-
-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to upload artifact to Notary API when behind Corporate Proxy #84
Comments
For the first error, we use rustls for the TLS, using webpki as the trust root. I suppose we should change to use the native root trusts instead? Assuming the corporate proxy is one of those ass-backwards proxy that sets a catchall tls cert. |
@roblabla That would be ideal. I think many enterprise corporate proxies will run with some level of TLS interception. |
@austinsasko can you try the binaries from https://github.com/indygreg/apple-platform-rs/actions/runs/5869121441 ? |
That did resolve the certificate error. Thank you |
Although, unfortunately I now encounter a separate issue, an error with the S3 upload stage:
|
Right, s3 is going through smithy, which is using a different version of rustls, and so didn't accept native TLS certs. I updated smithy so its rustls version matches, and started a new build @ https://github.com/indygreg/apple-platform-rs/actions/runs/5872829057 . |
Made it past the command erroring out immediately -- it seems to be getting better and better with each build you provide, thank you.
|
Is this due to awslabs/aws-sdk-rust#169? |
Can you try running with |
I don't think so. This seems to be about support for explicit proxies (ergo proxies that you connect to using one of the many proxy protocols, like HTTP CONNECT, SOCKS5 or whatever). In your case, the proxying is supposedly done by a middlebox in your connection redirecting the traffic to the proxy - without any kind of configuration on your part. |
With
|
@roblabla Any idea with the above log? Thanks :) |
Well, the problem is in the S3 upload, but the logs aren't giving me enough information to figure out what's going on, unfortunately (smithy isn't being very verbose). However, if the proxy is somehow tampering with the request, there's a chance that the failure is coming from the signature failing to validate, in which case there isn't much we can do. |
The |
When attempting to upload an artifact to the notary API behind a corporate proxy, depending on the environment, one of following errors are encountered:
Error: HTTP error: error sending request for url (https://appstoreconnect.apple.com/notary/v2/submissions): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
Error: error sending request for url (https://appstoreconnect.apple.com/notary/v2/submissions): error trying to connect: unsuccessful tunnel
Is there a flag or override in which the API call can leverage provided proxies / provided CA chain?
Note: I am able to access that API via POST directly from cURL or Postman on the same machine
The text was updated successfully, but these errors were encountered: