Skip to content

Commit 6f5084f

Browse files
committed
fix(cli): use OS trust store for reqwest TLS verification
Switch reqwest from `rustls-tls` (bundled Mozilla webpki roots) to `rustls-tls-native-roots` (OS certificate store) so that the CLI trusts the same CAs as the rest of the system. This fixes OIDC discovery failures against Keycloak instances using certificates signed by internal CAs present in the system trust bundle.
1 parent 3b61c9c commit 6f5084f

3 files changed

Lines changed: 8 additions & 4 deletions

File tree

Cargo.lock

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,7 @@ serde_yml = "0.0.12"
7272
apollo-parser = "0.8.5"
7373

7474
# HTTP client
75-
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
75+
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots"] }
7676

7777
# WebSocket
7878
tokio-tungstenite = { version = "0.26", features = ["rustls-tls-native-roots"] }

crates/openshell-cli/src/tls.rs

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -406,9 +406,12 @@ pub async fn build_channel(server: &str, tls: &TlsOptions) -> Result<Channel> {
406406
.ca
407407
.as_ref()
408408
.and_then(|ca_path| std::fs::read(ca_path).ok())
409-
.map_or_else(ClientTlsConfig::new, |ca_pem| {
410-
ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca_pem))
411-
})
409+
.map_or_else(
410+
|| ClientTlsConfig::new().with_enabled_roots(),
411+
|ca_pem| {
412+
ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca_pem))
413+
},
414+
)
412415
},
413416
|materials| build_tonic_tls_config(&materials),
414417
)

0 commit comments

Comments
 (0)