said configurability to Nextclade in the first place! Related-to: <nextstrain/nextclade#1536>
2 tasks
tsibley
added a commit
to nextstrain/docs.nextstrain.org
that referenced
this pull request
Oct 22, 2024
…igurability Not having to say here, "There's nothing you can do", was the driving reason for me adding said configurability to Nextclade in the first place! Related-to: <nextstrain/nextclade#1536>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit messages.
Fixes issues with previously-merged #1529. Supersedes #1527.