How to add a CA certificate?

[Krahos]

Hello everyone, I'm trying to generate a presigned URL to upload a file on S3. My code works fine when i run it, but if i put it inside a container and load it on AWS lightsail container service it panics with this message: thread 'actix-server worker 0' panicked at 'no CA certificates found', /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/hyper-rustls-0.22.1/src/connector.rs:45:13
I based my code on the examples and it's the following:

#[derive(Serialize)]
pub struct UrlData {
    presigned_request_uri: String,
    file_uri: String,
}

#[allow(clippy::async_yields_async)]
#[tracing::instrument(name = "Getting a signed url for videos")]
pub async fn get_signed_video_url() -> HttpResponse {
    let bucket = "my-bucket-name";
    let content_type = "video/mp4";
    let object_key = format!("videos/{}.mp4", Uuid::new_v4());

    match get_s3_url(bucket, content_type, &object_key).await {
        Ok(url_data) => HttpResponse::Ok().json(url_data),
        Err(_) => HttpResponse::InternalServerError().finish(),
    }
}

[tracing::instrument(name = "Getting s3 signed url")]
pub async fn get_s3_url(
    bucket: &str,
    content_type: &str,
    folder: &str,
    object_key: &str,
) -> Result<UrlData, ()> {
    let config = aws_config::from_env().load().await;
    let client = Client::new(&config);

    let expires_in = Duration::from_secs(500);
    let presigned_config = match PresigningConfig::expires_in(expires_in) {
        Ok(c) => c,
        Err(e) => {
            tracing::error!("Failed to generate presigned config: {:?}", e);
            return Err(());
        }
    };

    let presigned_request = match client
        .put_object()
        .key(object_key)
        .content_type(content_type)
        .bucket(bucket)
        .presigned(presigned_config)
        .await
    {
        Ok(r) => r,
        Err(e) => {
            tracing::error!("Failed to generate presigned request: {:?}", e);
            return Err(());
        }
    };

    let uri = presigned_request.uri();

    // TODO: get these info from environment variables.
    let url_data = UrlData {
        presigned_request_uri: uri.to_string(),
        file_uri: format!(
            "https://{}.s3.eu-west-3.amazonaws.com/{}",
            &bucket, object_key
        ),
    };
    Ok(url_data)
}

I set in the environment variables section:

• AWS_ACCESS_KEY_ID
• AWS_REGION
• AWS_SECRET_ACCESS_KEY

What else do I need to solve the panic?

[TuhinNair]

Your container image needs to have the common CA certificates in order for you to make requests using TLS.

If using one of those thin base images you'll need something like this in your Dockerfile: (Assuming debian based image)
RUN apt-get install -y --no-install-recommends ca-certificates
RUN update-ca-certificates

[Krahos]

Thanks, that solved it, I thought they were already included in the image.

[markgoddard]

I'm also seeing this in a test environment. The minio object store is not using TLS.

[rcoh]

You should be able to set .endpoint_url to have an HTTP URL. You may need to provide your own: https://docs.rs/aws-config/latest/aws_config/struct.ConfigLoader.html#method.http_connector that does not enforce HTTPS.

[markgoddard]

Yes, it's working fine with HTTP without a custom connector, but it failed without the CA certs package being installed & certs updated.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.