
Can't request an HTTP only server if there is no certificate/trust store. #2988

Description

@stormshield-gt

rustls-platform-verifier currently errors when no cert store is available on the machine and no extra roots are provided, even when not using TLS.

So if you use reqwest in an environment with no cert store, you won't be able to request an HTTP-only server.
This type of environment is really common in the Docker world; for instance, Docker images that did not install the ca-certificates package.

To reproduce, you can launch the official rust docker image,

docker run -it rust:1.94-slim bash

And then execute this command inside the container:

apt-get remove --yes --purge ca-certificates
cargo new repro
cd repro
cargo add tokio --features macros,rt-multi-thread
cargo add reqwest
echo '#[tokio::main]
async fn main() {
    let text = reqwest::get("http://httpbin.org/get")
        .await
        .unwrap()
        .text()
        .await
        .unwrap();
    dbg!(text);
}' > src/main.rs
cargo r

Expected output:

thread 'main' (3094) panicked at src/main.rs:5:10:
called `Result::unwrap()` on an `Err` value: reqwest::Error { kind: Builder, source: General("No CA certificates were loaded from the system") }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The current workaround we use is to prevent the call to rustls-platform-verifier in Client::build in the case of HTTP:

// Skip the platform verifier for plain-HTTP targets: with an empty root set
// the verifier is never asked to load the system store, and no TLS handshake
// happens for an http:// URL (an http -> https redirect would fail verification).
if url.starts_with("http://") {
    builder = builder.tls_certs_only(Vec::new());
}

Ideally, it would be nice not to have to use this trick.
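Before reaching for the workaround above it is worth confirming that the image really has no trust store, since the error quoted in the report ("No CA certificates were loaded from the system") is exactly what the verifier produces in that situation. The script below is an added diagnostic, not code from reqwest, rustls-platform-verifier or the issue author: it checks a root filesystem (assumed to be passed as an argument so it can be pointed at a mounted image or a scratch directory; "/" by default) for a non-empty PEM bundle at the conventional Debian, RHEL, SUSE and Alpine locations, and honours an `SSL_CERT_FILE` override. The candidate paths and the `ca_store_present` / `diagnose` function names are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic for the "No CA certificates were loaded from the system"
# failure. Not part of reqwest or rustls-platform-verifier.

# Bundle locations assumed from common distro layouts
# (Debian/Ubuntu, RHEL/Fedora, SUSE, Alpine). Extend as needed.
CA_BUNDLE_CANDIDATES="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
"

# ca_store_present ROOT
#   Returns 0 if a usable CA bundle is visible under ROOT (default "/"),
#   1 otherwise. An explicit SSL_CERT_FILE pointing at a non-empty file wins.
ca_store_present() {
    root="${1:-/}"
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -s "${SSL_CERT_FILE}" ]; then
        return 0
    fi
    for f in $CA_BUNDLE_CANDIDATES; do
        path="${root%/}$f"
        # Must exist, be non-empty and actually hold at least one PEM cert:
        # an empty ca-certificates.crt (purged package) must not count.
        if [ -s "$path" ] && grep -q 'BEGIN CERTIFICATE' "$path"; then
            return 0
        fi
    done
    return 1
}

# diagnose ROOT
#   Prints what a reqwest client built in this filesystem will run into and
#   exits with the same status as ca_store_present.
diagnose() {
    root="${1:-/}"
    if ca_store_present "$root"; then
        echo "CA bundle found under $root: the default verifier can load roots."
        return 0
    fi
    echo "No CA bundle under $root: building a reqwest client with the default"
    echo "rustls-platform-verifier fails, even for http:// URLs."
    echo "Fix the image (install ca-certificates, or set SSL_CERT_FILE to a"
    echo "bundle). tls_certs_only(Vec::new()) only suits plain-HTTP clients:"
    echo "it trusts no roots, so any https:// hop, including a redirect, fails."
    return 1
}

# Run against a real filesystem when a root is given: sh check_ca_store.sh /
if [ "$#" -gt 0 ]; then
    diagnose "$1"
    exit $?
fi
```

Run it inside the container from the reproduction (`sh check_ca_store.sh /`) before and after `apt-get remove --purge ca-certificates`; the exit status flips from 0 to 1, which is the state in which the client build panics. The check deliberately treats an empty bundle file as "no store", because purging the package can leave a zero-byte file behind that still makes the verifier fail.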

Labels: A-tls (Area: Transport Layer Security)