
Statically linked musl binaries built with OpenSSL cannot verify certificates CA #119

Closed
lawliet89 opened this issue Jul 27, 2017 · 3 comments

Comments

@lawliet89
Contributor

lawliet89 commented Jul 27, 2017

Consider the following program:

extern crate reqwest;

use std::io::Read;

fn main() {
    // The TLS handshake happens here; OpenSSL has to find a CA bundle
    // to verify the server certificate, or the unwrap() panics.
    let mut resp = reqwest::get("https://www.rust-lang.org/en-US/").unwrap();
    assert!(resp.status().is_success());

    let mut content = String::new();
    resp.read_to_string(&mut content).unwrap();

    println!("OK");
}

On my system (x86_64-unknown-linux-gnu), this works fine as expected:

$ cargo build
   ... snip ...
   Compiling cross-ssl-error v0.1.0 (file:///home/yongwen/work/scratch/cross-ssl-error)
    Finished dev [unoptimized + debuginfo] target(s) in 26.5 secs

$ target/debug/cross-ssl-error 
OK

But, if I use cross to build for x86_64-unknown-linux-musl:

$ cross build --target x86_64-unknown-linux-musl
   ... snip ...
   Compiling cross-ssl-error v0.1.0 (file:///project)
    Finished dev [unoptimized + debuginfo] target(s) in 25.81 secs

$ target/x86_64-unknown-linux-musl/debug/cross-ssl-error 
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { kind: Io(Error { repr: Custom(Custom { kind: Other, error: Ssl(ErrorStack([Error { code: 336134278, library: "SSL routines", function: "ssl3_get_server_certificate", reason: "certificate verify failed", file: "s3_clnt.c", line: 1264 }])) }) }), url: Some("https://www.rust-lang.org/en-US/") }', /checkout/src/libcore/result.rs:860
note: Run with `RUST_BACKTRACE=1` for a backtrace.

Not sure what is going on. Seems like the CAs are not linked into the binaries?

@japaric
Contributor

japaric commented Oct 2, 2017

Workaround for this problem:

$ SSL_CERT_DIR=/etc/ssl/certs ./your-binary

courtesy of @jamesmunns

AFAIU, the issue here is that we build OpenSSL into the docker images using OPENSSL_DIR=/openssl (we do this so that the cross compiled OpenSSL doesn't crash with the host OpenSSL installation). This causes users of the OpenSSL library to search for the certificates in /openssl/ssl/certs (or something like that); however, most distros have their certificates in /etc/ssl/certs. This SSL_CERT_DIR variable overrides the default certificate search path from $install_path/ssl/certs to $SSL_CERT_DIR. Some distros set SSL_CERT_DIR to /etc/ssl/certs at the system level so the cross binaries work on those distros without further modification.

We definitely would like to provide a better default certificate path but I can't think of a solution right now.

@bachp

bachp commented Aug 22, 2018

@japaric Adding --openssldir=/etc/ssl in here might do the trick to have the same default as most Linux distributions.

@malbarbo
Contributor

Other option is to use https://github.com/alexcrichton/openssl-probe
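The two suggestions above (the SSL_CERT_DIR workaround and openssl-probe) amount to the same thing: at startup, look for the host's CA store and point OpenSSL at it through the environment before the first TLS handshake. The program below is an added example written for this thread; it is not code from cross, reqwest or openssl-probe. It uses only std, the candidate directory and file lists are an assumption based on common distribution layouts, and it deliberately leaves SSL_CERT_DIR / SSL_CERT_FILE alone when the user has already set them, so the manual override from the workaround still wins.

```rust
// Added example, not part of the cross project or openssl-probe.
// Probe common CA-store locations and export SSL_CERT_DIR / SSL_CERT_FILE
// so an OpenSSL built with OPENSSL_DIR=/openssl still finds the host CAs.
use std::env;
use std::path::{Path, PathBuf};

/// Candidate CA directories (assumed list of common distro layouts).
pub const CERT_DIRS: &[&str] = &[
    "/etc/ssl/certs",         // Debian/Ubuntu, Arch, Alpine
    "/etc/pki/tls/certs",     // RHEL/Fedora/CentOS
    "/usr/share/ssl/certs",   // older Red Hat layouts
    "/usr/local/share/certs", // FreeBSD
];

/// Candidate CA bundle files (assumed list of common distro layouts).
pub const CERT_FILES: &[&str] = &[
    "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu, Alpine
    "/etc/pki/tls/certs/ca-bundle.crt",   // RHEL/Fedora/CentOS
    "/etc/ssl/ca-bundle.pem",             // openSUSE
    "/etc/ssl/cert.pem",                  // Alpine, FreeBSD
];

/// What the probe found on this machine, if anything.
#[derive(Debug, Default, PartialEq)]
pub struct ProbeResult {
    pub cert_dir: Option<PathBuf>,
    pub cert_file: Option<PathBuf>,
}

/// Return the first existing directory and the first existing file from the
/// candidate lists. Takes the lists as arguments so it can be tested with
/// constructed paths instead of the real system store.
pub fn probe(dirs: &[&str], files: &[&str]) -> ProbeResult {
    ProbeResult {
        cert_dir: dirs
            .iter()
            .map(Path::new)
            .find(|p| p.is_dir())
            .map(Path::to_path_buf),
        cert_file: files
            .iter()
            .map(Path::new)
            .find(|p| p.is_file())
            .map(Path::to_path_buf),
    }
}

/// Export SSL_CERT_DIR / SSL_CERT_FILE from a probe result, but only for
/// variables the user has not already set (an explicit override wins).
/// Returns the variables that were actually exported.
#[allow(unused_unsafe)]
pub fn init_from(result: &ProbeResult) -> Vec<(&'static str, PathBuf)> {
    let mut exported = Vec::new();
    if env::var_os("SSL_CERT_DIR").is_none() {
        if let Some(dir) = &result.cert_dir {
            // set_var is unsafe in edition 2024; the unsafe block is harmless earlier.
            unsafe { env::set_var("SSL_CERT_DIR", dir) };
            exported.push(("SSL_CERT_DIR", dir.clone()));
        }
    }
    if env::var_os("SSL_CERT_FILE").is_none() {
        if let Some(file) = &result.cert_file {
            unsafe { env::set_var("SSL_CERT_FILE", file) };
            exported.push(("SSL_CERT_FILE", file.clone()));
        }
    }
    exported
}

fn main() {
    // Run this before the first reqwest/OpenSSL call: OpenSSL consults the
    // environment when it loads its default verify paths.
    let found = probe(CERT_DIRS, CERT_FILES);
    println!("probe result: {:?}", found);
    for (name, value) in init_from(&found) {
        println!("exported {}={}", name, value.display());
    }
}
```

Calling probe and init_from at the top of main, before building the reqwest client, gives a musl binary the same CA lookup the distro's own OpenSSL would have had, without rebuilding the cross Docker image with a different --openssldir.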

Rukenshia added a commit to Rukenshia/saml2aws-auto that referenced this issue Sep 25, 2018