hf-hub

InvalidCertificate and how to fix it

Open: sahuguet opened this issue 2 months ago • 1 comment

I am trying to install a DuckDB extension written in Rust (https://github.com/martin-conur/quackformers) that uses the library.

During the install, I am getting a

HfHub(RequestError(Transport(Transport { kind: ConnectionFailed, message: Some("tls connection init failed"), url: Some(Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("huggingface.co")), port: None, path: "/sentence-transformers/all-MiniLM-L6-v2/resolve/main/tokenizer.json", query: None, fragment: None }), source: Some(Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }) })))

The file can be accessed from my environment via curl. The file can be accessed from DuckDB using their httpfs extension which is written in C/C++.

I am working in an environment with a very strict enterprise proxy and this is most likely what's causing the issue (I have zero issues when running the same commands at home).

  1. Can the behavior of HfHub with respect to proxy be modified using env variables?
  2. Can the behavior of HfHub with respect to TLS certificates be modified using env variables?
  3. Where can I find the default value(s) for the proxy settings and the location of certs used by the library?

References:

  • Bug report for quackformers: https://github.com/martin-conur/quackformers/issues/7

sahuguet, Oct 10 '25 14:10

Are you using the sync or tokio variant?

PROXY respects the HTTP_PROXY environment variable (and your system defaults). Same for the TLS. But it could be that the set of allowed certificates is smaller in the Rust default.

It seems like the setup for this should be from either reqwest (tokio backend) or ureq (sync backend). Both should be using your system's default, but there's probably a discrepancy here.

Narsil, Oct 10 '25 18:10
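
A diagnostic for the situation discussed in this thread, added here as an example (it is not code from hf-hub, quackformers, or either participant): it saves the certificate chain a client is actually served and checks it against one specific CA bundle, showing whether the issuer is missing from that bundle. The function names, `proxy.example:8080` and the bundle path are assumptions, and it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added diagnostic example, not hf-hub code. Requires the openssl CLI.

# Print the PEM chain served for host $1 on port 443.
# $2 is optional: an HTTP CONNECT proxy as host:port (hypothetical value).
fetch_chain() {
    host=$1
    proxy=${2:-}
    set -- -connect "$host:443" -servername "$host" -showcerts
    if [ -n "$proxy" ]; then set -- "$@" -proxy "$proxy"; fi
    openssl s_client "$@" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Issuer DN of the first (leaf) certificate in PEM file $1.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Succeed only if the leaf in chain file $2 chains to a root in bundle $1.
# -untrusted offers the served intermediates for path building;
# -no-CApath keeps openssl from also consulting its default CA directory.
trusted_by() {
    openssl verify -CAfile "$1" -no-CApath -untrusted "$2" "$2" >/dev/null 2>&1
}

# One-line verdict for chain file $2 against bundle $1.
diagnose() {
    if trusted_by "$1" "$2"; then
        echo "trusted by $1 (issuer: $(cert_issuer "$2"))"
    else
        echo "untrusted by $1 (issuer: $(cert_issuer "$2"))"
    fi
}

# Usage (needs network; run with and without the proxy argument):
#   fetch_chain huggingface.co proxy.example:8080 > chain.pem
#   diagnose /path/to/ca-bundle.pem chain.pem
```

An issuer that names your organisation rather than a public CA indicates the proxy is re-signing TLS traffic. If the chain is trusted by the bundle curl uses while the Rust client still reports `UnknownIssuer`, the two clients are consulting different root sets.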