Error fetching release: io: invalid peer certificate: UnknownIssuer

[rrrix]

My organization uses advanced firewalls ("NGFW") which perform real-time inline SSL/TLS decryption & re-encryption, and as a result the TLS certificate which my hosts running dra see is a custom, non-public certificate signed by a private certificate authority.

This is a common scenario in large enterprise and institutional networks.

uv (also written in Rust) solves this problem by supporting a CLI flag + Environment Variable --native-tls which uses the Host OS Trusted CA store.

I believe uv uses rustls-platform-verifier (or a derivative thereof) to do this, but I'm a rust noob so I'm not exaclty sure of the mechanism.

Can dra get a --native-tls style option, pretty please? I can't use it without host/custom root CA support.

Thanks!

The error I get when using dra:

$ dra untag devmatteini/dra
Error fetching release: io: invalid peer certificate: UnknownIssuer

github.com TLS Certificate inspection:

$ openssl s_client -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
subject=CN=github.com
issuer=C=US, ST=CA, O=<redacted>, OU=IT, CN=decrypt.<redacted>.com

[devmatteini]

Hi!

I'm happy to help, just need to figure out how to test this. Do you have any suggestions to create a minimal environment where I can do these tests?

It seems we need to enable a feature of ureq, the http client to make it work.

[rrrix]

There are various ways to test this - I suppose it depends if you want a fully automated (e.g. GitHub Actions CI/CD) test environment, versus an ad-hoc or local-only test environment.

The first test (hopefully, obviously) would be enabling Native TLS and ensuring everything works as is, with no TLS interception or custom certificates and such.

I believe the easiest way to test a "custom certificate" scenarios would be to use a combination of mkcert and mitmproxy:

• github.comFiloSottile/mkcert
• github.com/mitmproxy/mitmproxy

You would use mkcert to generate a new TLS certificate chain which is installed into your local system trusted root CA, and then use the certificate and private key with mitmproxy to perform the testing.

mitmproxy supports a variety of modes, from basic HTTP/S proxying, to inline interception with Wireguard or custom network routing.

Assuming dra supports HTTPS/SOCKS proxies - The easiest would be to use just a basic HTTPS ("mitmproxy regular") or SOCKS5 style proxy that uses a custom certificate on the proxy itself.

Can you share a little more about how you would like to perform testing for this? Perhaps I can give you a more detailed recommendation and/or examples to help you get started.

• Local Desktop Environment (e.g. macOS, Windows, Linux desktop?)
• Automated in CI - GitHub Actions?

[devmatteini]

Hi! I really appreciate your help, thanks!

Assuming dra supports HTTPS/SOCKS proxies

Yes, it does support that.

Can you share a little more about how you would like to perform testing for this?

I would like to have automated tests in CI, and being able to also run them locally.
Preferably using a docker container with everything configured, where you just need to execute dra. I already do that for some tests to install debian packages, so it would be pretty easy to integrate in the test suite.