Reproduction
On Linux:
export SSL_CERT_DIR=:/etc/ssl/certs
Then use any crate that eventually calls rustls_native_certs::load_native_certs(), for example via rustls-platform-verifier:
(e.g. using https://bitwarden.com/help/secrets-manager-cli/)
This logs:
[WARN rustls_platform_verifier::verification::others]
Error loading CA root certificate:
opening directory: No such file or directory (os error 2) at ''
Root cause
SSL_CERT_DIR is parsed using env::split_paths():
dirs: match env::var_os(ENV_CERT_DIR) {
Some(dirs) => env::split_paths(&dirs).collect(),
None => Vec::new(),
},A leading/trailing separator (e.g. :/etc/ssl/certs) produces an empty path component, which becomes PathBuf("").
Later:
returns ENOENT and emits the warning.
Expected behavior
Empty path entries in SSL_CERT_DIR should probably be ignored silently, similar to how many PATH-like environment variable parsers behave.
Possible fix:
dirs: match env::var_os(ENV_CERT_DIR) {
Some(dirs) => env::split_paths(&dirs)
.filter(|p| !p.as_os_str().is_empty())
.collect(),
None => Vec::new(),
},Notes
This is mostly harmless because valid directories still load correctly, but it creates noisy warnings in downstream consumers like rustls-platform-verifier.
Reproduction
On Linux:
export SSL_CERT_DIR=:/etc/ssl/certsThen use any crate that eventually calls
rustls_native_certs::load_native_certs(), for example viarustls-platform-verifier:(e.g. using https://bitwarden.com/help/secrets-manager-cli/)
This logs:
Root cause
SSL_CERT_DIRis parsed usingenv::split_paths():A leading/trailing separator (e.g.
:/etc/ssl/certs) produces an empty path component, which becomesPathBuf("").Later:
returns ENOENT and emits the warning.
Expected behavior
Empty path entries in
SSL_CERT_DIRshould probably be ignored silently, similar to how many PATH-like environment variable parsers behave.Possible fix:
Notes
This is mostly harmless because valid directories still load correctly, but it creates noisy warnings in downstream consumers like
rustls-platform-verifier.