Skip to content

[BUG] worker-build binary downloads fail with UnknownIssuer on systems with TLS-inspecting proxies #928

@aquilacf

Description

@aquilacf

Is there an existing issue for this?

  • I have searched the existing issues

What version of workers-rs are you using?

0.7.4

What version of wrangler are you using?

4.63.0

Describe the bug

worker-build fails to download wasm-bindgen (and potentially esbuild/wasm-opt) on systems where HTTPS traffic is inspected by a corporate TLS proxy (e.g., Netskope).

The download() function in worker-build/src/binary.rs uses ureq::get(url).call(), which relies on ureq's default TLS configuration: rustls with RootCerts::WebPki. This uses a statically compiled bundle of Mozilla root CAs (webpki-roots crate) and completely ignores the operating system's certificate trust store.

On systems with TLS inspection, the proxy re-signs all HTTPS traffic with a custom CA certificate that is trusted by the OS (installed in the macOS system keychain, Windows certificate store, etc.) but is not in the webpki-roots bundle. This causes rustls to reject the proxy's certificate with UnknownIssuer, making all binary downloads fail:

[INFO]: ⬇️ Downloading Wasm Bindgen@0.2.106...
Error: Failed to fetch URL https://github.com/wasm-bindgen/wasm-bindgen/releases/download/0.2.106/wasm-bindgen-0.2.106-aarch64-apple-darwin.tar.gz
Caused by:
io: invalid peer certificate: UnknownIssuer

curl works fine because they use the OS trust store.

Expected behavior: worker-build should use the platform's native TLS certificate verification (or at minimum respect the OS certificate store) so that downloads work in corporate environments with TLS inspection.

Proposed fix: Enable the native-tls feature on ureq and configure the download() function to use TlsProvider::NativeTls with RootCerts::PlatformVerifier, which delegates certificate verification to the OS:

Steps To Reproduce

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions