-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fetching https://1.1.1.1 or any other bare IP address fails with 'invalid dnsname' #7660
Comments
I'm trying to do something similar and I believe this issue has its roots deep down the Rust ecosystem. Deno's Inside that Cargo.toml, we see that the reqwest build uses rustls (https://github.com/denoland/deno/blob/master/op_crates/fetch/Cargo.toml#L18) There is currently a limitation using Rustls when sending http requests to plain ip addresses (see rustls/rustls#281) which seems to stem from briansmith/webpki#54, an issue which has been open for 3 years. It seems there's not much you can do right now to get around this limitation apart from using a third-party request library which doesn't use rustls |
https://github.com/http-rs/surf |
https://github.com/async-email/async-native-tls |
Still won't work for GKE and other clusters until something happens for denoland/deno#7660
Any plans to support this with the native fetch implementation? This would be really nice for home automation projects. Edit: in the meantime, anyone who runs into this can create an entry in their hosts file as a workaround. |
I think it's reasonable to look for alternatives to rustls that don't rely on webpki. Even if the dns issue was resolved, there are other issues that seem to have just been abandoned, like support for self signed certificates. |
Deno supports self signed CA certificates through all available TLS APIs: Also I want to note that Brian seems to have continued work on this in WebPKI, so maybe we will see some progress soon. |
Yeah there's no winning when it comes to TLS 😑😔
Don't get me wrong I think you guys did a great job! ❤️ ✨ My specific use case involves shipping a binary (thanks to deno compile! ✨ ), to end users Native IP addresses not working makes this already pretty difficult 😅. Anyways, looks like there's just waiting that Brian becomes more responsive, |
This is untrue for Deno. We have tests validating that this works. You can use self signed CA certificates with Deno for all our TLS related APIs. |
Famous last words 😆
|
Hello, this exact problem is probably off-topic for this thread, which is that Deno cannot connect to IP address hosts using HTTPS. However, I can confirm that Deno has the above message when you try using a CA certificate directly on a server. I have a personal CA and just loaded up Deno HTTPS server using it. Resulting in:
That being said, Google Chrome is also refusing to establish a connection:
as well as curl:
Wow, it looks like wget's only problem is the hostname being wrong 😅
Surely I'd be able to golf a bit with the certificate's usage flags to get one that works elsewhere, and while I'm there I could fix the CA flag as well. It's unfortunate that the rust TLS ecosystem is acting a bit stagnant. I personally am quite blocked by the IP address issue, to the point where I'm writing code like |
Any updates about the progress of a possible fix for this issue, it seems to have been slept on. |
This has not been slept on. This is blocked on upstream missing support in |
@somethingelseentirely CA cert and TLS cert can not be the same - in you case it looks like they are. |
Going to see if I can drive this forward a little bit, because.. well.. I love Deno, but this was rather painful for me. So as I understand it, connecting to a Postgres Database with no DNS, just a hostname, using TLS, currently fails. Small code sample: await Deno.connectTls({
hostname: "34.76.80.151",
port: 5432,
certFile: "server-ca.pem",
}); Let's see if we can get that one step closer to working 💪 ! |
Straight off it's kinda odd that the docs give examples that don't work, and the default argument to |
Based on this quote and my own use-case for this feature, perhaps a more practical step forward would be adding a parameter to replicate the
I'd be ok telling Deno those servernames ^^ if it means avoiding 'invalid dnsname'. Of course the title issue should still be fixed, but upstream movement on it seems to be pretty slow. |
If a DNS record has multiple entries can you force Deno in the fetch to try another entry? |
I suppose the answer is no for the time being. We'll have to wait before |
I've been quiet for a year or so :) just checking in. It looks like the error message is different nowadays (Deno 1.29.1) for IPv4:
Interestingly, IPv6 IPs still just report And, in fact, the request does now work with Looking upstream, it seems rustls 0.21.0 will include a step towards this issue. I look forward to seeing where that goes: |
I forgot to mention a workaround: Minimal example with https://1.1.1.1: const tcp = await Deno.connect({ hostname: '1.1.1.1', port: 443 }); // the host we want to connect to
const tls = await Deno.startTls(tcp, { hostname: 'one.one.one.one' }); // the host we want to handshake with
// Send a raw HTTP request, and print the raw HTTP response:
await tls.write(new TextEncoder().encode('GET /healthz HTTP/1.1\r\nHost: 1.1.1.1\r\nConnection: close\r\n\r\n'));
for await (const text of tls.readable.pipeThrough(new TextDecoderStream())) {
console.log(text);
} Also, I published import { fetchUsing, TlsDialer } from "https://deno.land/x/[email protected]/mod.ts";
const dialer = new TlsDialer({ hostname: "one.one.one.one" });
const resp = await fetchUsing(dialer, "https://1.1.1.1/");
console.log(await resp.text()); This |
https://www.memorysafety.org/blog/rustls-new-features/
|
This commit adds support for connecting to IP addresses over HTTPS. This is done by updating "rustls" to "0.21.0" and other related crates. Closes #7660 Closes #17967 --------- Co-authored-by: Divy Srivastava <[email protected]>
thank you!! |
This commit adds support for connecting to IP addresses over HTTPS. This is done by updating "rustls" to "0.21.0" and other related crates. Closes #7660 Closes #17967 --------- Co-authored-by: Divy Srivastava <[email protected]>
HTTPS fetch with bare IPv4 address fails:
HTTPS fetch with bare IPv6 address fails:
Real curl is fine:
HTTPS fetch with DNS name that resolves to said IP addresses works:
The text was updated successfully, but these errors were encountered: