
fix(cli): use OS trust store for reqwest TLS verification#1342

Merged
TaylorMutch merged 1 commit into NVIDIA:main from sjenning:fix/reqwest-native-roots on May 12, 2026

Conversation

@sjenning
Contributor

Summary

  • Switch reqwest from rustls-tls (bundled Mozilla webpki roots) to rustls-tls-native-roots (OS certificate store) so the CLI trusts the same CAs as the rest of the system
  • Fixes OIDC discovery failures (UnknownIssuer) against Keycloak instances using certificates signed by internal CAs present in the system trust bundle
  • Aligns reqwest with tokio-tungstenite, which already uses rustls-tls-native-roots

Test plan

  • Run openshell gateway login against a Keycloak instance with an internally-signed certificate
  • Verify OIDC discovery succeeds without UnknownIssuer error
  • Verify login still works against Keycloak instances with publicly-signed certificates
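The feature swap the summary describes, written out as a Cargo.toml excerpt. This is an added illustration, not the PR's own diff: the crate versions and the extra `json` feature are assumed, since the page does not show the manifest, and the "before" line is commented out only so the file stays valid TOML.

```toml
[dependencies]
# Before (assumed shape): rustls with only the bundled Mozilla webpki roots.
# A Keycloak certificate chained to an internal CA fails with UnknownIssuer
# because the OS trust bundle is never consulted.
# reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }

# After: rustls with roots read from the OS certificate store, so the CLI
# trusts the same CAs as the rest of the system. `default-features = false`
# is kept on purpose: reqwest's default `default-tls` feature would pull in
# native-tls (OpenSSL / SChannel / Security.framework), a different TLS
# stack rather than rustls.
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots"] }

# tokio-tungstenite, per the summary already on the same root source.
tokio-tungstenite = { version = "0.24", features = ["rustls-tls-native-roots"] }
```

Cargo features are additive across the whole dependency graph: if any other crate still enables reqwest's `rustls-tls` (an alias for `rustls-tls-webpki-roots`), both root sets end up compiled into the client, which is harmless for trust but worth knowing when debugging which CA a connection was validated against. `cargo tree -e features -i reqwest` lists every crate that enables a reqwest feature and is the quick way to confirm the switch actually took effect in the final binary.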

@copy-pr-bot

copy-pr-bot Bot commented May 12, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label May 12, 2026
@github-actions

Label test:e2e applied, but pull-request/1342 is at {"messa while the PR head is a5e74b8. A maintainer needs to comment /ok to test a5e74b8c45af9a8eb9c89c024a8b674d6a2aa8e2 to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

@TaylorMutch
Collaborator

/ok to test a5e74b8

@sjenning sjenning force-pushed the fix/reqwest-native-roots branch from a5e74b8 to 2874e51 Compare May 12, 2026 22:41
@TaylorMutch
Collaborator

/ok to test 2874e51

Switch reqwest from `rustls-tls` (bundled Mozilla webpki roots) to
`rustls-tls-native-roots` (OS certificate store) so that the CLI
trusts the same CAs as the rest of the system. This fixes OIDC
discovery failures against Keycloak instances using certificates
signed by internal CAs present in the system trust bundle.
@sjenning sjenning force-pushed the fix/reqwest-native-roots branch from 2874e51 to 6f5084f Compare May 12, 2026 23:07
@TaylorMutch
Collaborator

/ok to test 6f5084f

@TaylorMutch TaylorMutch merged commit afcd3a9 into NVIDIA:main May 12, 2026
33 of 34 checks passed

Labels

test:e2e Requires end-to-end coverage


2 participants