Corporate Proxy results in BadCertificate Alert #20668

Closed
twihno opened this issue Dec 13, 2022 · 5 comments
Labels
bug Something isn't working correctly needs triage

Comments

@twihno

twihno commented Dec 13, 2022

Describe the bug

A corporate proxy with its own HTTPS certificate results in the error/alert "Sending fatal alert BadCertificate" in the command line. The proxy cert is signed by the corporate CA with the root certificate imported into the OS cert store.

(Somewhat related to #11491)

Steps to Reproduce

start.sh

#!/bin/bash

export DENO_TLS_CA_STORE=system,mozilla

deno run -Ldebug \
  --allow-env \
  --allow-net \
  ./test.ts

test.ts

import { serve } from "https://deno.land/std@0.167.0/http/server.ts";

function handler(req: Request): Response {
  return new Response("Hello, World!");
}

serve(handler);

Output

$ ./start.sh 
DEBUG RS - deno::js:31 - Deno isolate init with snapshots.
DEBUG JS - args []
DEBUG RS - deno::worker:64 - main_module file:///<path>/test.ts
DEBUG RS - deno::proc_state:294 - Preparing module load.
DEBUG RS - deno::cache::parsed_source:146 - Loading cached module analyzer.
DEBUG RS - deno::proc_state:378 - Creating module graph.
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: file://<path>/test.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted read access to "<path>/test.ts"
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/http/server.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/http/server.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/http/server.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/mod.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/mod.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/mod.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/abortable.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/abortable.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/abortable.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/deadline.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/deadline.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/deadline.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/debounce.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/debounce.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/debounce.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/deferred.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/deferred.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/deferred.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/delay.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/mux_async_iterator.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/mux_async_iterator.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/mux_async_iterator.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/pool.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/pool.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/pool.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/retry.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/retry.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/retry.ts
DEBUG RS - deno::file_fetcher:538 - FileFetcher::fetch() - specifier: https://deno.land/std@0.167.0/async/tee.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:404 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.167.0/async/tee.ts
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:250 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.167.0/async/tee.ts
DEBUG RS - deno::proc_state:470 - Prepared module load.
DEBUG RS - deno_runtime::permissions:52 - ⚠️️  Granted net access to "0.0.0.0:8000"
Listening on http://localhost:8000/
DEBUG RS - deno_runtime::worker:320 - received module evaluate Ok(
    Ok(
        (),
    ),
)
DEBUG RS - reqwest::connect:560 - starting new connection: https://dl.deno.land/
DEBUG RS - rustls::client::hs:56 - No cached session for DnsName(DnsName(DnsName("dl.deno.land")))
DEBUG RS - rustls::client::hs:128 - Not resuming any session
DEBUG RS - rustls::client::hs:453 - ALPN protocol is None
DEBUG RS - rustls::client::hs:584 - Using ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
DEBUG RS - rustls::client::tls12::server_hello:82 - Server supports tickets
DEBUG RS - rustls::client::tls12:418 - ECDHE curve is ECParameters { curve_type: NamedCurve, named_group: X25519 }
DEBUG RS - rustls::client::tls12:709 - Server DNS name is DnsName(DnsName(DnsName("dl.deno.land")))
Sending fatal alert BadCertificate

Expected behavior

No error message

Additional Question
Why does Deno try to connect to https://dl.deno.land?

Environment

  • OS: Ubuntu 22.04.1 WSL
  • deno version: 1.28.3
  • std version: 0.167.0
@twihno twihno added bug Something isn't working correctly needs triage labels Dec 13, 2022
@lino-levan
Contributor

lino-levan commented Sep 25, 2023

@kt3k do you think this one is still valid? My feeling is that it's probably stale.

@kt3k kt3k transferred this issue from denoland/std Sep 25, 2023
@kt3k
Member

kt3k commented Sep 25, 2023

I think this is a Deno CLI issue and still valid.

Why does Deno try to connect to https://dl.deno.land/?

The upgrade checker checks https://dl.deno.land/release-latest.txt to see if there's a new release

.download_text("https://dl.deno.land/release-latest.txt")
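
A triage helper for the debug output shown in the report, added here as an example (it is not part of the thread or of Deno's code): it ties each `Sending fatal alert` line back to the connection and server name logged before it and flags whether the host is the upgrade checker's `dl.deno.land`. The names `findTlsFailures`, `TlsFailure` and `UPDATE_CHECK_HOST` are hypothetical, and the sample log is constructed from lines in the report.

```typescript
// Added example: triage helper for `deno run -Ldebug` output (not Deno's own code).
interface TlsFailure {
  alert: string;              // e.g. "BadCertificate"
  url: string | null;         // last URL reqwest started connecting to
  serverName: string | null;  // server name rustls logged for the handshake
  cipherSuite: string | null; // negotiated suite, if logged before the alert
  updateCheck: boolean;       // true when the failing host is the upgrade checker's
}

// Host queried by the upgrade checker, per the maintainer's reply in this thread.
const UPDATE_CHECK_HOST = "dl.deno.land";

function findTlsFailures(log: string): TlsFailure[] {
  const failures: TlsFailure[] = [];
  let url: string | null = null;
  let serverName: string | null = null;
  let cipherSuite: string | null = null;
  for (const line of log.split(/\r?\n/)) {
    let m: RegExpMatchArray | null;
    if ((m = line.match(/reqwest::connect:\d+ - starting new connection: (\S+)/))) {
      // A new connection resets the per-handshake state.
      url = m[1] ?? null; serverName = null; cipherSuite = null;
    } else if ((m = line.match(/rustls::\S+ - Using ciphersuite (\S+)/))) {
      cipherSuite = m[1] ?? null;
    } else if ((m = line.match(/rustls::\S+ - Server DNS name is .*?"([^"]+)"/))) {
      serverName = m[1] ?? null;
    } else if ((m = line.match(/^Sending fatal alert (\w+)/))) {
      // Prefer the name rustls validated against; fall back to the URL's host.
      const host = serverName ?? (url ? (url.match(/^https?:\/\/([^/:]+)/)?.[1] ?? null) : null);
      failures.push({ alert: m[1] ?? "", url, serverName, cipherSuite, updateCheck: host === UPDATE_CHECK_HOST });
    }
  }
  return failures;
}

// Constructed sample: the tail of the debug log from the report above.
const SAMPLE_LOG = `Listening on http://localhost:8000/
DEBUG RS - reqwest::connect:560 - starting new connection: https://dl.deno.land/
DEBUG RS - rustls::client::hs:584 - Using ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
DEBUG RS - rustls::client::tls12:709 - Server DNS name is DnsName(DnsName(DnsName("dl.deno.land")))
Sending fatal alert BadCertificate`;

console.log(findTlsFailures(SAMPLE_LOG));
```

A result with `updateCheck: true` means the rejected certificate was presented on the upgrade checker's request, not on a module download or on the local HTTP server.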

@lino-levan
Contributor

Thanks for the clarification.

@iuioiua
Contributor

iuioiua commented Nov 17, 2023

@twihno, does this issue still happen when you use Deno.serve()?

@twihno
Author

twihno commented Jan 15, 2024

Sorry for the late reply.
It seems to be resolved.
I don't get the error anymore and Deno behaves as expected (with the system cert store env-variable set).

The log of the example with the current deno and std version (note: I just copied the example from this issue and removed the explicit std version to get the current one because I was too lazy to look up the correct version. Therefore there is a warning for the implicit std version):

DEBUG RS - deno::args::package_json:151 - No package.json file found
DEBUG RS - deno::cache::cache_db:130 - Opening cache /home/schuthom/.cache/deno/dep_analysis_cache_v1...
DEBUG RS - deno::cache::cache_db:130 - Opening cache /home/schuthom/.cache/deno/node_analysis_cache_v1...
DEBUG RS - deno::js:11 - Deno isolate init with snapshots.
DEBUG RS - deno::worker:156 - main_module file:///home/schuthom/teest/test.ts
DEBUG RS - deno::module_loader:124 - Preparing module load.
DEBUG RS - deno::module_loader:145 - Creating module graph.
DEBUG RS - deno::file_fetcher:550 - FileFetcher::fetch() - specifier: file:///home/schuthom/teest/test.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted read access to "/home/schuthom/teest/test.ts"
DEBUG RS - deno::file_fetcher:550 - FileFetcher::fetch() - specifier: https://deno.land/std/http/server.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:344 - FileFetcher::fetch_remote() - specifier: https://deno.land/std/http/server.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std/http/server.ts
DEBUG RS - reqwest::connect:429 - starting new connection: https://deno.land/
DEBUG RS - reqwest::async_impl::client:2396 - redirect policy disallowed redirection to 'https://deno.land/std@0.212.0/http/server.ts'
Warning Implicitly using latest version (0.212.0) for https://deno.land/std/http/server.ts
DEBUG RS - deno::http_util:59 - Redirecting to "/std@0.212.0/http/server.ts"...
DEBUG RS - deno::file_fetcher:344 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.212.0/http/server.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.212.0/http/server.ts
DEBUG RS - deno::file_fetcher:550 - FileFetcher::fetch() - specifier: https://deno.land/std@0.212.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:344 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.212.0/async/delay.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.212.0/async/delay.ts
DEBUG RS - deno::npm::managed::resolution:314 - Snapshot already up to date. Skipping pending resolution.
DEBUG RS - deno::module_loader:217 - Prepared module load.
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "0.0.0.0:8000"
Listening on http://localhost:8000/
DEBUG RS - deno_runtime::worker:587 - received module evaluate Ok(
    (),
)

@twihno twihno closed this as completed Jan 15, 2024