panics "no CA certificates found" #187

Closed
doums opened this issue Jan 26, 2023 · 13 comments · Fixed by #228

@doums

doums commented Jan 26, 2023

Hi,

I have a project which has an indirect dependency on hyper-rustls. During runtime, the binary panics:

thread '<unnamed>' panicked at 'no CA certificates found', /home/pierre/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-rustls-0.22.1/src/connector.rs:45:13

The version is 0.22.1.
Note that the crash happens on an Android device.

@djc
Member

djc commented Jan 30, 2023

How did you build a configuration? If you used with_native_roots(), this issue report probably makes more sense in the rustls-native-certs repo (I can move it for you if you like). The Unix implementation for that lives in https://github.com/rustls/rustls-native-certs/blob/main/src/unix.rs and depends on the openssl_probe crate. A workaround might be to use with_webpki_roots() instead, which basically bakes the certificates into your Rust binary at compile time.

@cpu
Member

cpu commented Mar 31, 2023

@doums Can you provide more information on your configuration so that we can file an issue with rustls-native-certs?

@aaronArinder

hola, mi amigos; I ran into a similar issue and am using with_native_roots()--hopefully that's helpful

@cpu
Member

cpu commented Apr 19, 2023

Hi @aaronArinder, thanks for commenting.

Can you share more detail? For example, what platform are you running on and which versions of the relevant crates are in play. It would also be helpful if you have a backtrace or a code snippet that reproduces.

@doums
Author

doums commented Apr 19, 2023

Hi!

> @doums Can you provide more information on your configuration so that we can file an issue with rustls-native-certs?

Sorry for the delay in responding. Our code has changed a lot since then, and although I don't remember how, I finally managed to fix/work around the issue.

@51yu

51yu commented Aug 15, 2023

Hello, I ran into a similar issue:

panicked at 'no CA certificates found', /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/hyper-rustls-0.23.2/src/config.rs:48:9

@ctz
Member

ctz commented Aug 15, 2023

please post:

  • the log output up until that point
  • details of your environment: operating system version, etc.
    • if Linux, please include the version of the ca-certificates package or your distribution's equivalent of that.

@kayabaNerve
Contributor

https://github.com/rustls/hyper-rustls/blob/main/src/config.rs#L48 is an assertion which fires if there are no certs locally installed. IMO, this method should return a Result with an error in this case (or an Option, which is None if no certs are locally installed).

Checking if certs are locally installed prior to executing this function would require rewriting most of it.

@djc
Member

djc commented Oct 31, 2023

I want to challenge for a bit that this shouldn't panic. In your particular use case, how are you going to handle an error from this API?

@kayabaNerve
Contributor

kayabaNerve commented Nov 2, 2023

Falling back to with_webpki_roots as my use-case doesn't require explicit use of the system roots. I just solely have a preference for them.

Using with_webpki_roots now wouldn't be safe for all use-cases though as some users may explicitly only want to trust the system roots, or may want to work on systems with custom CAs installed.

If with_native_roots is going to panic, I will have to re-implement a check if the system has native roots available to fix the fact this safe function panics on an OS resource which may not exist on a variety of configurations not existing. To do so would require rewriting most of this function, and in order to be safe, would require the documentation of this function to document it panics on this case and only on this case.

@xz-dev

xz-dev commented Nov 4, 2023

> Falling back to with_webpki_roots as my use-case doesn't require explicit use of the system roots. I just solely have a preference for them.
>
> Using with_webpki_roots now wouldn't be safe for all use-cases though as some users may explicitly only want to trust the system roots, or may want to work on systems with custom CAs installed.
>
> If with_native_roots is going to panic, I will have to re-implement a check if the system has native roots available to fix the fact this safe function panics on an OS resource which may not exist on a variety of configurations not existing. To do so would require rewriting most of this function, and in order to be safe, would require the documentation of this function to document it panics on this case and only on this case.

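If you want a similar effect, you can use the following code:

// Imports assumed for hyper 0.14 with hyper-rustls 0.23/0.24.
use hyper::client::HttpConnector;
use hyper_rustls::HttpsConnector;

// The root store is selected at compile time by the crate's own
// "webpki-roots" feature; nothing is probed or switched at run time.
fn https_config() -> HttpsConnector<HttpConnector> {
    #[cfg(feature = "webpki-roots")]
    {
        // Certificates compiled into the binary.
        return hyper_rustls::HttpsConnectorBuilder::new()
            .with_webpki_roots()
            .https_only()
            .enable_http1()
            .enable_http2()
            .build();
    }
    #[cfg(not(feature = "webpki-roots"))]
    {
        // Certificates loaded from the operating system's store.
        return hyper_rustls::HttpsConnectorBuilder::new()
            .with_native_roots()
            .https_only()
            .enable_http1()
            .enable_http2()
            .build();
    }
}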

@kayabaNerve
Contributor

That still panics if the system roots are attempted yet there aren't system roots on the system. That isn't actually falling back at runtime, which is the above discussed flow.
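
The run-time decision discussed in this thread (probe for system roots, then fall back or fail according to the caller's trust policy), as an added example that is not code from hyper-rustls or from any participant here. It uses only the standard library; the `Roots` and `Policy` names, the PEM-counting probe and the candidate bundle paths are assumptions, and the probe is a simplified stand-in for what rustls-native-certs does.

```rust
use std::{fs, path::PathBuf};

/// Trust anchors the caller should configure (hypothetical names).
#[derive(Debug, PartialEq)]
pub enum Roots { Native(PathBuf), BundledWebpki }

/// Caller's trust policy: fail closed, or accept the compiled-in set.
#[derive(Clone, Copy)]
pub enum Policy { SystemOnly, PreferSystem }

/// Count complete PEM certificate blocks; empty or truncated input gives 0.
pub fn count_pem_certs(text: &str) -> usize {
    let (mut n, mut open) = (0, false);
    for line in text.lines().map(str::trim) {
        match line {
            "-----BEGIN CERTIFICATE-----" => open = true,
            "-----END CERTIFICATE-----" if open => { n += 1; open = false; }
            _ => {}
        }
    }
    n
}

/// First candidate bundle that is readable and holds at least one certificate.
pub fn find_native_bundle(candidates: &[PathBuf]) -> Option<PathBuf> {
    candidates.iter()
        .find(|p| fs::read_to_string(p).map(|t| count_pem_certs(&t) > 0).unwrap_or(false))
        .cloned()
}

/// Decide at run time, returning an error where the builder would panic.
pub fn choose_roots(candidates: &[PathBuf], policy: Policy) -> Result<Roots, String> {
    match (find_native_bundle(candidates), policy) {
        (Some(path), _) => Ok(Roots::Native(path)),
        (None, Policy::PreferSystem) => Ok(Roots::BundledWebpki),
        (None, Policy::SystemOnly) => Err("no CA certificates found".to_string()),
    }
}

fn main() {
    // Assumed common bundle locations; SSL_CERT_FILE, if set, is tried first.
    let mut candidates: Vec<PathBuf> =
        std::env::var_os("SSL_CERT_FILE").map(PathBuf::from).into_iter().collect();
    candidates.push("/etc/ssl/certs/ca-certificates.crt".into());
    candidates.push("/etc/pki/tls/certs/ca-bundle.crt".into());
    println!("{:?}", choose_roots(&candidates, Policy::PreferSystem));
}
```

A caller would map `Roots::Native` to with_native_roots() and `Roots::BundledWebpki` to with_webpki_roots(); under `Policy::SystemOnly` the missing store surfaces as an error the application can report, and the trust anchors are never silently swapped.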

@GrantBirki

I was getting the same error as well. Tossed the line below into my Debian-based Dockerfile and it fixed the issue:

# Update certificate store
RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates
