salmon-nest-5801 (05/01/2021, 10:22 PM):
REQUESTS_CA_BUNDLE and PIP_CERT, etc. I've also experimented with PANTS_CA_CERTS_PATH and --ca-certs-path=${SSL_CERT_FILE} (the variable being a handy reference to the bundle I generated). But regardless of what I set, I always get the following when trying to do anything other than --version with pants:

    Exception: Error downloading file: error sending request for url (https://github.com/pantsbuild/pex/releases/download/v2.1.35/pex): error trying to connect: invalid certificate: BadDER

I thought maybe there was some sort of issue with pants not liking the openssl that homebrew has installed, and that maybe I needed to rebuild it from sources, so I attempted that - same output. I have longer logs from that if anyone wants to see (I didn't post them here as this is already too long). Regardless of what I set, if I set those variables, if I don't set them, I get the same response. I know pip and anything requests-based work perfectly fine on my system - I needed those a while ago and I sorted them out; I know for sure that the generated bundle works perfectly fine with those tools, and other things like pip, pipenv, poetry, etc.

Any ideas? I'm just looking for a workaround that isn't getting out from behind the SSL Inspection server (I could, but then this won't work for anyone if they're ever inside the company intranet, and that's not really a solution). I can set whatever complicated environment I need. I know I could host the artifacts myself à la proxy limitations, but I'd really rather not do that either. I really think this should work, I just can't figure out why it doesn't.

fast-nail-55400 (05/01/2021, 11:10 PM):
pex is downloaded via the download intrinsic of the Rust engine. Thus, configuring Python HTTP libraries would not have any effect on the Rust code since the Rust code is using the reqwest crate.

average-vr-56795 (05/01/2021, 11:12 PM):

fast-nail-55400 (05/01/2021, 11:13 PM):

    // These certs are for downloads, not to be confused with the ones used for remoting.
    let ca_certs = Self::load_certificates(ca_certs_path)?;
    let http_client_builder = ca_certs
        .iter()
        .fold(reqwest::Client::builder(), |builder, cert| {
            builder.add_root_certificate(cert.clone())
        });
    let http_client = http_client_builder
        .build()
        .map_err(|err| format!("Error building HTTP client: {}", err))?;

salmon-nest-5801 (05/01/2021, 11:20 PM):
reqwest connects to the server. Is it not using openssl under the covers? I'm kind of surprised - the bundle I have (which does include this additional CA) is in a place that homebrew openssl intrinsically knows to find on this machine...

fast-nail-55400 (05/01/2021, 11:22 PM):
reqwest crate is configured to use rustls (which is a Rust implementation of TLS)

salmon-nest-5801 (05/01/2021, 11:23 PM):

fast-nail-55400 (05/01/2021, 11:24 PM):
-ldebug --log-show-rust-3rdparty --show-log-target

salmon-nest-5801 (05/01/2021, 11:25 PM):

fast-nail-55400 (05/01/2021, 11:25 PM):
reqwest and rustls

salmon-nest-5801 (05/01/2021, 11:25 PM):

fast-nail-55400 (05/01/2021, 11:35 PM):
> Ah, that'd do it. Any particular reason? That's fine as long as it handles the same inputs (or the differences are documented)
rustls doesn't suffer from the memory unsafety issues of C, which openssl is written in

salmon-nest-5801 (05/01/2021, 11:40 PM):

fast-nail-55400 (05/01/2021, 11:43 PM):
invalid certificate: BadDER

salmon-nest-5801 (05/01/2021, 11:44 PM):

fast-nail-55400 (05/01/2021, 11:45 PM):

salmon-nest-5801 (05/01/2021, 11:47 PM):

fast-nail-55400 (05/02/2021, 12:53 AM):

happy-kitchen-89482 (05/03/2021, 12:37 PM):

salmon-nest-5801 (05/03/2021, 8:05 PM):