
My app requires the use of reqwest, which throws the error

error sending request for url (https://testserver.com/data): error trying to connect: invalid certificate: CAUsedAsEndEntity

I have a self-hosted test CA, self-signed. My environment is Ubuntu 18.04, openssl 1.1.1.

How can I bypass this error or reconfigure my certificate so that this error doesn't repeat again?

My certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ...
        Validity
            Not Before: Oct 31 22:03:07 2021 GMT
            Not After : Oct 31 22:08:07 2121 GMT
        Subject: CN = ...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ....
                    e8:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                ...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Subject Information Access: 
                1.3.6.1.5.5.7.48.13 - URI:https://testserver.com/data

            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.5.5.7.14.2

            sbgp-ipAddrBlock: critical
                IPv4:
                  0.0.0.0/0
                IPv6:
                  ::/0

            sbgp-autonomousSysNum: critical
                Autonomous System Numbers:
                  0-4294967295

    Signature Algorithm: sha256WithRSAEncryption
Mnemosyne
  • A self-signed certificate is not considered a valid TLS certificate. You can use [danger_accept_invalid_certs()](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs) to disable certificate validation. – Sven Marnach Dec 01 '21 at 15:58
  • @SvenMarnach if you explicitly add the self-signed cert to the accepted certs, rustls refuses it while EVERY OTHER implementation accepts it, as it should be... https://github.com/lightningnetwork/lnd/issues/5450 https://github.com/rustls/rustls/issues/143 https://github.com/rustls/rustls/issues/772 https://github.com/lightningnetwork/lnd/pull/4209 https://github.com/lightningnetwork/lnd/issues/5450 https://github.com/briansmith/webpki/issues/114 – Stargateur Dec 01 '21 at 16:18
  • but anyway, what would people want an end-to-end encrypted tunnel for? It is really really really really really annoying that a perfectly valid use case of TLS doesn't work in Rust. – Stargateur Dec 01 '21 at 16:19
  • @Stargateur I was under the impression that reqwest uses OpenSSL, not rustls. I also wouldn't say that using self-signed certs "doesn't work in Rust", just because it doesn't work in one of the libraries. – Sven Marnach Dec 01 '21 at 16:39
  • @SvenMarnach I'm open to all suggestion. – Stargateur Dec 01 '21 at 17:28
  • I just tried this on Ubuntu 20.04, and I couldn't reproduce the problem. I used the code `reqwest::blocking::get("https://self-signed.badssl.com/").unwrap()`, and it failed as expected. I then downloaded the self-signed cert from that domain and added it to my OS CA store, and then the code worked as expected. – Sven Marnach Dec 01 '21 at 19:55
  • 1
    A self-signed certificate used as an end-entity cert should have `CA:FALSE` in the "X509v3 Basic Constraints" extension. I guess this is what's causing your problem. – Sven Marnach Dec 02 '21 at 08:55

0 Answers