HTTP.jl
Get from HTTPS URL in company network with self-signed certificate
When I do HTTP.get("https://www.google.com") using the company network, I get a long error message beginning with MbedTLS error code -9984: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed.
I know that the company network has a self-signed certificate in the certificate chain which might be the culprit.
However, the thunder REST client plugin in VS Code has no problem getting a 200 response from https://...
I don't know how to debug this. Is there something we can do in HTTP.jl to address this? What other information do I need to provide?
You could try the new functionality we just added where you can specify the cacert file in the HTTP_CA_BUNDLE or CURL_CA_BUNDLE environment variables.
Seems related:
I’ve created a private CA, pushed it to the system keychain, and signed an SSL certificate for a service running on e.g. localhost:5050 - and now, while my browser recognises the certificate at https://localhost:5050, HTTP.get("https://localhost:5050") complains that certificate verification failed.
Are the HTTP.jl-compatible CAs separated from system CAs? Thank you!
The answer is that HTTP.jl/MbedTLS.jl maintains a separate list of trusted CAs; a workaround indeed is to provide a custom bundle via HTTP_CA_BUNDLE (if anyone finds it useful: a bundle is just a file with concatenated trusted certs, see e.g. the content of HTTP.MbedTLS.MozillaCACerts_jll.cacert; the specified bundle will overwrite the default bundle).
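
An added example, not part of the thread and not HTTP.jl's own code: because the custom bundle replaces the default one, this sketch appends the private CA to the bundled Mozilla list so that public sites keep verifying and certificate checking stays enabled. The CA path, output path and helper names are hypothetical, and it assumes the variable is set before the first HTTPS request of the session.

```julia
using HTTP

# Hypothetical path to the private/company root CA, PEM-encoded.
const PRIVATE_CA_PEM = "/path/to/company-root-ca.pem"

# Matches one PEM certificate block; the `s` flag lets `.` span newlines.
const PEM_CERT = r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----"s

"Number of PEM certificate blocks found in `text`."
count_pem_certs(text::AbstractString) = length(collect(eachmatch(PEM_CERT, text)))

"""
Write a bundle holding the default Mozilla CAs followed by the extra CA(s)
from `extra_ca_path`, and return the path of the new bundle.
"""
function build_ca_bundle(extra_ca_path::AbstractString;
                         out_path::AbstractString = joinpath(pwd(), "ca-bundle.pem"))
    # Default trust list shipped with HTTP.jl/MbedTLS.jl (path named in the thread).
    default_bundle = read(HTTP.MbedTLS.MozillaCACerts_jll.cacert, String)
    extra = read(extra_ca_path, String)

    # A DER-encoded or empty file would otherwise be appended silently
    # and verification would keep failing with no hint why.
    count_pem_certs(extra) > 0 ||
        error("$extra_ca_path contains no PEM certificate; convert DER to PEM first")

    open(out_path, "w") do io
        write(io, rstrip(default_bundle), "\n")
        write(io, strip(extra), "\n")
    end
    return out_path
end

bundle = build_ca_bundle(PRIVATE_CA_PEM)
println("certificates in bundle: ", count_pem_certs(read(bundle, String)))

# Assumption: set this before the first HTTPS request; exporting it in the
# shell before starting Julia is the safest option.
ENV["HTTP_CA_BUNDLE"] = bundle

resp = HTTP.get("https://localhost:5050")   # URL from the question above
println(resp.status)
```

Only the root (and any intermediate) CA certificates belong in the bundle; the server's private key never does.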