[Bug] Broken download for ephemeral_server due to wrong CA #818

@reyder

Description

What are you really trying to do?

Trying to run tests in CICD using auto downloaded ephemeral_server.

Describe the bug

The pipeline where we try to run the test can access the outside internet only via a proxy. So downloading anything via SSL requires adding our own CA either to the CA root or by appending it via some env variable. We automatically do both and it works everywhere except in the pipeline that is downloading ephemeral_server to execute unit tests.

The problem is this:

reqwest = { version = "0.12", features = ["json", "stream", "rustls-tls"], default-features = false, optional = true }

rustls-tls feature == rustls-tls-webpki-roots (https://github.com/rustls/webpki-roots)

That means that downloading ephemeral_server will be validated only against Mozilla's hardcoded trusted root certificates and nothing else. The system root CA is not included and it is not possible to append any other CA via an ENV variable.

I suggest switching to rustls-tls-native-roots. This feature also allows appending a custom CA for validation.

Minimal Reproduction

running test via

from temporalio.testing import WorkflowEnvironment

env = await WorkflowEnvironment.start_local()

in an environment where access to the outside is provided via a self-signed proxy

Environment/Versions

  • OS and processor: Linux x86_64/CICD/Jenkins
  • Temporal Version: latest
  • Are you using Docker or Kubernetes or building Temporal from source? Using provided temporal pkgs
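
The failure mode reported in this issue can be modelled offline; the following is an added example, not code from the issue or from the Temporal SDK. It uses `openssl verify` as a stand-in for the client's certificate check (it does not exercise reqwest or rustls), and every CA name, subject and file name in it is constructed.

```shell
#!/bin/sh
# Constructed model: a leaf certificate re-signed by an intercepting proxy is
# checked against (a) a fixed root set without the proxy CA and (b) a store
# that also contains the proxy CA, as a system store in this pipeline would.

# make_ca DIR NAME SUBJECT: create a throwaway self-signed CA (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_leaf DIR CA SUBJECT: issue leaf.pem signed by CA, the way the proxy
# presents its own certificate for the upstream download host.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" >/dev/null 2>&1
}

# trusted_by BUNDLE CERT: succeed only if CERT chains to a root in BUNDLE.
# The constructed CAs are in no system store, so default paths cannot help.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# run_demo: print the verdict of each root set for the proxy-issued leaf.
run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" public "/CN=Constructed Public Root" &&
    make_ca "$d" proxy "/CN=Constructed Proxy CA" &&
    issue_leaf "$d" proxy "/CN=download.example.invalid" ||
        { rm -rf "$d"; return 1; }
    cp "$d/public.pem" "$d/fixed.pem"                      # compiled-in style bundle
    cat "$d/public.pem" "$d/proxy.pem" > "$d/native.pem"   # store with the proxy CA added
    res=""
    for b in fixed native; do
        if trusted_by "$d/$b.pem" "$d/leaf.pem"; then
            res="$res$b=accepted "
        else
            res="$res$b=rejected "
        fi
    done
    rm -rf "$d"
    echo "${res% }"
}

run_demo
```

The `fixed` verdict stays `rejected` no matter what is installed on the host, which matches the behaviour reported above for the bundled root set.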
