
Commit fe44095

committed
db: Add Crunchybridge certificate as root certificate
… because otherwise the native TLS stack on our server complains about the self-signed certificate in the cert chain.
1 parent 86ad14e commit fe44095

3 files changed

+22
-3
lines changed


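--- /dev/null
+++ b/src/certs/crunchy.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAUqgAwIBAgIJAMDLUd0ypWHdMAoGCCqGSM49BAMDMCUxIzAhBgNVBAMM
+GnJqamxwMmxnbWJjanZvamV4YjN3NndsNTVlMB4XDTI0MDYwNTA2MjcyOVoXDTQ0
+MDUzMTA2MjcyOVowJTEjMCEGA1UEAwwacmpqbHAybGdtYmNqdm9qZXhiM3c2d2w1
+NWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4J3uDAfsWOQFD6XAwpPWOvviY
+kCPqyJ37OGMOhA70zvQKOnxTmrKu2p7lsyVrnbCtD4Ve11CouI4iDPeVmK/wo2Mw
+YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUy5m8
+qXuAIReA7KFV1fKaHLPZo14wHwYDVR0jBBgwFoAUy5m8qXuAIReA7KFV1fKaHLPZ
+o14wCgYIKoZIzj0EAwMDRwAwRAIgQfpsO+B96Xse+ushnl+0Abx2tx0F5ac+K0L/
+x4uyKP4CIBaCSz+Oa/rG30W2F0VVtJN8guKFvnCMy7Gg/XCGGx8l
+-----END CERTIFICATE-----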

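--- a/src/certs/mod.rs
+++ b/src/certs/mod.rs
@@ -1,4 +1,8 @@
-//! Certificates from <https://letsencrypt.org/certificates/>.
-
+/// Certificate from <https://letsencrypt.org/certificates/>.
 pub const ISRG_ROOT_X1: &[u8] = include_bytes!("./isrg-root-x1.pem");
+
+/// Certificate from <https://letsencrypt.org/certificates/>.
 pub const ISRG_ROOT_X2: &[u8] = include_bytes!("./isrg-root-x2.pem");
+
+/// crates.io team certificate from <https://crunchybridge.com/>.
+pub const CRUNCHY: &[u8] = include_bytes!("./crunchy.pem");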
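Review bot: The doc comment on the new `CRUNCHY` constant records neither where the PEM was obtained, how it was verified, nor when it expires, so whoever has to rotate it later has no procedure to follow; the Not After field in the embedded certificate appears to decode to 2044-05-31 and the basicConstraints extension to CA:TRUE, which should be confirmed with `openssl x509 -in src/certs/crunchy.pem -noout -dates -fingerprint -sha256` and written down. Suggest extending the comment to something like `/// Root CA that issues the Crunchy Bridge database server certificate. Obtained from <SOURCE — fill in>; SHA-256 fingerprint <FINGERPRINT — fill in>; expires <DATE — fill in>. Replace before expiry.` Replacing the `//!` module doc with per-item `///` comments also leaves the module itself undocumented; a one-line `//! Root certificates embedded in the binary for outbound TLS connections.` keeps rustdoc's module page meaningful.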

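--- a/src/db.rs
+++ b/src/db.rs
@@ -1,8 +1,9 @@
+use crate::certs::CRUNCHY;
 use diesel::{Connection, ConnectionResult, PgConnection, QueryResult};
 use diesel_async::pooled_connection::deadpool::{Hook, HookError};
 use diesel_async::pooled_connection::ManagerConfig;
 use diesel_async::{AsyncPgConnection, RunQueryDsl};
-use native_tls::TlsConnector;
+use native_tls::{Certificate, TlsConnector};
 use postgres_native_tls::MakeTlsConnector;
 use secrecy::ExposeSecret;
 use std::time::Duration;
@@ -60,7 +61,10 @@ pub fn make_manager_config() -> ManagerConfig<AsyncPgConnection> {
 async fn establish_async_connection(url: &str) -> ConnectionResult<AsyncPgConnection> {
 use diesel::ConnectionError::BadConnection;
 
+let cert = Certificate::from_pem(CRUNCHY).map_err(|err| BadConnection(err.to_string()))?;
+
 let connector = TlsConnector::builder()
+.add_root_certificate(cert)
 // The TLS certificate of our current database server has a long validity
 // period and OSX rejects such certificates as "not trusted". If you run
 // into "Certificate was not trusted" errors during local development,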
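Review bot: `Certificate::from_pem(CRUNCHY)` on new line 64 re-parses the embedded PEM on every connection attempt and reports a malformed bundle only as a per-connection `BadConnection`, so a corrupted or mis-copied `crunchy.pem` would surface at runtime in production rather than in CI. A unit test such as `assert!(native_tls::Certificate::from_pem(crate::certs::CRUNCHY).is_ok());` catches that at test time, and parsing once in `make_manager_config` (the function named in the hunk header) instead of per connection would make startup fail fast. `add_root_certificate` also makes this connector trust any server certificate chaining to the embedded Crunchy Bridge CA, not just the current database host, which is reasonable for a dedicated database connector but deserves a one-line comment next to the call, e.g. `// Crunchy Bridge issues the DB server certificate from its own CA, which the platform trust store does not contain.` The body of establish_async_connection continues beyond the hunk, so whether any accept-invalid-certificate option is still set further down cannot be checked from here.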
