fix: fix https connections without explicitly passed certificates (#119)

* fix * attempt 2 * add comment * cleanup * make it more concise
DefGuard · Aug 30, 2024 · 08919d2 · 08919d2
1 parent f436b30
commit 08919d2
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -20,7 +20,7 @@ prost = "0.13"
 serde = { version = "1.0", features = ["derive"] }
 syslog = "7.0"
 thiserror = "1.0"
-tonic = { version = "0.12", features = ["gzip", "tls", "tls-roots"] }
+tonic = { version = "0.12", features = ["gzip", "tls", "tls-native-roots"] }
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
 tokio-stream = { version = "0.1", features = [] }
 toml = { version = "0.8", default-features = false, features = ["parse"] }

diff --git a/src/gateway.rs b/src/gateway.rs
@@ -326,12 +326,14 @@ impl Gateway {
             .http2_keep_alive_interval(TEN_SECS)
             .tcp_keepalive(Some(TEN_SECS))
             .keep_alive_while_idle(true);
+        // if CA certificate is provided, use it (and only it)
+        // otherwise load certs from system
         let endpoint = if let Some(ca) = &self.config.grpc_ca {
             let ca = std::fs::read_to_string(ca)?;
             let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca));
             endpoint.tls_config(tls)?
         } else {
-            endpoint
+            endpoint.tls_config(ClientTlsConfig::new().with_native_roots())?
         };
         let channel = endpoint.connect_lazy();