[cargo + cert] Dependency install fails on build server


There is a series of projects I’m developing for work in Rust, but I’ve run into a bit of a complex problem.
(skip to the last paragraph if you want to skip the context)

The dependency chain looks like this: Customer Facing Project → NPM module → xquery interpreter → xquery parser.

Each of these projects has other dependencies, but this chain is the important part for this post.
The NPM module is based on neon, which provides Node.JS bindings for Rust code.
The interpreter and parser are written in Rust.

On the build server, when the slave is trying to build the CFP, all goes well throughout the chain until neon needs to update its dependency on the interpreter, which is stored on a separate git server that uses a certificate.
For this updating, neon uses cargo, as indicated by these lines of the log:

neon info running cargo
neon info cargo build --release
    Updating git repository `https://[redacted]/sbr-xquery-interpreter-api`
error: failed to load source for a dependency on `sbr-xquery-interpreter-api`

It’s because neon uses cargo that I’m posting here rather than creating an issue on the neon github page, so all of the above is just for context.

My question is, given that cargo has an issue with actually pulling in the sbr-xquery-interpreter-api dependency, could it be that cargo has a problem with accessing the certificate? And if so, what can I do about it?


Cargo uses libgit2, which doesn’t match up to the git binary’s normal behavior around authentication. In the case of ssh-based git, you need to have an ssh-agent server running with your keys loaded. I haven’t done certificate based auth before, but it’ll probably involve something similar.


Hi, thanks for the response.

I don’t mean SSH public/private keys, what I mean is SSL certificates i.e. CRT/PEM files.
Specifically it tells me that it can’t go through the entire certificate chain (or words to that effect).
This should be nonsense since the very same certificate works on my development machine.
But it still gives me that error so clearly it’s not nonsense.


From this issue, "libgit2 does not support client certificates at this moment"

As a workaround, maybe neon or some other wrapper could mirror the repo locally with plain git first, then use that local path for cargo.
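
The workaround suggested in the reply above, sketched as an added example that is not part of the original thread: the git binary fetches a mirror with TLS verification left on, and the manifest is then pointed at the local copy. The URL, paths, the optional CA bundle argument and both function names are assumptions, as is that cargo reads the mirror through a `file://` git URL.

```shell
#!/bin/sh
# Added example; URL, paths and function names are placeholders, not from the thread.
# Usage: sh mirror-dep.sh <repo-url> <abs-mirror-dir> <Cargo.toml> [ca-bundle.pem]

# Clone or refresh a bare mirror with the git binary. TLS verification stays
# enabled; an optional PEM bundle for a private CA is handed to git through
# GIT_SSL_CAINFO rather than switching verification off.
mirror_repo() {
    url=$1; mirror=$2; ca_bundle=${3:-}
    if [ -n "$ca_bundle" ]; then
        GIT_SSL_CAINFO=$ca_bundle
        export GIT_SSL_CAINFO
    fi
    if [ -d "$mirror" ]; then
        git -C "$mirror" remote update --prune
    else
        git clone --mirror "$url" "$mirror"
    fi
}

# Rewrite the quoted remote URL in a Cargo.toml to a file:// URL for the
# mirror, so cargo only reads the local copy. $mirror must be an absolute path.
# Matching includes the surrounding quotes so longer URLs with the same prefix
# are left alone.
point_manifest_at_mirror() {
    manifest=$1; url=$2; mirror=$3
    # Escape regex metacharacters in the URL and sed specials in the replacement.
    pat=$(printf '%s' "$url" | sed 's/[][\.*^$|]/\\&/g')
    rep=$(printf '%s' "file://$mirror" | sed 's/[&|\]/\\&/g')
    sed "s|\"$pat\"|\"$rep\"|g" "$manifest" > "$manifest.tmp" &&
        mv "$manifest.tmp" "$manifest"
}

# Run both steps only when called with arguments.
if [ "$#" -ge 3 ]; then
    mirror_repo "$1" "$2" "${4:-}" && point_manifest_at_mirror "$3" "$1" "$2"
fi
```

Run it on the build server before the step that invokes cargo. An existing Cargo.lock still records the old source URL, so cargo will re-resolve that dependency on the next build.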


Yeah I was afraid of that. Thank you for the information, at least I can do something with this.