Certificate Issue in Windows and with Proxy #185

Open
ark- opened this issue Aug 16, 2017 · 8 comments
Labels
B-upstream Blocked: upstream. Depends on a dependency to make a change first.

Comments

@ark-

ark- commented Aug 16, 2017

I use Rust in a corporate environment in Windows.

I successfully got cargo to work with the following settings in the .cargo/config file:

proxy = "http://<ip>:3128"
check-revoke = false
cainfo = "c:/cert.pem"

Where cert.pem was obtained from my system.

Now, using reqwest I can successfully access HTTP urls using the proxy, however when accessing HTTPS urls I get the following error:

Error { kind: Io(Error { repr: Custom(Custom { kind: Other, error: Error { repr: Os { code: -2146762487, message: "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." } } }) }), url: Some("https://<website>.com") }

My code looks like so:

fn run_proxy() -> Result<()> {
    let proxy = format!("http://<ip>:3128");

    let mut buf = Vec::new();
    File::open("C:/cert.der")?
        .read_to_end(&mut buf)?;
    let cert = reqwest::Certificate::from_der(&buf)?;

    let url = "https://<website>.com";
    let res = reqwest::Client::builder()
        .unwrap()
        .add_root_certificate(cert)
        .unwrap()
        .proxy(reqwest::Proxy::all(&proxy).unwrap())
        .build()
        .unwrap()
        .get(url)
        .unwrap()
        .send()
        .unwrap();

    println!("{:?}", res.headers());

    let document = Document::from_read(res)?;
    println!("{:?}", document);

    Ok(())
}

Where cert.der is the DER encoded cert.pem seen in the above cargo config.

Am I using the library wrong, or is there a bug in reqwest or its dependencies? Happy to provide more information as required.

@seanmonstar
Owner

The certificate is to be able to speak with the proxy, or with the destination website?

@ark-
Author

ark- commented Aug 17, 2017

I believe it is the certificate for the proxy; the destination website is just reddit in this case.

@seanmonstar
Owner

Hm, and if you don't set the cert, what happens? You cannot connect to the proxy? Can you make requests without the proxy and cert?

@ark-
Author

ark- commented Aug 18, 2017

HTTPS Tests

With proxy & without cert

Error { repr: Os { code: -2146762487, message: "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." } } }) }), url: Some("https://reddit.com/r/rust") }

Without proxy & with cert

Runs for a long time, finally giving
Error { repr: Os { code: 10060, message: "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." } }), url: Some("https://reddit.com/r/rust") }

Without proxy or cert

Runs for a long time, finally giving
Error { repr: Os { code: 10060, message: "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." } }), url: Some("https://reddit.com/r/rust") }

@seanmonstar
Owner

Ah, so it looks like without the proxy, you're hitting a firewall or something that prevents the connection establishing with reddit. With the proxy and no certificate, are you able to connect to HTTP sites (not HTTPS)? I assume that without the certificate, the connection to the proxy cannot be trusted, and so no other requests can work.

I'd love to dig further into this, it seems related to the use of schannel on Windows. But to unblock you, there is something you can do if you don't care to dig as well. Since reqwest uses schannel on Windows, that means it will make use of the certificate store of the operating system. See here for how to add a certificate to the OS trust store.

@seanmonstar
Owner

Oh also, knowing what Windows version you're using would be very useful.

@seanmonstar seanmonstar added the B-upstream Blocked: upstream. Depends on a dependency to make a change first. label Aug 19, 2017
@ark-
Author

ark- commented Aug 20, 2017

Thanks for the advice! I can try your suggestions on Monday when back in the office. I'm using Windows 7, by the way.

@ark-
Author

ark- commented Aug 21, 2017

HTTP Tests

With proxy & with certificate: 🆗

With proxy & without certificate: 🆗

Without proxy & with cert:

Runs for a long time, finally giving
Error { repr: Os { code: 10060, message: "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." } }), url: Some("http://www.netinstructions.com/how-to-monitor-your-linux-machine/") }

Without proxy or cert

Runs for a long time, finally giving
Error { repr: Os { code: 10060, message: "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." } }), url: Some("http://www.netinstructions.com/how-to-monitor-your-linux-machine/") }
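
The two OS error codes quoted in the test results above can be decoded to show which layer failed. This is an added example, not code from the thread or from reqwest; the `Hresult` struct, the `Layer` labels and the function names are this example's own.

```rust
/// Fields of a Windows HRESULT: bit 31 = failure, bits 16..26 = facility,
/// bits 0..15 = code. Rust prints the value as a signed i32.
#[derive(Debug, PartialEq)]
struct Hresult {
    raw: u32,
    failure: bool,
    facility: u16,
    code: u16,
}

fn decode_hresult(os_code: i32) -> Hresult {
    let raw = os_code as u32; // reinterpret the signed value bit-for-bit
    Hresult {
        raw,
        failure: raw & 0x8000_0000 != 0,
        facility: ((raw >> 16) & 0x07FF) as u16,
        code: (raw & 0xFFFF) as u16,
    }
}

const FACILITY_CERT: u16 = 0x0B; // certificate validation errors (CERT_E_*)
const WSAETIMEDOUT: i32 = 10060; // Winsock connect timeout, not an HRESULT

/// Labels chosen for this example to name the failing layer.
#[derive(Debug, PartialEq)]
enum Layer {
    CertificateTrust, // TLS chain validation rejected the peer's chain
    NetworkTimeout,   // TCP connection never completed
    Other,
}

fn classify(os_code: i32) -> Layer {
    if os_code == WSAETIMEDOUT {
        return Layer::NetworkTimeout;
    }
    let h = decode_hresult(os_code);
    if h.failure && h.facility == FACILITY_CERT {
        Layer::CertificateTrust
    } else {
        Layer::Other
    }
}

fn main() {
    // The two codes that appear in the error output quoted in this thread.
    for &code in [-2146762487i32, 10060].iter() {
        let h = decode_hresult(code);
        println!("{}: 0x{:08X} facility={:#x} code={:#x} -> {:?}",
                 code, h.raw, h.facility, h.code, classify(code));
    }
}
```

`-2146762487` is `0x800B0109` (`CERT_E_UNTRUSTEDROOT`), so the HTTPS-via-proxy failure happens during certificate chain validation after the connection is established, while `10060` means the direct connections never completed at the TCP level.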
