1.1.0 causes SSL error downloading node with custom CA certs #1427
Comments
To my understanding the latest version uses an integrated certificate store and there is no way to override it. A solution has already been merged, but there has been no release.
See this PR: #1375
@olivierlacan Thanks for reporting! As @trallnag said, this is very likely caused by Volta 1.1.0 using an internal certificate store rather than the system-native one. The newly-released Volta 1.1.1 includes the above fix to make Volta properly use the system-native certificates, so it should work for this case. If it doesn't, please let us know so we can dig in deeper to figure out why we aren't getting the appropriate certificates!
@charlespierce Thanks for the release. It fixed the issue for me on the install side, regardless of whether I had the Zscaler CA in my local OpenSSL bundle, so it seems like volta is appropriately deferring to OS-level certs.
However there is an interesting 10+ second pause prior to the download progress bar actually moving which seems worth noting since I don't recall seeing downloads ever hang for that long. I wonder if the TLS handshake process is somehow delaying the download in some way. Below is a screencast demonstrating the issue. Occasionally downloads seem to pause midstream as well, and randomly resume a few seconds later. So maybe that rules out the handshake issue.
volta-1-1-1-node-download-hangs.mp4
I did check if I had any noticeable packet loss and couldn't isolate that as a variable:
This pausing behavior may be entirely unrelated and due to my system or my network so I'm closing this issue since it's effectively fixed. But it might be worth getting some macOS users to try and reproduce the hangs. If there are verbose debug flags I can pass to Volta without messing with the source so it can display verbose cURL output, let me know and I'll try with those.
This sounds like some kind of enterprise security product that slows down the stream artificially to have more time for scanning. I guess this Zscaler certificate is part of a product that does TLS inspection?
I've dug into this enough to know that installing any other version than Volta 1.1.0 resolves the issue.
I have a feeling Volta's removal of the OpenSSL dependency means it is now incompatible with zero-trust tools like Zscaler which require custom Certificate Authority certificates installed at the OS level (macOS Ventura 13.1 in my case).
After installing v1.1.0:
Indeed the swallowed error is an Invalid Peer Certificate error:
ZScaler is fully trusted in macOS Keychain on my system:
If Volta pinged my local openssl it should be getting the appropriate CA certs as my local (Homebrew-installed) openssl shows:
Right now I'm not sure how to get volta to use the appropriate CA chain to make SSL requests under v1.1.0 so I have to downgrade and tell my teammates to avoid upgrading volta.
Could be related to #1035 but no one specified their versions in this issue thread so I can't be sure.
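The thread turns on one distinction: a TLS client that ships its own root set (Volta 1.1.0's internal store) cannot trust an interception CA such as Zscaler's that is only installed in the OS keychain, while a client that loads the system-native store can. The added script below, which is not part of Volta or of this issue, makes that distinction observable: it builds one TLS context from the OS trust store and one from a caller-supplied PEM bundle, attempts a handshake with each, and classifies a failure as "untrusted_ca" when the error is the "unable to get local issuer certificate" variety behind the swallowed Invalid Peer Certificate error described above. The host name and bundle path in the `__main__` block are constructed placeholders; Python's `ssl` module is used as a stand-in for whichever TLS stack the client actually uses.

```python
"""Probe whether a TLS peer verifies against the OS trust store versus a
bundled root set, and explain a failure. Added diagnostic, not Volta's code.
The host and bundle path in __main__ are constructed placeholders."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    host: str
    store: str               # "system" (OS keychain / OpenSSL paths) or "bundle"
    ok: bool
    error: Optional[str]     # short classification when ok is False
    detail: Optional[str]    # peer issuer on success, raw exception text on failure


def build_context(store: str, bundle: Optional[str] = None) -> ssl.SSLContext:
    """Create a verifying client context backed by the requested trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if store == "system":
        # Same source a "system-native" client consults: the platform store on
        # macOS/Windows, or the OpenSSL cafile/capath on other systems.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    elif store == "bundle":
        if bundle is None:
            raise ValueError("store='bundle' requires a PEM bundle path")
        # Mirrors a client with an internal root set: only this file is trusted.
        ctx.load_verify_locations(cafile=bundle)
    else:
        raise ValueError(f"unknown store {store!r}")
    return ctx


def classify(exc: BaseException) -> str:
    """Map a handshake exception to a short, store-aware diagnosis."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = (getattr(exc, "verify_message", None) or str(exc)).lower()
        if "local issuer" in msg or "self-signed" in msg or "self signed" in msg:
            # The chain terminates in a CA (e.g. an inspection proxy's root)
            # that this particular trust store does not contain.
            return "untrusted_ca"
        if "hostname" in msg:
            return "hostname_mismatch"
        return "invalid_peer_certificate"
    if isinstance(exc, ssl.SSLError):
        return "tls_error"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"          # checked before OSError: TimeoutError is an OSError
    if isinstance(exc, OSError):
        return "network_error"
    return "unknown"


def probe(host: str, port: int = 443, store: str = "system",
          bundle: Optional[str] = None, timeout: float = 5.0) -> ProbeResult:
    """Attempt one TLS handshake and report the outcome for the chosen store."""
    ctx = build_context(store, bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = tls.getpeercert().get("issuer")
                return ProbeResult(host, store, True, None, repr(issuer))
    except Exception as exc:  # noqa: BLE001 - every failure is classified
        return ProbeResult(host, store, False, classify(exc), str(exc))


def trust_store_locations() -> dict:
    """Where this process's OpenSSL would look for CA material by default."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile, "capath": p.capath,
            "cafile_env": p.openssl_cafile_env, "capath_env": p.openssl_capath_env}


if __name__ == "__main__":
    HOST = "download-host.example"            # constructed placeholder
    BUNDLE = "/path/to/internal-roots.pem"    # constructed placeholder
    print("default OpenSSL paths:", trust_store_locations())
    for result in (probe(HOST, store="system"), probe(HOST, store="bundle", bundle=BUNDLE)):
        print(f"{result.store:>6}: ok={result.ok} error={result.error} detail={result.detail}")
```

Behind an inspecting proxy the expected pattern is that the `system` probe succeeds and reports the proxy's CA as issuer while the `bundle` probe fails with `untrusted_ca`; if both fail the same way, the CA is not installed where the OS looks either, and the client's choice of store is not the problem.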