[bug] $150 screenpipe self signed certs issue - tls connection init failed

[zy31415]

describe the bug
brief description of the bug.

to reproduce

1. Install screenpipe via homebrew
2. Start screenpipe via command line

expected behavior
Seeing the following error:

2024-11-21T19:08:28.461123Z ERROR screenpipe: continuous recording error: request error: https://huggingface.co/openai/whisper-large-v3-turbo/resolve/main/config.json: Connection Failed: tls connection init failed: invalid peer certificate: UnknownIssuer

system info

• os: 15.1 (24B83)
• screenpipe version: 0.1.98

additional context
It's related to a self signed certificate. The certificate is trusted in the MacOs KeyChain. However, it is not recognized by screenpipe. Is there a way to let screenpipe trust this self signed cert?

[linear]

MED-311 [bug] screenpipe self signed certs issue - tls connection init failed

[louis030195]

are you in china or behind firewall?

[zy31415]

Located in North Americas. I am on a corporate laptop so behind VPN/firewall stuff.

[zy31415]

Update: If I stop the corporate VPN (GlobalProtect), the problem is gone.

[joshuaauger]

@louis030195 Any updates on this, it would be great if we had system keychain/certificates imported by default. I believe currently I'm seeing this same issue due to ZScaler on our corporate machines.

[louis030195]

some ideas from AI:

use reqwest::Client;
use std::time::Duration;

pub fn create_client() -> Result<Client> {
    let client = Client::builder()
        .timeout(Duration::from_secs(30))
        .use_system_proxy() // Use system proxy settings
        .tls_built_in_root_certs(true) // Use system root certificates
        .build()
        .context("failed to create http client")?;

    Ok(client)
}

@joshuaauger

i'm not sure where is the problem, should i send a PR to huggingface or is it something in our CLI code?

not familiar at all with this

huggingface/candle#2668

trying to figure out

[joshuaauger]

@louis030195

I'm no rust developer, but I think rustls doesn't use the system certificates but native-tls does.

something similar to this:
#38

[louis030195]

https://github.com/huggingface/hf-hub/blob/ac22200ea0b5af4d8c362f699be0340647b19060/Cargo.toml#L44

[louis030195]

huggingface/hf-hub#56

[louis030195]

/bounty 150

[algora-pbc]

💎 $150 bounty • Screenpi.pe

Steps to solve:

1. Start working: Comment /attempt #730 with your implementation plan
2. Submit work: Create a pull request including /claim #730 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to mediar-ai/screenpipe!

Add a bounty • Share on socials

Attempt	Started (GMT+0)	Solution
🟢 @neo773		#982

[algora-pbc]

💡 @neo773 submitted a pull request that claims the bounty. You can visit your bounty board to reward.

[joshuaauger]

@neo773
I'm on MacOS, trying to follow the build guide but I don't see any changes in behaviour. What do I need to do to build with your changes?

[joshuaauger]

I see this message from screenpipe-audio, maybe I'm not building correctly:

[2024-12-16T01:53:04Z DEBUG rustls::client::hs] ALPN protocol is None
Error: request error: https://huggingface.co/distil-whisper/distil-large-v3/resolve/main/model.safetensors: Connection Failed: tls connection init failed: invalid peer certificate: UnknownIssuer

Caused by:
    0: https://huggingface.co/distil-whisper/distil-large-v3/resolve/main/model.safetensors: Connection Failed: tls connection init failed: invalid peer certificate: UnknownIssuer
    1: invalid peer certificate: UnknownIssuer

[algora-pbc]

🎉🎈 @neo773 has been awarded $150! 🎈🎊

• Share on socials
• Give feedback

[joshuaauger]

#986

Added a PR, this was required for me to get past the certificate issue, not sure why the patch alone wasn't working, but I needed the features in the workspace dependencies, added the workspace = true to server, and added the feature to core, didn't work without all of the changes

Not sure if anything else broke, need someone to verify PR and do a full test.

[joshuaauger]

@louis030195 let me know if we can run a test build with the changes!

Thanks!

[neo773]

Yes, the issue was other workspace packages had conflicts with feature flags.

I couldn't really test it within screenpipe as I did not have the same setup as you so I tested the changes within my fork of hf-hub and it worked fine .

Seems to be working now.

[joshuaauger]

Awesome!
Thanks for confirming @neo773.

[louis030195]

@joshuaauger @zy31415 is it working now?

[joshuaauger]

It should be once the new build has these. My test build had some other issue unrelated but the certificate warnings were gone. Sent from my iPhoneOn Dec 19, 2024, at 7:33 AM, Louis Beaumont ***@***.***> wrote: @joshuaauger @zy31415 is it working now? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>