Cargo registry with SSL certificate auth

I'd like to run a private Cargo registry on VPS, to make building of some my personal projects a bit easier (now I have to use path dependencies, and this is... well, not very good in some cases). This VPS already runs a web server with SSL certificate authentification, and I'd like to place Cargo registry behind this authentication, too. Is this possible?

It should definitely be possible! Even if the software you use to run the private cargo registry is HTTP-only, you can always run it behind a reverse-proxy like nginx which can add HTTPS / SSL.

As for what software to use for a private cargo registry, I don't know all the options, but I know https://github.com/mcorbin/meuse exists and is one. It also directly supports SSL.

The question is not how to run the registry - this is, in fact, not a big problem. I wasn't able to find out how to connect to this registry - i.e., how to instruct Cargo to use SSL certificate authentification.

Cargo's docs has a Using an Alternate Registry chapter explaining how to point it at a different registry. Just make sure the URL starts with https and all communication will be done over SSL.

Yes, but I can't see anything about supplying client certificates. Maybe I'm just blind - please point me at the specific part of documentation, if this is really the case.

Cargo will use your system's trusted certificates.

The exact mechanism will depend on your OS, but here's how to install certificates on Ubuntu:

You should only need to do this if you've made your own self-signed certificates, though. If you've used a trusted CA (e.g. LetsEncrypt) then whatever TLS layer Cargo uses for secure communication should walk the certificate chain and trust it automatically.

Probably I wasn't clear with my question, so I'll try to explain it again.

I already have an Nginx instance running on VPS. This Nginx is set up to use SSL for certain domain with both certificates: server certificate, signed by Let's Encrypt, and client certificate, signed by my own CA. When I access this domain with browser, I'm explicitly asked to provide client certificate from the list of registered certificates, otherwise Nginx will reject the query.
I'd like to run a Cargo registry on this server behind the same proxy, reusing the existing client authentication scheme. Is this possible with Cargo?

Hi,

as far as I understand your explanation the client certificate you are requested to choose is not used for the SSL handshake as such but for authentication to your endpoint, correct me if I’m wrong. So I assume it is using x.509 client certificate authentication.

While cargo uses for crates download just a ssl connection this kind of authentication is not required there. However, if you’d like to publish to your private registry you would need to run cargo login against this.
As far as I’m aware a custom cargo registry need to consist at least of a github repo that serves the crates index. Cargo uses the git authentication procedure to login to this repo when running cargo login I’d assume. So if your git login also supports x.509 client certificate authentication that this should work. You might need to check what git configuration is required to support this. The crates.io registry for instance uses git tokens to do the authentication, if I’m not mistaken.

No, cargo does not support client certificate authentication.

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.