
pgrx init doesn't work with self-signed certificate #1430

Closed
tumluliu opened this issue Dec 10, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@tumluliu

tumluliu commented Dec 10, 2023

Hi there, thanks for making this amazing framework. I have, however, hit the wall behind a corporate proxy, as we are using our own certificate:

❯ cargo pgrx init
Error:
   0: unable to retrieve https://www.postgresql.org/versions.rss
   1: https://www.postgresql.org/versions.rss: Connection Failed: tls connection init failed: invalid peer certificate: UnknownIssuer
   2: invalid peer certificate: UnknownIssuer

Location:
   /home/xx/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cargo-pgrx-0.11.2/src/command/version.rs:42

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ SPANTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

   0: cargo_pgrx::command::init::execute
      at /home/xx/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cargo-pgrx-0.11.2/src/command/init.rs:83

I took a very quick look at the code from version.rs here and it seems it is caused by the ureq Agent you created using the default webpki-roots instead of the OS trust store (refs: 1, 2). So I guess it's not very easy to change this behaviour without modifying the mod.rs code? But I'm not sure, since I'm neither an expert in security nor in Rust. I'm wondering if there is a quick way to bypass this cert complaint when running init. Could you provide some hints? Thanks again!

p.s. my env: Ubuntu 22.04 Linux

@eeeebbbbrrrr eeeebbbbrrrr added the bug Something isn't working label Dec 11, 2023
@workingjubilee
Member

If setting HTTPS_PROXY doesn't fix it, then there is no quick way and it does require modifying the code using rustls-native-certs.

@tumluliu
Author

If setting HTTPS_PROXY doesn't fix it, then there is no quick way and it does require modifying the code using rustls-native-certs.

Thanks @workingjubilee. I do have HTTP_PROXY, HTTPS_PROXY and NO_PROXY settings from my internal env all the time, together with a self-signed certificate. This is how my apt, pip, npm, cargo etc. work. If possible, please include support for rustls-native-certs in the upcoming releases, as I am internally testing the feasibility of pgrx. Thanks very very much

workingjubilee pushed a commit that referenced this issue Dec 27, 2023
…1448)

ureq defines `default = ["tls", "gzip"]`, so the "tls" feature (rustls) is
currently always enabled even when native-tls is preferred, i.e. both
rustls and native-tls are built if openssl headers are available and the
user cannot opt out of using rustls. This also disallows building
cargo-pgrx on platforms not supported by the ring crate (a dependency of
rustls).

This should also solve #1430 if `cargo-pgrx` is built with
`--no-default-features --features native-tls`.
workingjubilee added a commit that referenced this issue Dec 27, 2023
I first settled down to write up something using `rustls-native_certs`
but then I actually noticed ureq simply enables this with a feature.

This should fully solve #1430 for both rustls and native-tls.
@workingjubilee
Member

workingjubilee commented Dec 27, 2023

With #1448 and #1449 this should be solved for either the rustls or native-tls builds of cargo-pgrx.

@tumluliu Please test this using cargo install --path cargo-pgrx --no-default-features --features rustls after cloning the repository and pulling the latest develop. You may also want to try using --no-default-features --features native-tls. One of them should work for you. Please let us know which ones you tested, and which ones work. And please feel free to reopen this issue if neither does.
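The failure in this thread comes down to which trust store the client consults: a bundled webpki-roots store contains public roots only, so a leaf certificate issued by a corporate CA (the proxy's TLS interception certificate) is rejected as UnknownIssuer, while a store that contains that CA accepts it. The script below reproduces that offline with the openssl CLI. It is an added example, not code from cargo-pgrx or ureq; the "Example Corp Root CA", "Public Root CA" and proxy.example.internal names are constructed for the demonstration, and the directory in WORK is an assumption.

```sh
#!/bin/sh
# Added example (not cargo-pgrx or ureq code): reproduce the trust-store
# failure offline. A constructed corporate root CA signs a leaf certificate;
# the leaf is then verified against (a) a store holding only an unrelated
# public root, like a bundled webpki-roots store, and (b) a store holding the
# corporate root, like the OS trust store once the corporate CA is installed.
set -u

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for the generated files

# Build the constructed chain: corporate root CA -> leaf for a hypothetical
# interception proxy, plus an unrelated "public" root that does not sign it.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/corp-ca.key" -out "$WORK/corp-ca.pem" \
        -subj "/CN=Example Corp Root CA" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/public-ca.key" -out "$WORK/public-ca.pem" \
        -subj "/CN=Public Root CA" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=proxy.example.internal" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/corp-ca.pem" -CAkey "$WORK/corp-ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
}

# verify_leaf STORE: verify the leaf using only the given CA bundle. The
# default system file and directory are disabled, so the outcome depends
# solely on STORE's contents. Prints OK or REJECTED and always returns 0,
# so callers compare the printed text rather than the exit status.
verify_leaf() {
    if openssl verify -no-CApath -no-CAfile -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo REJECTED
    fi
}

# list_store_subjects BUNDLE: the check a practitioner wants before blaming
# the client: which CAs does this bundle actually contain? One subject= line
# per certificate; a corporate CA missing here will never be trusted.
list_store_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep '^subject='
}

main() {
    make_chain || { echo "openssl not available or chain generation failed"; return 1; }
    echo "store with public roots only (bundled webpki style): $(verify_leaf "$WORK/public-ca.pem")"
    echo "store containing the corporate root (OS store style): $(verify_leaf "$WORK/corp-ca.pem")"
    echo "CAs present in the corporate store:"
    list_store_subjects "$WORK/corp-ca.pem"
}

main
```

The mitigation the thread arrives at is the same one this script illustrates: make the client read the store that already holds the corporate CA (the native-certs or native-tls build), rather than disabling verification.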

@tumluliu
Author

tumluliu commented Jan 8, 2024

@workingjubilee sorry for the late reply and thanks a lot for the fix! We have tried cargo install --path cargo-pgrx --no-default-features --features rustls and it worked well with the self-signed certificate. So it can be confirmed as fixed from my end

workingjubilee pushed a commit that referenced this issue Jan 24, 2024
workingjubilee added a commit that referenced this issue Jan 24, 2024