Strange Let's Encrypt's certificate verification failure (zig 0.15.2)

Hello!

I have just noticed that the code snippet below works only if Let's Encrypt's certificate chain is RSA (host) ← RSA (LE) ← RSA (ISRG Root X1) (https://ziglang.org). If the chain is EC ← EC ← RSA (https://www.ar-fi.com), it fails:

zig build run
error: TlsInitializationFailed
/home/ws/tools/zig/build_release_15_3/stage3/lib/zig/std/crypto/tls/Client.zig:791:45: 0x11d29bf in init (zig_snip)
.certificate => return error.TlsCertificateNotVerified,
^
/home/ws/tools/zig/build_release_15_3/stage3/lib/zig/std/http/Client.zig:342:25: 0x112b1ab in create (zig_snip)
) catch return error.TlsInitializationFailed,
^
/home/ws/tools/zig/build_release_15_3/stage3/lib/zig/std/http/Client.zig:1450:24: 0x111b326 in connectTcpOptions (zig_snip)
const tc = try Connection.Tls.create(client, proxied_host, proxied_port, stream);
^
/home/ws/tools/zig/build_release_15_3/stage3/lib/zig/std/http/Client.zig:1408:5: 0x111b5b3 in connectTcp (zig_snip)
return connectTcpOptions(client, .{ .host = host, .port = port, .protocol = protocol });
^
/home/ws/tools/zig/build_release_15_3/stage3/lib/zig/std/http/Client.zig:1583:14: 0x110e3d8 in connect (zig_snip)
} orelse return client.connectTcp(host, port, protocol);
^
/home/ws/tools/zig/build_release_15_3/stage3/lib/zig/std/http/Client.zig:1699:18: 0x1108db1 in request (zig_snip)
break :c try client.connect(host_name, uriPort(uri, protocol), protocol);
^
/home/ws/tools/zig/build_release_15_3/stage3/lib/zig/std/http/Client.zig:1789:15: 0x1103fe4 in fetch (zig_snip)
var req = try request(client, method, uri, .{
^
/home/ws/p/zig-snip/src/main.zig:20:22: 0x110379e in main (zig_snip)
const response = try client.fetch(.{
^
run
± run exe zig_snip failure
error: the following command exited with error code 1:
/home/ws/p/zig-snip/zig-out/bin/zig_snip

Build Summary: 3/5 steps succeeded; 1 failed
run transitive failure
± run exe zig_snip failure

error: the following build command failed with exit code 1:
.zig-cache/o/38297ce60136dea2b2c5c20231adfba8/build /home/ws/tools/zig/build_release_15_3/stage3/bin/zig /home/ws/tools/zig/build_release_15_3/stage3/lib/zig /home/ws/p/zig-snip .zig-cache /home/ws/.cache/zig --seed 0xed0127a4 -Z0ab0dc7b672c0d39 run

Compilation exited abnormally with code 1 at Thu Dec 18 13:59:05, duration 0.72 s


triggering code:

const std = @import("std");
const http = std.http;

pub fn main() !void {
    var gpa = std.heap.GeneralPurposeAllocator(.{}){};
    defer _ = gpa.deinit(); // report leaks on exit
    const allocator = gpa.allocator();

    var client = http.Client{ .allocator = allocator };
    defer client.deinit();

    // RSA chain (works):
    // const url = "https://ziglang.org";
    // EC <- EC <- RSA chain (fails with TlsCertificateNotVerified):
    const url = "https://www.ar-fi.com";

    // Write the response body to a file under /tmp.
    const file = try (try std.fs.openDirAbsolute("/tmp", .{})).createFile("dl.stuff", .{ .mode = 0o777, .truncate = true });
    defer file.close();

    var wr_buf: [64]u8 = undefined;
    var writer = file.writer(&wr_buf);

    const response = try client.fetch(.{
        .location = .{ .url = url },
        .redirect_behavior = .not_allowed,
        .method = .GET,
        .response_writer = &writer.interface,
    });

    std.debug.assert(response.status == .ok);
    try writer.interface.flush();
}

Is this a well known issue, or something new?

There are a few issues around certificates:

Not sure if any of those directly address your issue. If not, you may want to look at opening an issue on codeberg.

So I ran this through a debugger, and it is failing on this line: To 1024+ bytes to prevent IE from showing its internal.
It looks like the client is not responding correctly to the TLS handshake.
I tried it with curl as well, and curl also errors:

curl: (60) SSL certificate problem: unable to get local issuer certificate
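As an added example (not from the thread and not Zig's std), this Go program builds a constructed chain of the shape the original post says fails, a P-256 leaf signed by a P-384 intermediate signed by an RSA root, and verifies it with Go's crypto/x509 both with and without the intermediate. A correct verifier accepts the mixed RSA/ECDSA chain, while leaving out the intermediate produces the unknown-authority failure that curl reports as "unable to get local issuer certificate", which is worth ruling out (does the server send its intermediate?) before attributing the Zig error to EC support. The names BuildChain, VerifyLeaf and the host www.example.test are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// mkCert issues a certificate for pub, signed with signer by parent (self-signed when parent is nil).
func mkCert(cn string, serial int64, isCA bool, dns []string, pub any, parent *x509.Certificate, signer any) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only the root and the intermediate may issue
	if parent == nil { parent = tmpl }
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildChain generates fresh keys and a constructed chain shaped like the failing case in the thread:
// P-256 EC leaf for host <- P-384 EC intermediate <- RSA-2048 root (an E-series chain under ISRG Root X1).
func BuildChain(host string) (root, inter, leaf *x509.Certificate) {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	interKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root = mkCert("Test Root (RSA)", 1, true, nil, &rootKey.PublicKey, nil, rootKey)
	inter = mkCert("Test Intermediate (EC)", 2, true, nil, &interKey.PublicKey, root, rootKey)
	leaf = mkCert(host, 3, false, []string{host}, &leafKey.PublicKey, inter, interKey)
	return root, inter, leaf
}

// VerifyLeaf validates leaf for host against the trusted root. With the intermediate the mixed RSA/ECDSA
// chain verifies (nil); without it Go returns x509.UnknownAuthorityError, the same failure curl reports as
// "unable to get local issuer certificate" when a server does not send its intermediate.
func VerifyLeaf(root, inter, leaf *x509.Certificate, withIntermediate bool, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if withIntermediate { inters.AddCert(inter) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

From a main, call BuildChain once and VerifyLeaf twice (with and without the intermediate) to see nil versus the unknown-authority error.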