GKE access failed via reqwest
[package] | |
name = "test_gke_cert" | |
version = "0.1.0" | |
authors = ["David Bernard"] | |
edition = "2018" | |
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html | |
[dependencies] | |
openssl = { version = "^0.10", features = ["vendored"] } | |
tokio = { version = "^0.2.5", features = ["full"]} | |
# curl = "0.4.25" # ok | |
# curl = {version = "0.4.25", features = ["static-ssl"] } # ok | |
curl = {version = "0.4.25", features = ["mesalink"] } # ok | |
# curl = {version = "0.4.25", features = ["static-curl"] } # failed | |
# curl = {version = "0.4.25", features = ["static-curl", "mesalink"] } # failed | |
# curl = {version = "0.4.25", features = ["static-curl", "static-ssl"] } # failed | |
[dependencies.reqwest] | |
#version = "0.10.0" | |
# version = " 0.10.0-alpha.2" | |
git = "https://github.com/seanmonstar/reqwest" | |
rev = "18fd9a63b0eb7bf51d2e2b7fe31b4567f0b05779" | |
features = ["json", "gzip", "rustls-tls"] | |
# features = ["rustls-tls"] | |
# # TODO: rustls |
// Mac OSX (Catalina 10.15.2): | |
// ``` | |
// --- with curl --- | |
// {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403} | |
// [src/main.rs:51] main_with_curl().await = Ok( | |
// (), | |
// ) | |
// --- with reqwest --- | |
// [src/main.rs:53] main_with_reqwest().await = Err( | |
// reqwest::Error { | |
// kind: Request, | |
// url: "https://35.232.6.83/", | |
// source: hyper::Error( | |
// Connect, | |
// Error { | |
// code: -67843, | |
// message: "The certificate was not trusted.", | |
// }, | |
// ), | |
// }, | |
// ) | |
// ``` | |
// | |
// Linux: | |
// ``` | |
// Response { | |
// url: "https://35.232.6.83/", | |
// status: 403, | |
// headers: { | |
// "audit-id": "83ac14e8-8beb-4456-b495-35c81ba9b348", | |
// "content-type": "application/json", | |
// "x-content-type-options": "nosniff", | |
// "date": "Sat, 21 Dec 2019 18:21:52 GMT", | |
// "content-length": "185", | |
// }, | |
// } | |
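// ```
//
/// Base URL of the API server under test, addressed by IP rather than by DNS name.
///
/// NOTE(review): with an IP-literal URL the server certificate has to carry a matching
/// IP subjectAltName and the TLS backend has to support IP SANs; this is presumably
/// relevant to the per-platform differences shown in the transcript above. Verify.
const SERVERAPI_URL: &str = "https://35.232.6.83";

/// PEM-encoded CA certificate handed to both clients as the trust anchor for
/// [`SERVERAPI_URL`].
///
/// This is a public certificate, not key material. The raw string begins with a
/// newline before the `-----BEGIN CERTIFICATE-----` line; the same bytes are parsed
/// by OpenSSL in `main_with_reqwest` and written verbatim to disk in `main_with_curl`.
const CACERT_PEM: &str = r#"
-----BEGIN CERTIFICATE-----
MIIDDDCCAfSgAwIBAgIRANMRvVXXaTbXyxpbqXtlgyEwDQYJKoZIhvcNAQELBQAw
LzEtMCsGA1UEAxMkMzg1NTM1MzEtOTgwNS00NzcwLTllMzItMmY1MmM1NDU3NWY4
MB4XDTE5MTIxOTA3NTM1OVoXDTI0MTIxNzA4NTM1OVowLzEtMCsGA1UEAxMkMzg1
NTM1MzEtOTgwNS00NzcwLTllMzItMmY1MmM1NDU3NWY4MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAmX8Eg6r6tygSiIM3nMS4VwnYoXrrIuixlCGqsI4L
sw5j9oTslbNvsOjfFnRGyMK6wPm7x/htMC5B44Jyh2BedZbfcp7WXZJr7Dq/9SgR
/TPZmb1GwqVvqfE4RmzwK6wcaMSEkF/mqc9+IWiEpmMRmkdsvj2/8fydQM2+Wj8y
qSzaIgMopsaNuA4EWIKABeQH8vzIMjiEsvSpGDRRF14G6OMeCUypa780HCUwNKkc
BaAUc1VzAcQYTNzx78Y4IZCJjkwtBfKYWUibIWWeJaDAzNEbYGeBNtc6/kbvUuCL
VmibQ5+Qo6kgjchElRECZU4dhz8FKOMWh3YFyNpE7hZqrwIDAQABoyMwITAOBgNV
HQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA
b0qhFcv4LriftJrB5RX0XHjEjGiEirv4Xq9rUgGOTYGnrtKtqu7DPIoZagYgByTX
VnpqGJczQ/ZGZyAeE502uH6np6ftmQi98NFNe5W7btv/U4ZHN8VzQ2+77uBw/orY
YuVKNMMcc+CfO8pX2rv8Z4YUUvBz3/YO9h5K1IBjXuLCI+PM6+2OMFfaoSI0Iz8q
sazWeeT8orW1/LdJMokCkGqgPZC8X15j2/E6YlzPeebAQK/QgpMYg9XoHWJcuhSx
RgGI71iQAaYoBYSxSgV2cteECEiJlMoInkU0HCX7JlZlR/ypZl+ybPFVQigsAfpu
o098cHJLzIFII9icY8n1dQ==
-----END CERTIFICATE-----
"#;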
/// Runs the same HTTPS request through curl and then through reqwest, printing a
/// banner on stdout and each call's `Result` via `dbg!` so the two outcomes can be
/// compared side by side.
#[tokio::main]
async fn main() {
    // Neither result is propagated: a failure in one client must not stop the other
    // from running, since the comparison is the point of the program.
    println!("--- with curl ---");
    let _ = dbg!(main_with_curl().await);

    println!("--- with reqwest ---");
    let _ = dbg!(main_with_reqwest().await);
}
/// Sends a GET to `SERVERAPI_URL` with reqwest, adding `CACERT_PEM` as a root
/// certificate, and pretty-prints the response.
///
/// The PEM text is parsed with OpenSSL and re-encoded as DER before it is handed to
/// reqwest.
///
/// NOTE(review): the client is built without selecting a TLS backend, and the macOS
/// error in the transcript at the top of this file looks like a platform TLS error, so
/// the default backend is presumably in use even though the manifest enables the
/// `rustls-tls` feature. `ClientBuilder::use_rustls_tls()` selects rustls explicitly;
/// confirm it is available at the pinned reqwest revision.
///
/// # Errors
/// Returns the first error raised by PEM parsing, DER encoding, certificate import,
/// client construction, or the request itself.
async fn main_with_reqwest() -> Result<(), Box<dyn std::error::Error>> {
    use openssl::x509::X509;

    // PEM -> DER round trip through OpenSSL, then import into reqwest.
    let der = X509::from_pem(CACERT_PEM.as_bytes())?.to_der()?;
    let root = reqwest::Certificate::from_der(&der)?;

    // Certificate verification is deliberately left on. Calling
    // `.danger_accept_invalid_certs(true)` on the builder would silence the trust
    // error only by giving up server authentication, so it is useful at most as a
    // throwaway diagnostic and never as the fix.
    let client = reqwest::Client::builder()
        .add_root_certificate(root)
        .build()?;

    let resp = client.get(SERVERAPI_URL).send().await?;
    println!("{:#?}", resp);
    Ok(())
}
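// Shell equivalent: curl -i -v https://35.232.6.83 --cacert ./ca.x509.crt
/// Sends a GET to `SERVERAPI_URL` with libcurl, trusting `CACERT_PEM`, and streams
/// the response body to stdout.
///
/// The CA certificate is passed to curl as a file path, so it is first written to
/// `ca.x509.crt` in the current working directory (overwriting any existing file)
/// and left there afterwards. Whatever that file contains when the transfer starts
/// is what curl trusts, so run this from a directory that only you can write to.
///
/// NOTE(review): `perform()` blocks the calling thread even though this is an
/// `async fn`; that is harmless in this two-step test program.
///
/// # Errors
/// Returns an error if the CA file cannot be written, if any curl option is rejected,
/// or if the transfer fails, including when the body cannot be written to stdout.
async fn main_with_curl() -> Result<(), Box<dyn std::error::Error>> {
    use curl::easy::Easy;
    use std::io::{stdout, Write};

    let mut easy = Easy::new();
    let cacert = std::path::Path::new("ca.x509.crt");
    std::fs::write(cacert, CACERT_PEM)?;
    easy.cainfo(cacert)?;
    easy.url(SERVERAPI_URL)?;
    easy.write_function(|data| {
        // Reporting fewer bytes than were offered makes libcurl abort the transfer
        // with a write error, which then surfaces from `perform()` as an `Err`
        // instead of panicking inside the callback (e.g. on a closed stdout pipe).
        match stdout().write_all(data) {
            Ok(()) => Ok(data.len()),
            Err(_) => Ok(0),
        }
    })?;
    easy.perform()?;
    Ok(())
}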
# Write the CA certificate to ./ca.x509.crt. The heredoc delimiter is quoted so the
# shell copies the PEM text literally, with no expansion.
cat <<'EOF' >ca.x509.crt
-----BEGIN CERTIFICATE-----
MIIDDDCCAfSgAwIBAgIRANMRvVXXaTbXyxpbqXtlgyEwDQYJKoZIhvcNAQELBQAw
LzEtMCsGA1UEAxMkMzg1NTM1MzEtOTgwNS00NzcwLTllMzItMmY1MmM1NDU3NWY4
MB4XDTE5MTIxOTA3NTM1OVoXDTI0MTIxNzA4NTM1OVowLzEtMCsGA1UEAxMkMzg1
NTM1MzEtOTgwNS00NzcwLTllMzItMmY1MmM1NDU3NWY4MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAmX8Eg6r6tygSiIM3nMS4VwnYoXrrIuixlCGqsI4L
sw5j9oTslbNvsOjfFnRGyMK6wPm7x/htMC5B44Jyh2BedZbfcp7WXZJr7Dq/9SgR
/TPZmb1GwqVvqfE4RmzwK6wcaMSEkF/mqc9+IWiEpmMRmkdsvj2/8fydQM2+Wj8y
qSzaIgMopsaNuA4EWIKABeQH8vzIMjiEsvSpGDRRF14G6OMeCUypa780HCUwNKkc
BaAUc1VzAcQYTNzx78Y4IZCJjkwtBfKYWUibIWWeJaDAzNEbYGeBNtc6/kbvUuCL
VmibQ5+Qo6kgjchElRECZU4dhz8FKOMWh3YFyNpE7hZqrwIDAQABoyMwITAOBgNV
HQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA
b0qhFcv4LriftJrB5RX0XHjEjGiEirv4Xq9rUgGOTYGnrtKtqu7DPIoZagYgByTX
VnpqGJczQ/ZGZyAeE502uH6np6ftmQi98NFNe5W7btv/U4ZHN8VzQ2+77uBw/orY
YuVKNMMcc+CfO8pX2rv8Z4YUUvBz3/YO9h5K1IBjXuLCI+PM6+2OMFfaoSI0Iz8q
sazWeeT8orW1/LdJMokCkGqgPZC8X15j2/E6YlzPeebAQK/QgpMYg9XoHWJcuhSx
RgGI71iQAaYoBYSxSgV2cteECEiJlMoInkU0HCX7JlZlR/ypZl+ybPFVQigsAfpu
o098cHJLzIFII9icY8n1dQ==
-----END CERTIFICATE-----
EOF

# Decode the certificate for inspection (subject, validity, extensions).
openssl x509 -noout -text -in ca.x509.crt

# Reference request: same endpoint, verified against the CA file written above.
curl -i -v --cacert ./ca.x509.crt https://35.232.6.83