
Package download error reporting hides true cause when redirects are involved

Open HT154 opened this issue 5 months ago • 0 comments

I'm working on adopting Pkl 0.29 and HTTP rewrites and ran into an error condition with a misleading message.

Background:

  • I'm trying to pull packages via pkg.pkl-lang.org (which redirects to github.com) without connecting to the public internet.
  • I have a rewrite from https://github.com/ to https://github.internal/github-releases/
    • This endpoint uses a cert from a publicly trusted CA.
  • I have a rewrite from https://pkl.pkl-lang.org to https://pkl.internal/mirror/pkg.pkl-lang.org/
    • This endpoint is using a self-signed cert.
    • My client system has this cert in ~/.pkl/cacerts.
    • This endpoint redirects to the appropriate location under https://github.internal/github-releases/ just like pkl.pkl-lang.org does.

I made the mistake of not explicitly trusting my normal public CA bundle via ~/.pkl/cacerts, so attempting to access https://github.internal failed, but the error message was surprising!

bash-5.1$ pkl eval package://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0#/go.pkl \
  --http-rewrite https://pkg.pkl-lang.org/=https://pkl.internal/mirror/pkg.pkl-lang.org/ \
  --http-rewrite https://github.com/=https://github.internal/github-releases/
–– Pkl Error ––
Exception when making request `GET https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0`:
Error during SSL handshake with host `pkl.internal`:
unable to find valid certification path to requested target (request was rewritten: https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0 -> https://pkl.internal/mirror/pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0)

I would expect this error to look something like this:

Exception when making request `GET https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0`:
Error during SSL handshake with host `pkl.internal`:
unable to find valid certification path to requested target
* request was rewritten: https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0 -> https://pkl.internal/mirror/pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0
* request was redirected: https://pkl.internal/mirror/pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0 -> https://github.internal/github-releases/apple/pkl-go/releases/download/pkl.golang%400.11.0/pkl.golang@0.11.0

(The handling of ~/.pkl/cacerts being a replacement for the default trust rather than additive is orthogonal to the misleading error message.)

HT154, Jul 30 '25 22:07
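An added sketch, not part of the issue and not Pkl's own code: a small Python model of a client that records every rewrite and redirect hop, so that a TLS failure is reported with the full chain in the format the report asks for. As a choice of this sketch it also names the host of the hop where the handshake failed. All names here (`fetch`, `fake_send`, `TRUSTED_HOSTS`) are hypothetical, and the transport is simulated so the scenario runs offline.

```python
from urllib.parse import urlsplit

class TlsError(Exception):
    """Raised by the transport when certificate validation fails."""

class RequestError(Exception):
    """User-facing error carrying the hop chain."""

def rewrite(url, rules):
    """Apply the first matching prefix rewrite (modelled on --http-rewrite)."""
    for src, dst in rules:
        if url.startswith(src):
            return dst + url[len(src):]
    return url

def fetch(url, rules, send, max_hops=5):
    """GET `url`, following redirects and recording each hop taken."""
    hops, current = [], url
    for _ in range(max_hops):
        target = rewrite(current, rules)
        if target != current:
            hops.append(f"request was rewritten: {current} -> {target}")
        try:
            status, location = send(target)
        except TlsError as e:
            # Report the host contacted on this hop, plus how we got here.
            host = urlsplit(target).hostname
            lines = [f"Exception when making request `GET {url}`:",
                     f"Error during SSL handshake with host `{host}`:", str(e)]
            raise RequestError("\n".join(lines + [f"* {h}" for h in hops])) from e
        if status not in (301, 302, 303, 307, 308):
            return status
        hops.append(f"request was redirected: {target} -> {location}")
        current = location
    raise RequestError(f"too many redirects for {url}")

# Constructed scenario mirroring the report: only the mirror's cert is trusted.
RULES = [("https://pkg.pkl-lang.org/", "https://pkl.internal/mirror/pkg.pkl-lang.org/"),
         ("https://github.com/", "https://github.internal/github-releases/")]
TRUSTED_HOSTS = {"pkl.internal"}
LOCATION = ("https://github.internal/github-releases/apple/pkl-go/releases/"
            "download/pkl.golang%400.11.0/pkl.golang@0.11.0")

def fake_send(url):
    """Simulated transport: returns (status, redirect location or None)."""
    host = urlsplit(url).hostname
    if host not in TRUSTED_HOSTS:
        raise TlsError("unable to find valid certification path to requested target")
    return (302, LOCATION) if host == "pkl.internal" else (200, None)

def demo():
    try:
        fetch("https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0", RULES, fake_send)
    except RequestError as e:
        return str(e)
```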