default_http_client called even if http_client is provided

[utterstep]

Describe the bug

I'm using aws-sdk-s3 with custom http_client, to use webpki_roots instead of system CA certificates, creating config this way:

async fn aws_sdk_config() -> SdkConfig {
    // Rustls connector.
    let rustls_connector = hyper_rustls::HttpsConnectorBuilder::new()
        .with_webpki_roots()
        .https_only()
        .enable_http1()
        .enable_http2()
        .build();

    // Hyper client builder.
    let http_client = HyperClientBuilder::new().build(rustls_connector);

    aws_config::from_env()
        .http_client(http_client)
        .region(EnvironmentVariableRegionProvider::new())
        .credentials_provider(EnvironmentVariableCredentialsProvider::new())
        .load()
        .await
}

let aws_shared_config = aws_sdk_config().await;
let s3_client = S3Client::new(&aws_shared_config);

However, when I then create aws_sdk_s3::Client from config:

let aws_shared_config = aws_sdk_config().await;
let s3_client = S3Client::new(&aws_shared_config);

I get the following error in my production environment:

**Backtrace**

2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]thread 'main' panicked at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/hyper-rustls-0.24.2/src/config.rs:48:9:
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]no CA certificates found
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]stack backtrace:
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   0:     0x56340ffe725c - std::backtrace_rs::backtrace::libunwind::trace::he43a6a3949163f8c
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   1:     0x56340ffe725c - std::backtrace_rs::backtrace::trace_unsynchronized::h50db52ca99f692e7
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   2:     0x56340ffe725c - std::sys_common::backtrace::_print_fmt::hd37d595f2ceb2d3c
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/sys_common/backtrace.rs:67:5
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   3:     0x56340ffe725c - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h678bbcf9da6d7d75
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/sys_common/backtrace.rs:44:22
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   4:     0x56341001651c - core::fmt::rt::Argument::fmt::h3a159adc080a6fc9
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/fmt/rt.rs:138:9
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   5:     0x56341001651c - core::fmt::write::hb8eaf5a8e45a738e
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/fmt/mod.rs:1094:21
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   6:     0x56340ffe39ee - std::io::Write::write_fmt::h9663fe36b2ee08f9
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/io/mod.rs:1714:15
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   7:     0x56340ffe7044 - std::sys_common::backtrace::_print::hcd4834796ee88ad2
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/sys_common/backtrace.rs:47:5
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   8:     0x56340ffe7044 - std::sys_common::backtrace::print::h1360e9450e4f922a
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/sys_common/backtrace.rs:34:9
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]   9:     0x56340ffe86f3 - std::panicking::default_hook::{{closure}}::h2609fa95cd5ab1f4
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:270:22
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  10:     0x56340ffe840c - std::panicking::default_hook::h6d75f5747cab6e8d
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:290:9
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  11:     0x56340ffe8c79 - std::panicking::rust_panic_with_hook::h57e78470c47c84de
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:707:13
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  12:     0x56340ffe8b31 - std::panicking::begin_panic_handler::{{closure}}::h3dfd2453cf356ecb
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:597:13
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  13:     0x56340ffe7786 - std::sys_common::backtrace::__rust_end_short_backtrace::hdb177d43678e4d7e
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/sys_common/backtrace.rs:170:18
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  14:     0x56340ffe88c2 - rust_begin_unwind
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:595:5
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  15:     0x56340f08eee3 - core::panicking::panic_fmt::hd1e971d8d7c78e0e
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]                               at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/panicking.rs:67:14
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  16:     0x56340fdf6166 - <rustls::builder::ConfigBuilder<rustls::client::client_conn::ClientConfig,rustls::builder::WantsVerifier> as hyper_rustls::config::ConfigBuilderExt>::with_native_roots::hf940367ded939ad5
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  17:     0x56340facffe1 - core::ops::function::FnOnce::call_once::hd03d87e5437eeacf
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  18:     0x56340faaf45b - once_cell::imp::OnceCell<T>::initialize::{{closure}}::h34c93868167a162e
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  19:     0x56340ffc3f1c - once_cell::imp::initialize_or_wait::h0809411143941077
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  20:     0x56340f06cb12 - once_cell::imp::OnceCell<T>::initialize::h17983bfc34f9727b
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  21:     0x56340fadfb44 - aws_smithy_runtime::client::http::hyper_014::default_connector::https::h738fc6e315f87bc0
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  22:     0x56340fac1aeb - aws_smithy_runtime::client::http::hyper_014::HyperClientBuilder::build_https::hc5e31bcdb3610bcd
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  23:     0x56340fabea90 - aws_smithy_runtime::client::http::hyper_014::default_client::ha72b4a76b1ebb1ff
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  24:     0x56340fa9cd0f - aws_smithy_runtime::client::defaults::default_http_client_plugin::h18a326b21eb1733f
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  25:     0x56340fa9e2a2 - aws_smithy_runtime::client::defaults::default_plugins::hc986d5547dd93f98
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  26:     0x56340f7a5141 - aws_sdk_s3::client::Client::from_conf::h62aeba176dfe9317
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  27:     0x56340f7a6840 - aws_sdk_s3::client::Client::new::h18ee8154c1027213
2023-11-21T16:32:57Z app[7811e9dc997028] fra [info]  28:     0x56340f37f7d5 - platan_interface::setup::setup_app::{{closure}}::heb95f7bfecd7ce63
...

And yeah, that's right, I don't have system-provided CA-certificates, that's why I'm creating custom http_client with with_webpki_roots :)

If I'm looking at it correctly, the error originates from:

aws_sdk_s3::Client::from_conf
->
aws_sdk_s3::config::base_client_runtime_plugins
->
aws_smithy_runtime::client::defaults::default_plugins()
->
aws_smithy_runtime::client::defaults::default_http_client_plugin

which, in case you have connector-hyper-0-14-x feature enabled (which I do to be able to use HyperClientBuilder) creates hyper client.

And aws_smithy_runtime depends on hyper-rustls with native-certs unconditionally, which triggers it to try find some native certs, leading to runtime panic I'm experiencing.

Expected Behavior

No panic, basically :)

Current Behavior

Panic

Reproduction Steps

Run

async fn aws_sdk_config() -> SdkConfig {
    // Rustls connector.
    let rustls_connector = hyper_rustls::HttpsConnectorBuilder::new()
        .with_webpki_roots()
        .https_only()
        .enable_http1()
        .enable_http2()
        .build();

    // Hyper client builder.
    let http_client = HyperClientBuilder::new().build(rustls_connector);

    aws_config::from_env()
        .http_client(http_client)
        .region(EnvironmentVariableRegionProvider::new())
        .credentials_provider(EnvironmentVariableCredentialsProvider::new())
        .load()
        .await
}

let aws_shared_config = aws_sdk_config().await;
let s3_client = S3Client::new(&aws_shared_config);

on a machine without system CA certificates (Docker image debian:bookworm-slim, for example).

Possible Solution

Maybe do not create default_http_client when being provided with one?
Or, another way would be to allow to configure hyper-rustls dependency of aws-smithy-runtime to use webpki-roots.

Additional Information/Context

No response

Version

├── aws-config v1.0.0
│   ├── aws-credential-types v1.0.0
│   │   ├── aws-smithy-async v1.0.0
│   │   ├── aws-smithy-runtime-api v1.0.0
│   │   │   ├── aws-smithy-async v1.0.0 (*)
│   │   │   ├── aws-smithy-types v1.0.0
│   │   ├── aws-smithy-types v1.0.0 (*)
│   ├── aws-http v0.60.0
│   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-types v1.0.0
│   │   │   ├── aws-credential-types v1.0.0 (*)
│   │   │   ├── aws-smithy-async v1.0.0 (*)
│   │   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   │   ├── aws-smithy-types v1.0.0 (*)
│   ├── aws-runtime v1.0.0
│   │   ├── aws-credential-types v1.0.0 (*)
│   │   ├── aws-http v0.60.0 (*)
│   │   ├── aws-sigv4 v1.0.0
│   │   │   ├── aws-credential-types v1.0.0 (*)
│   │   │   ├── aws-smithy-eventstream v0.60.0
│   │   │   │   ├── aws-smithy-types v1.0.0 (*)
│   │   │   ├── aws-smithy-http v0.60.0
│   │   │   │   ├── aws-smithy-eventstream v0.60.0 (*)
│   │   │   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   │   │   ├── aws-smithy-types v1.0.0 (*)
│   │   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-smithy-async v1.0.0 (*)
│   │   ├── aws-smithy-eventstream v0.60.0 (*)
│   │   ├── aws-smithy-http v0.60.0 (*)
│   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-types v1.0.0 (*)
│   ├── aws-sdk-sso v0.39.0
│   │   ├── aws-credential-types v1.0.0 (*)
│   │   ├── aws-http v0.60.0 (*)
│   │   ├── aws-runtime v1.0.0 (*)
│   │   ├── aws-smithy-async v1.0.0 (*)
│   │   ├── aws-smithy-http v0.60.0 (*)
│   │   ├── aws-smithy-json v0.60.0
│   │   │   └── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-smithy-runtime v1.0.0
│   │   │   ├── aws-smithy-async v1.0.0 (*)
│   │   │   ├── aws-smithy-http v0.60.0 (*)
│   │   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-types v1.0.0 (*)
│   ├── aws-sdk-ssooidc v0.39.0
│   │   ├── aws-credential-types v1.0.0 (*)
│   │   ├── aws-http v0.60.0 (*)
│   │   ├── aws-runtime v1.0.0 (*)
│   │   ├── aws-smithy-async v1.0.0 (*)
│   │   ├── aws-smithy-http v0.60.0 (*)
│   │   ├── aws-smithy-json v0.60.0 (*)
│   │   ├── aws-smithy-runtime v1.0.0 (*)
│   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-types v1.0.0 (*)
│   ├── aws-sdk-sts v0.39.0
│   │   ├── aws-credential-types v1.0.0 (*)
│   │   ├── aws-http v0.60.0 (*)
│   │   ├── aws-runtime v1.0.0 (*)
│   │   ├── aws-smithy-async v1.0.0 (*)
│   │   ├── aws-smithy-http v0.60.0 (*)
│   │   ├── aws-smithy-json v0.60.0 (*)
│   │   ├── aws-smithy-query v0.60.0
│   │   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-smithy-runtime v1.0.0 (*)
│   │   ├── aws-smithy-runtime-api v1.0.0 (*)
│   │   ├── aws-smithy-types v1.0.0 (*)
│   │   ├── aws-smithy-xml v0.60.0
│   │   ├── aws-types v1.0.0 (*)
│   ├── aws-smithy-async v1.0.0 (*)
│   ├── aws-smithy-http v0.60.0 (*)
│   ├── aws-smithy-json v0.60.0 (*)
│   ├── aws-smithy-runtime v1.0.0 (*)
│   ├── aws-smithy-runtime-api v1.0.0 (*)
│   ├── aws-smithy-types v1.0.0 (*)
│   ├── aws-types v1.0.0 (*)
├── aws-sdk-ec2 v0.39.0
│   ├── aws-credential-types v1.0.0 (*)
│   ├── aws-http v0.60.0 (*)
│   ├── aws-runtime v1.0.0 (*)
│   ├── aws-smithy-async v1.0.0 (*)
│   ├── aws-smithy-http v0.60.0 (*)
│   ├── aws-smithy-json v0.60.0 (*)
│   ├── aws-smithy-query v0.60.0 (*)
│   ├── aws-smithy-runtime v1.0.0 (*)
│   ├── aws-smithy-runtime-api v1.0.0 (*)
│   ├── aws-smithy-types v1.0.0 (*)
│   ├── aws-smithy-xml v0.60.0 (*)
│   ├── aws-types v1.0.0 (*)
├── aws-sdk-s3 v0.39.0
│   ├── aws-credential-types v1.0.0 (*)
│   ├── aws-http v0.60.0 (*)
│   ├── aws-runtime v1.0.0 (*)
│   ├── aws-sigv4 v1.0.0 (*)
│   ├── aws-smithy-async v1.0.0 (*)
│   ├── aws-smithy-checksums v0.60.0
│   │   ├── aws-smithy-http v0.60.0 (*)
│   │   ├── aws-smithy-types v1.0.0 (*)
│   ├── aws-smithy-eventstream v0.60.0 (*)
│   ├── aws-smithy-http v0.60.0 (*)
│   ├── aws-smithy-json v0.60.0 (*)
│   ├── aws-smithy-runtime v1.0.0 (*)
│   ├── aws-smithy-runtime-api v1.0.0 (*)
│   ├── aws-smithy-types v1.0.0 (*)
│   ├── aws-smithy-xml v0.60.0 (*)
│   ├── aws-types v1.0.0 (*)
├── aws-smithy-runtime v1.0.0 (*)
│   ├── aws-sdk-ec2 v0.39.0 (*)
│   ├── aws-sdk-s3 v0.39.0 (*)
│   │   ├── aws-sdk-ec2 v0.39.0 (*)
│   │   ├── aws-sdk-s3 v0.39.0 (*)
├── aws-config v1.0.0 (*)
├── aws-sdk-s3 v0.39.0 (*)

Environment details (OS name and version, etc.)

debian:bookworm-slim Docker image

Logs

No response

[ysaito1001]

Hi @utterstep, thank you for reporting this! Appreciate spending time adding the backtrace and call chains to make the description so much easier to understand.

As you pointed out above, the issue seems that our default default_http_client isn't aware of with_webpki_roots because of a hard-coded cargo feature rustls-native-certs for the hyper-rustls dependency in aws-smithy-runtime.

Please note that default_http_client will be called regardless of whether you provide your own http_client or not. Were it not for panic!, you would successfully create a variable s3_client above and your http_client would override what's created by default_http_client.

We'll add this to our backlog to come up with a fix.

[rcoh]

can you try disabling default features? That should remove the default http client. You will need to re-enable the other default features.

[utterstep]

can you try disabling default features? That should remove the default http client. You will need to re-enable the other default features.

Hi, @rcoh!
Yeah, I tried that, but as I'm using the connector-hyper-0-14-x feature, the code triggering panic is still included.

I use this feature to be able to use HyperClientBuilder with HttpsConnector<HttpConnector> provided by me:

async fn aws_sdk_config() -> SdkConfig {
    // Rustls connector.
    let rustls_connector = hyper_rustls::HttpsConnectorBuilder::new()
        .with_webpki_roots()
        .https_only()
        .enable_http1()
        .enable_http2()
        .build();

    // Hyper client builder.
    let http_client = HyperClientBuilder::new().build(rustls_connector);

    aws_config::from_env()
        .http_client(http_client)
        .region(EnvironmentVariableRegionProvider::new())
        .credentials_provider(EnvironmentVariableCredentialsProvider::new())
        .load()
        .await
}

[rcoh]

ah! Yeah we need to split those up. We'll get this fixed

[rcoh]

hmm, we're having a hard time reproducing this. Can you send your Cargo.toml?

[utterstep]

@rcoh sure :)

Tried to minimize example, see this repo:
https://github.com/utterstep/aws-sdk-certs-reproduction

In Cargo.lock you can see that hyper-rustls used with rustls-native-certs feature:

[[package]]
name = "hyper-rustls"
version = "0.24.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590"
dependencies = [
 "futures-util",
 "http",
 "hyper",
 "log",
 "rustls",
 "rustls-native-certs",
 "tokio",
 "tokio-rustls",
 "webpki-roots",
]

[jdisanti]

Thanks for putting that together!

I think I see what's causing the issue for you. There are two things:

1. In the hyper-rustls dependency, default_features is a typo. It should be default-features.
2. The rustls feature on the SDK crates will pull in the SDK default TLS implementation, which is rustls with native certs. You'll have to disable that:

aws-config = { version = "1", default-features = false, features = ["rt-tokio", "behavior-version-latest"] }
aws-sdk-ec2 = { version = "0.39", default-features = false, features = ["rt-tokio", "behavior-version-latest"] }
aws-sdk-s3 = { version = "0.39", default-features = false, features = ["rt-tokio", "behavior-version-latest"] }
aws-smithy-runtime = { version = "1", default-features = false, features = ["client", "connector-hyper-0-14-x"] }

When I make those changes in to aws-sdk-certs-reproduction repo, I see that rustls-native-certs is no longer in the Cargo.lock.

[utterstep]

Geez, sorry for the typo :(

It's a bit counter-intuitive, disabling rustls feature and be able to use rustls still :)
However I get the logic that this feature is not "you can use rustls", but rather "use default rustls tooling", am I correct?

And many thanks to you and the team! :)

[jdisanti]

Yeah, that's exactly it.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.