Cannot find ca certificates on android

[malbarbo]

Reported on reddit

error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '/data/data/com.termux/files/home/.rustup/tmp/blahblah_file'
info: caused by: error during download
info: caused by: [60] Peer certificate cannot be authenticated with given CA certificates (SSL certificate problem: unable to get local issuer certificate)

If the problem cannot be fixed, at least the error message should indicate that defining SSL_CERT_FILE can help.

[malbarbo]

@alexcrichton @sfackler I don't know if this is related with curl or openssl. Do you have some guidance on this?

This also affects cargo.

[alexcrichton]

Cargo and some other crates use openssl-probe to find certs if OpenSSL is linked statically, maybe logic needs to be added there?

[malbarbo]

Would a direct fix adding '/data/data/com.termux/files/etc/ssl' (termux path) to find_certs_dirs be reasonable?

A more aggressive approach would be to try all combinations of the paths defined in find_certs_dirs going up in the directory tree from the current_exe. But I think it is too much.

The error message is a bit complicated. The user or openssl-probe may have defined a invalid SSL_CERT_FILE, so we cannot say to the user to check SSL_CERT_FILE.

[sfackler]

Android has a somewhat unique trust root setup: sfackler/rust-openssl#610. It unfortunately can't be emulated via just setting the environment variables like openssl-probe does - you need to explicitly build up the trust store programmatically.

[Diggsey]

Is this fixed in the latest release?

[malbarbo]

This works using termux (because of the openssl-probe update), but I think we need to wait sfackler/rust-openssl#610 for a complete fix.