Can't use a self-signed certificate without using danger_accept_invalid_certs

[mrcz]

I'm trying to POST to an external http server which uses a self signed certificate. I have put this certificate in a PEM file that I read using Certificate::from_pem and pass to Client::builder(). This worked on macOS using native TLS, but after I switched to rustls-tls I need to also call (on both macOS and Linux):

Client::builder()
    // ...
    .add_root_certificate(config.server_certificate)
    .danger_accept_invalid_certs(true)      // <- required with rustls-tls
    .use_rustls_tls();                      // <- required with rustls-tls

Why is this? I don't want to accept invalid certificates, just trust the provided server certificate. (There is no chain of certificates, just one)

The error I get is:

source: hyper::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificateData("invalid peer certificate: UnknownIssuer") } })

[seanmonstar]

I don't know what the exact reason is, but sounds like something to file with the rustls repo.

[agu3rra]

I am facing the exact same issue @mrcz. Did you figure out how to fix it? If so, can you share your solution here?

[mrcz]

No sorry, I did not solve it.

[gliderkite]

I was having a similar issue where when using cURL to query the server everything was working as expected, but I was getting the error InvalidCertificateData("invalid peer certificate: UnknownIssuer") with

reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }

unless I created the client by setting .danger_accept_invalid_certs(true).

I solved it by changing the feature to rustls-tls-native-roots.

[git-noise]

Hello,
@agu3rra @mrcz

Not too sure if it helps, but on my end I have no issue in using something like the following:

ClientBuilder::new()
  .add_root_certificate(server_certificate)
  .use_rustls_tls()
  .min_tls_version(Version::TLS_1_3)
  .build()

I do not think that using danger_accept_invalid_certs() is necessary.

[mrcz]

Thanks for helping out, however I tried again now, and I still get error: InvalidCertificate(UnknownIssuer) unless I use danger_accept_invalid_certs(). So server_certificate is self signed in your case and it still works?

[git-noise]

Oh wait, I re-read your initial issue more carefully. In my case it is not a self-signed certificate, it is a certificate signed by a self-signed chain, and I pass the chain. Sorry for the noise, it probably won't solve anything for you unless you have at least one level of signature so to speak. my code snippet should read more like:

ClientBuilder::new()
  .add_root_certificate(chain_certificate)
  .use_rustls_tls()
  .min_tls_version(Version::TLS_1_3)
  .build()

[jregistr]

FWIW, I also got this error

error trying to connect: invalid peer certificate: UnknownIssuer

but I got this while running my code in a container on google cloud run. Installing ca-certificates in my container fixed it

RUN apt-get update && apt-get install -y ca-certificates