[BUG] worker-build binary downloads fail with UnknownIssuer on systems with TLS-inspecting proxies #928
Description
Is there an existing issue for this?
- I have searched the existing issues
What version of workers-rs are you using?
0.7.4
What version of wrangler are you using?
4.63.0
Describe the bug
worker-build fails to download wasm-bindgen (and potentially esbuild/wasm-opt) on systems where HTTPS traffic is inspected by a corporate TLS proxy (e.g., Netskope).
The download() function in worker-build/src/binary.rs uses ureq::get(url).call(), which relies on ureq's default TLS configuration: rustls with RootCerts::WebPki. This uses a statically compiled bundle of Mozilla root CAs (webpki-roots crate) and completely ignores the operating system's certificate trust store.
On systems with TLS inspection, the proxy re-signs all HTTPS traffic with a custom CA certificate that is trusted by the OS (installed in the macOS system keychain, Windows certificate store, etc.) but is not in the webpki-roots bundle. This causes rustls to reject the proxy's certificate with UnknownIssuer, making all binary downloads fail:
[INFO]: ⬇️ Downloading Wasm Bindgen@0.2.106...
Error: Failed to fetch URL https://github.com/wasm-bindgen/wasm-bindgen/releases/download/0.2.106/wasm-bindgen-0.2.106-aarch64-apple-darwin.tar.gz
Caused by:
io: invalid peer certificate: UnknownIssuer
curl works fine because they use the OS trust store.
Expected behavior: worker-build should use the platform's native TLS certificate verification (or at minimum respect the OS certificate store) so that downloads work in corporate environments with TLS inspection.
Proposed fix: Enable the native-tls feature on ureq and configure the download() function to use TlsProvider::NativeTls with RootCerts::PlatformVerifier, which delegates certificate verification to the OS:
Steps To Reproduce
No response