Using rustup behind a corporate firewall

Hi, I work at a company that proxies all traffic through a firewall that terminates all TLS connections and responds with the company's internal CA.
I have installed that CA (certificate authority) cert system-wide (Ubuntu), and most applications recognize it.
rustup, however, complains about certificate validation errors (see the example error messages below).

The question is, how do I configure rustup to trust my system's CAs? Or is there another way to specify trusted CAs?

rustup update
info: syncing channel updates for 'beta-x86_64-unknown-linux-gnu'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-beta.toml.sha256' to '/home/petr/.rustup/tmp/2b1b6etlpaskvqlf_file'
info: checking for self-updates
error: could not download file from 'https://static.rust-lang.org/rustup/release-stable.toml' to '/tmp/rustup-updatezyzM7g/release-stable.toml'
error: caused by: failed to make network request
error: caused by: https://static.rust-lang.org/rustup/release-stable.toml: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
error: caused by: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)

(Existing versions of the toolchains were installed earlier, when a direct connection was available.)

Hmm, that's interesting. I'm in the same situation with my firewall and I can get Rustup to work for me.

How did you trust your certificate system-wide? I copy my proxy cert to /usr/local/share/ca-certificates/proxyca.pem and then run update-ca-certificates.

Yes, I did exactly that.
OK, maybe I have to double-check the certificate then.

It is possible in principle that the company you work for has their own self-signed certs in order to snoop on the incoming and outgoing traffic (effectively a MITM attack on their own employees). If this is the case, I think your best option is to tunnel through with a reverse proxy, in effect creating a VPN to the outside world.

In my case that is what is happening (no maybes :slight_smile:). I can of course come up with some creative and subversive ways to avoid that, but I hope there's a way to play by the rules. Just imagine how I would have to explain the installation procedure to fellow engineers at the company when they want to work on the code...

Oh, wait, I put the cert in /usr/local/share/ca-certificates/proxyca.crt, not .pem. I think that does make a difference, but if the rest of the programs on your system are fine, then that's probably not the issue. :thinking:

Maybe you could try re-downloading rustup? There has to be a way to make it work, because I've got it working. I don't think I did anything weird to get it working, other than manually downloading the shell script to start it maybe, instead of using the curl bash thing. But you've already gotten it installed, so that doesn't seem right.

I know, right. :slight_smile:

The other option is to get the overly restrictive policies relaxed.
But good luck with that, because the middle management in charge of those policies won't get credit for relaxing them, while they will be held responsible if something bad happens as a result of the relaxation. Long story short: the incentives are such that you're unlikely to get the policy changed. Which leaves the brute-force, technological option.

In theory, yes. But it is a relatively big company, so 5 months to get this done would be an optimistic estimate; I am too impatient for that...

Not really a direct solution to your problem, rather yet another workaround, but less subversive this time: https://forge.rust-lang.org/infra/other-installation-methods.html#standalone

Yes, I learned that .crt thing the hard way :slight_smile:

It turns out that I was using the wrong certificate as the CA (it was actually one from the chain, but not the self-signed root).

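As an added example that is not part of this thread: a small script that tells a self-signed root apart from an intermediate before you copy it into /usr/local/share/ca-certificates, and that reproduces the "unable to get issuer certificate" failure offline when the trust anchor is only an intermediate. It assumes the openssl CLI is installed and builds a constructed root -> intermediate -> leaf chain in place of the company's real proxy certificates.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI; the chain it
# checks is constructed on the fly, not the real proxy's certificates.
set -e

# Returns 0 when subject == issuer (self-signed). By default (no partial-chain
# flag) OpenSSL only accepts self-signed certificates as trust anchors, so an
# intermediate copied into ca-certificates never completes the chain.
is_self_signed_root() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Verifies LEAF ($3) with ANCHOR ($1) as the only trusted cert and UNTRUSTED ($2)
# as the chain a server would send. Prints "OK" or OpenSSL's reason string.
verify_result() {
    out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" 2>&1) \
        && { echo OK; return 0; }
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Builds a constructed chain in directory $1: root (self-signed, CA:TRUE),
# intermediate (signed by root, CA:TRUE) and leaf (signed by intermediate).
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root intermediate leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Constructed $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

dir=$(mktemp -d)
make_test_chain "$dir"
for c in root intermediate leaf; do
    if is_self_signed_root "$dir/$c.crt"; then echo "$c.crt: self-signed root"
    else echo "$c.crt: not a root (do not install this as the CA)"; fi
done
# Anchoring on the intermediate reproduces the thread's error; the root verifies.
echo "anchor=intermediate: $(verify_result "$dir/intermediate.crt" "$dir/intermediate.crt" "$dir/leaf.crt")"
echo "anchor=root:         $(verify_result "$dir/root.crt" "$dir/intermediate.crt" "$dir/leaf.crt")"
rm -rf "$dir"
```

Remember that update-ca-certificates only picks up files ending in .crt from /usr/local/share/ca-certificates, as mentioned earlier in the thread, so the root must be saved under that extension as well.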
Yay! :tada: Glad you got it working.

I know how difficult it can be to get some programs working behind proxies and it's always a big deal when it finally works. :slight_smile: