Certificate not trusted? #143
Comments
I just ran into this on macOS as well. I have some tests that reproduce this error easily, if needed, with locally generated certificates. macOS: 10.15.1 (19B88), native-tls 0.2.3. |
That error is returned from the underlying Security.framework library, so I'm not sure how much there is to do on the native-tls side of things. Apple did change their verification logic in 10.15 though: https://support.apple.com/en-us/HT210176. |
Yeah, I'm a little worried Apple has locked this down a bit more, I'm worried it's going to be a big pain trying to work around it. We'll see. |
For what it's worth, I ran into this issue before upgrading to OSX 10.15.1 (Catalina). OSX 10.14 (Mojave) exhibited the same behavior. |
Same here, and it looks like it works on Linux & Win. |
@sfackler are you closing this because it’s believed that building keys in accordance with Apple’s new guidelines will resolve the issue? |
I'm closing it because I don't believe there are any actions to take in this library. |
Note that you may be able to get a more specific reason for macOS rejecting the server cert by opening the Console app, limiting logs to your process, and searching for

My process logged

A workaround is to:

If you only have the CA cert, you can read the server cert with:

    echo "" | /opt/homebrew/opt/openssl@1.1/bin/openssl s_client -connect 1.2.3.4:3306 -showcerts -CAfile /x/ca-cert.pem
    # For databases:
    # -starttls mysql
    # -starttls postgres

and then copy/paste the |
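Added example (not from this thread or the native-tls project): once the server chain has been pulled with openssl s_client as above, the script below checks a single PEM certificate against the requirements Apple introduced with macOS 10.15 / iOS 13 (HT210176, linked earlier in the thread): validity period of at most 825 days, a DNS name in subjectAltName, an RSA key of at least 2048 bits, and a SHA-2 family signature. It assumes only openssl(1) in PATH and POSIX sh (dates are converted without GNU date, so it runs on both Linux and macOS); make_test_cert is a helper for generating self-signed test inputs and needs OpenSSL 1.1.1 or newer for -addext. Failing one of these checks is one possible reason for errSecNotTrusted, not necessarily the cause of the report above.

```shell
#!/bin/sh
# Added example: check a PEM certificate against the HT210176 (macOS 10.15) requirements.
# Assumes openssl(1) in PATH; everything else is POSIX sh.

# Days since 1970-01-01 for a civil date (year >= 1970, month 1-12, day).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Convert an openssl x509 date such as "Nov 12 18:30:00 2019 GMT" to days since epoch.
openssl_date_to_days() {
    set -- $1   # word-split into month, day, time, year, zone
    case "$1" in
        Jan) mon=1;;  Feb) mon=2;;  Mar) mon=3;;  Apr) mon=4;;
        May) mon=5;;  Jun) mon=6;;  Jul) mon=7;;  Aug) mon=8;;
        Sep) mon=9;;  Oct) mon=10;; Nov) mon=11;; Dec) mon=12;;
        *) echo "bad month: $1" >&2; return 1;;
    esac
    days_from_civil "$4" "$mon" "$2"
}

# Validity period of the cert in $1, in days (notAfter - notBefore).
cert_lifetime_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( $(openssl_date_to_days "$na") - $(openssl_date_to_days "$nb") ))
}

# 0 if the cert carries a subjectAltName extension with at least one DNS entry.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'
}

# 0 if the subject public key is RSA.
cert_key_is_rsa() {
    openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption'
}

# Public key size in bits (works for the 1.1.1 and 3.x text layouts).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}

# Signature algorithm name, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n1
}

# Run every HT210176 check on the cert in $1, print one line per requirement, return 0 only if all pass.
check_apple_cert_reqs() {
    cert=$1; rc=0
    days=$(cert_lifetime_days "$cert")
    if [ "$days" -le 825 ]; then echo "PASS validity ${days} days"; else echo "FAIL validity ${days} days (> 825)"; rc=1; fi
    if cert_has_dns_san "$cert"; then echo "PASS subjectAltName has a DNS name"; else echo "FAIL no DNS name in subjectAltName (CN alone is not enough)"; rc=1; fi
    bits=$(cert_key_bits "$cert")
    if cert_key_is_rsa "$cert" && [ "${bits:-0}" -lt 2048 ]; then echo "FAIL RSA key is ${bits} bits (< 2048)"; rc=1; else echo "PASS key ${bits:-?} bits"; fi
    alg=$(cert_sig_alg "$cert")
    case "$alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo "PASS signature $alg";;
        *) echo "FAIL signature $alg (SHA-1 or unrecognised)"; rc=1;;
    esac
    return $rc
}

# Helper (assumption: OpenSSL >= 1.1.1 for -addext): self-signed test cert.
# $1 = output path prefix, $2 = validity in days, $3 = subjectAltName value or "" for none.
make_test_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
            -days "$2" -subj "/CN=example.test" -addext "subjectAltName=$3" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
            -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
    fi
}

# Usage: sh check_apple_cert_reqs.sh server.pem   (one certificate per file; split a chain first)
if [ -n "$1" ]; then check_apple_cert_reqs "$1"; fi
```

Run it on each certificate copied out of the s_client output separately; the leaf is what the 825-day and SAN rules bite on, while an old SHA-1 or 1024-bit intermediate shows up on the chain certificates.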
Using the lib, I get

    Failure(Error { code: -67843, message: "The certificate was not trusted." }

when trying to access ds.us-east-1.amazonaws.com. However, I tried accessing it using other TLS libs, like the Golang or Java version, and the certificate looks good. Also, Firefox is seeing it as a valid certificate, while Google Chrome is not, so it looks like there is something specific with this credential that is not handled by Google Chrome or rust-native-tls, but it is handled by most browsers and TLS libs that I have tried. You can find the cert on: http://crt.sca1b.amazontrust.com/sca1b.crt

P.S. I was testing this on OS X. I will try on Linux/Windows as well, and I will try to pinpoint the exact problem with the cert. I will update the issue if I find any new useful information. Might be a libc, but I am not sure.