From 25bb59d2ce83b03356a86013bb80107d29737b52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?=
Date: Tue, 13 Aug 2024 17:12:45 +0100
Subject: [PATCH] fix(tls): print a warning if a system certificate can't be loaded (#25023)
This commit changes how system certificates are loaded on startup. Instead of hard erroring if a certificate can't be decoded, we are now printing a warning and bumping a hex representation of the certificate and continue execution. Ref https://github.com/denoland/deno/issues/24137
---
 cli/args/mod.rs | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/cli/args/mod.rs b/cli/args/mod.rs
index afad0528c3..0f6f050efe 100644
--- a/cli/args/mod.rs
+++ b/cli/args/mod.rs
@@ -640,8 +640,6 @@ pub enum RootCertStoreLoadError {
 UnknownStore(String),
 #[error("Unable to add pem file to certificate store: {0}")]
 FailedAddPemFile(String),
- #[error("Unable to add system certificate to certificate store: {0}")]
- FailedAddSystemCert(String),
 #[error("Failed opening CA file: {0}")]
 CaFileOpenError(String),
 }
@@ -675,11 +673,19 @@ pub fn get_root_cert_store(
 "system" => {
 let roots = load_native_certs().expect("could not load platform certs");
 for root in roots {
- root_cert_store
- .add(rustls::pki_types::CertificateDer::from(root.0))
- .map_err(|e| {
- RootCertStoreLoadError::FailedAddSystemCert(e.to_string())
- })?;
+ if let Err(err) = root_cert_store
+ .add(rustls::pki_types::CertificateDer::from(root.0.clone()))
+ {
+ log::error!(
+ "{}",
+ colors::yellow(&format!(
+ "Unable to add system certificate to certificate store: {:?}",
+ err
+ ))
+ );
+ let hex_encoded_root = faster_hex::hex_string(&root.0);
+ log::error!("{}", colors::gray(&hex_encoded_root));
+ }
 }
 }
 _ => {
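Review bot: In the `"system"` arm of get_root_cert_store, the skipped-certificate message is called a warning in the commit message and coloured yellow, but it is emitted with `log::error!`, so level-based filtering and alerting will count a skipped root as an error; `log::warn!` matches the stated intent. The hex dump goes out as a second, separate `log::error!` record, which is hard to tie back to its message once logs are interleaved or shipped elsewhere, and a full DER dump per bad root can be large, so a single record carrying both would be easier to triage. `root.0.clone()` copies every certificate only to keep the bytes for the failure path; borrowing should be enough, e.g. `.add(rustls::pki_types::CertificateDer::from(root.0.as_slice()))`, assuming `root.0` is a `Vec<u8>` as the `hex_string(&root.0)` call suggests. Skipping a root only shrinks the trust store, which is the safe direction, but nothing reports how many roots were skipped or whether the store ended up empty, so a short summary line after the loop would help operators notice a degraded store. The function body starts and ends outside the hunk.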