
Certificate not trusted? #143

Closed
pradovic opened this issue Nov 15, 2019 · 8 comments

Comments

@pradovic

pradovic commented Nov 15, 2019

Using the lib, I get Failure(Error { code: -67843, message: "The certificate was not trusted." }) when trying to access ds.us-east-1.amazonaws.com. However, I tried accessing it using other TLS libs, like the Golang or Java versions, and the certificate looks good. Also, Firefox is seeing it as a valid certificate, while Google Chrome is not, so it looks like there is something specific with this credential that is not handled by Google Chrome or rust-native-tls, but it is handled by most browsers and TLS libs that I have tried. You can find the cert on: http://crt.sca1b.amazontrust.com/sca1b.crt.

P.S. I was testing this on OS X. I will try on Linux/Windows as well, and I will try to pinpoint the exact problem with the cert. I will update the issue if I find any new useful information. Might be a libc, but I am not sure.

@pradovic pradovic changed the title Certificate not trusted Certificate not trusted? Nov 15, 2019
@bluejekyll

I just ran into this on macOS as well. I have some tests that reproduce this error easily, if needed, with locally generated certificates. macOS: 10.15.1 (19B88), native-tls 0.2.3.

@sfackler
Owner

That error is returned from the underlying Security.framework library, so I'm not sure how much there is to do on the native-tls side of things. Apple did change their verification logic in 10.15 though: https://support.apple.com/en-us/HT210176.

@bluejekyll

Yeah, I'm a little worried Apple has locked this down a bit more; I'm worried it's going to be a big pain trying to work around it. We'll see.

@matthewkmayer

For what it's worth, I ran into this issue before upgrading to OSX 10.15.1 (Catalina). OSX 10.14 (Mojave) exhibited the same behavior.

@pradovic
Author

pradovic commented Nov 20, 2019

Same here, and it looks like it works on Linux & Win.

@bluejekyll

@sfackler are you closing this because it’s believed that building keys in accordance with Apple’s new guidelines will resolve the issue?

@sfackler
Owner

I'm closing it because I don't believe there are any actions to take in this library.

@broccolihighkicks

broccolihighkicks commented Nov 23, 2021

Note that you may be able to get a more specific reason for macOS rejecting the server cert by opening the Console app, limiting logs to your process, and searching for trust.

My process logged Trust evaluate failure: [leaf ValidityPeriodMaximums], which I think means that the server certificate was rejected because it is valid for 10 years (825 days is the maximum allowed).

A workaround is to:

  • Add the CA cert to keychain, set Always Trust
  • Add the server cert to keychain, set Always Trust.

If you only have the CA cert, you can read the server cert with:

# Empty stdin makes s_client exit as soon as the handshake is done;
# -showcerts prints every certificate the server sends, leaf first.
echo "" | /opt/homebrew/opt/openssl@1.1/bin/openssl s_client -connect 1.2.3.4:3306 -showcerts -CAfile /x/ca-cert.pem

# For databases that negotiate TLS inside the protocol, add one of:
# -starttls mysql
# -starttls postgres

and then copy/paste the begin...end block to a .pem file.
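The [leaf ValidityPeriodMaximums] failure above is one of the server-certificate rules Apple documents in HT210176, the page linked earlier in the thread. The program below is an added example, not code from native-tls or from anyone in this thread. It encodes the rules from that page that can be checked on a leaf certificate offline: a maximum validity of 825 days for certificates issued on or after 1 July 2019, DNS names in the Subject Alternative Name extension, an ExtendedKeyUsage containing id-kp-serverAuth, RSA keys of at least 2048 bits, and a SHA-2 signature hash. You can point it at the PEM block pasted out of the s_client command above; with no argument it runs against self-signed certificates it constructs itself (a 10-year leaf like the one in the comment, and an 825-day one). The function names and test certificates are my own; the check only says which of these rules a leaf trips and does not replace chain validation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// HT210176 limits for TLS server certificates on macOS 10.15 and later.
// The validity cap only applies to certificates issued on or after 1 July 2019.
const maxValidityDays = 825

var validityCutoff = time.Date(2019, 7, 1, 0, 0, 0, 0, time.UTC)

// CheckAppleTrust lists the HT210176 rules a leaf certificate violates.
// An empty result means none of these rules explains a rejection; the chain,
// hostname and revocation checks still have to pass on their own.
func CheckAppleTrust(cert *x509.Certificate) []string {
	var problems []string

	validity := cert.NotAfter.Sub(cert.NotBefore)
	if !cert.NotBefore.Before(validityCutoff) && validity > maxValidityDays*24*time.Hour {
		problems = append(problems, fmt.Sprintf(
			"ValidityPeriodMaximums: valid for %.0f days, maximum is %d",
			validity.Hours()/24, maxValidityDays))
	}
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		problems = append(problems, "SubjectAltName: no DNS names or IP addresses (CN alone is not accepted)")
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			serverAuth = true
		}
	}
	if !serverAuth {
		problems = append(problems, "ExtendedKeyUsage: id-kp-serverAuth missing")
	}
	if rsaKey, ok := cert.PublicKey.(*rsa.PublicKey); ok && rsaKey.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("KeySize: RSA %d bits, minimum is 2048", rsaKey.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		problems = append(problems, "SignatureHash: "+cert.SignatureAlgorithm.String()+" is not SHA-2")
	}
	return problems
}

// CheckPEM runs CheckAppleTrust on the first CERTIFICATE block in PEM data,
// e.g. the begin...end block copied out of `openssl s_client -showcerts`.
func CheckPEM(data []byte) ([]string, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return CheckAppleTrust(cert), nil
}

// makeSelfSigned builds a constructed RSA-2048 self-signed leaf as test input;
// it is not a real server certificate. NotBefore is after the 2019 cutoff on purpose.
func makeSelfSigned(days int, dnsNames []string, serverAuth bool) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	notBefore := time.Date(2021, 11, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "db.example.internal"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		DNSNames:              dnsNames,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	if serverAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // parse back so all fields are populated
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	if len(os.Args) > 1 { // usage: go run check.go server.pem
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
		problems, err := CheckPEM(data)
		fmt.Println(problems, err)
		return
	}
	// No file given: a 10-year leaf like the one in the comment, then a compliant one.
	for _, days := range []int{3650, maxValidityDays} {
		cert := makeSelfSigned(days, []string{"db.example.internal"}, true)
		fmt.Printf("%d-day leaf: %v\n", days, CheckAppleTrust(cert))
	}
}
```

The validity rule is the one a long-lived internal CA is most likely to break, because OpenSSL and most database installers default to multi-year server certificates; reissuing the server cert with 825 days or fewer avoids the keychain "Always Trust" override, which silently disables the rest of the evaluation for that certificate.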

5 participants