When we try to use cargo pgrx init we got this error:
Error:
0: unable to retrieve https://www.postgresql.org/versions.rss
1: io: invalid peer certificate: UnknownIssuer
This comes from:
|
static VERSIONS_RSS_URL: &str = "https://www.postgresql.org/versions.rss"; |
|
|
|
let http_client = build_agent_for_url(VERSIONS_RSS_URL)?; |
|
let mut response = http_client |
which use the agent created by:
|
if let Some(proxy_url) = for_url_str(url).to_string() { |
|
let config = Agent::config_builder().proxy(Some(Proxy::new(&proxy_url)?)).build(); |
|
Ok(Agent::new_with_config(config)) |
|
} else { |
|
Ok(Agent::new_with_defaults()) |
|
} |
This app use ureq library which is clear about the root certificate : the default is to use the mozilla static certificate and it is not possible to add one. https://docs.rs/ureq/latest/ureq/#root-certificates.
You end up with an issue with companies that use kind of corporate proxy (transparent or not) that may inspect the content
In such situation, you have an internal certificate you have to trust (well it is usually setup on OS trusted cert so you don't really care about ). But here ... really really really painful...
When you check the webpki root crate documentation ( https://docs.rs/webpki-roots/0.26.8/webpki_roots/ ) it is assumed it can be hard to use on some situation, and you should check another solution to use system truststore.
as ureq can do that https://docs.rs/ureq/latest/ureq/#platform-verifier perhaps the agent should use this.
When we try to use
cargo pgrx initwe got this error:This comes from:
pgrx/cargo-pgrx/src/command/version.rs
Lines 47 to 50 in b1868d8
which use the agent created by:
pgrx/cargo-pgrx/src/command/mod.rs
Lines 35 to 40 in b1868d8
This app use ureq library which is clear about the root certificate : the default is to use the mozilla static certificate and it is not possible to add one. https://docs.rs/ureq/latest/ureq/#root-certificates.
You end up with an issue with companies that use kind of corporate proxy (transparent or not) that may inspect the content
In such situation, you have an internal certificate you have to trust (well it is usually setup on OS trusted cert so you don't really care about ). But here ... really really really painful...
When you check the webpki root crate documentation ( https://docs.rs/webpki-roots/0.26.8/webpki_roots/ ) it is assumed it can be hard to use on some situation, and you should check another solution to use system truststore.
as ureq can do that https://docs.rs/ureq/latest/ureq/#platform-verifier perhaps the agent should use this.