fix(ie-net): fix multi-process HTTPS by using native OS certificates #75

thomasnemer · thomasnemer · commit 4e3dec80c054 · 2026-04-01T23:17:54.000+02:00
Root cause: webpki-roots 1.0.6 was missing some root CAs (notably
SSL.com TLS Transit ECC CA R2 used by Cloudflare). This caused
TLS handshake failure: "invalid peer certificate: UnknownIssuer".

Fix:
- Switch from with_webpki_roots() to with_native_roots() which
  loads certificates from the OS certificate store (/etc/ssl/certs/)
- Add "native-tokio" feature to hyper-rustls
- Improve error chain capture: walk source() chain for detailed
  TLS error messages instead of losing inner cause

Multi-process HTTPS now works — the sandboxed network child can
successfully complete TLS handshakes with external servers.
The --single-process workaround is no longer needed.
diff --git a/Cargo.toml b/Cargo.toml
@@ -46,7 +46,7 @@ wasmtime = "31"
 hyper = { version = "1", features = ["full"] }
 hyper-util = { version = "0.1", features = ["full"] }
 http-body-util = "0.1"
-hyper-rustls = { version = "0.27", features = ["http2", "webpki-roots"] }
+hyper-rustls = { version = "0.27", features = ["http2", "webpki-roots", "native-tokio"] }
 rustls = "0.23"
 url = "2"
 serde = { version = "1", features = ["derive"] }
diff --git a/crates/ie-net/src/client.rs b/crates/ie-net/src/client.rs
@@ -24,8 +24,10 @@ pub struct Client {
 
 impl Client {
     pub fn new() -> Result<Self, NetError> {
+        // Use native OS certificates with webpki-roots as fallback
         let connector = HttpsConnectorBuilder::new()
-            .with_webpki_roots()
+            .with_native_roots()
+            .map_err(|e| NetError::TlsError(format!("failed to load native certs: {e}")))?
             .https_or_http()
             .enable_http1()
             .enable_http2()
@@ -88,7 +90,14 @@ impl Client {
                 .map_err(|e| NetError::ConnectionFailed(e.to_string()))?;
 
             let resp = self.inner.request(req).await.map_err(|e| {
-                let msg = e.to_string();
+                // Capture full error chain for debugging
+                use std::error::Error as _;
+                let mut msg = e.to_string();
+                let mut source: Option<&dyn std::error::Error> = e.source();
+                while let Some(inner) = source {
+                    msg.push_str(&format!(" → {inner}"));
+                    source = inner.source();
+                }
                 if msg.contains("tls") || msg.contains("ssl") || msg.contains("certificate") {
                     NetError::TlsError(msg)
                 } else {
diff --git a/crates/ie-shell/src/child_network.rs b/crates/ie-shell/src/child_network.rs
@@ -28,6 +28,7 @@ pub async fn run_network_process(mut channel: IpcChannel) -> Result<()> {
                             .await?;
                     }
                     Err(e) => {
+                        tracing::error!("fetch failed: {e:?}");
                         channel
                             .send(&IpcMessage::FetchError {
                                 id,

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ pub async fn run_network_process(mut channel: IpcChannel) -> Result<()> {`
`28`	`28`	`.await?;`
`29`	`29`	`}`
`30`	`30`	`Err(e) => {`
	`31`	`+ tracing::error!("fetch failed: {e:?}");`
`31`	`32`	`channel`
`32`	`33`	`.send(&IpcMessage::FetchError {`
`33`	`34`	`id,`