Package download error reporting hides true cause when redirects are involved #332

Open
opened 2025-12-30 01:23:37 +01:00 by adam · 0 comments
Owner

Originally created by @HT154 on GitHub (Jul 31, 2025).

I'm working on adopting Pkl 0.29 and HTTP rewrites and ran into an error condition with a misleading message.

Background:

* I'm trying to pull packages via pkg.pkl-lang.org (which redirects to github.com) without connecting to the public internet.
* I have a rewrite from https://github.com/ to https://github.internal/github-releases/
  * This endpoint uses a cert from a publicly trusted CA.
* I have a rewrite from https://pkl.pkl-lang.org to https://pkl.internal/mirror/pkg.pkl-lang.org/
  * This endpoint is using a self-signed cert.
  * My client system has this cert in ~/.pkl/cacerts.
  * This endpoint redirects to the appropriate location under https://github.internal/github-releases/ just like pkl.pkl-lang.org does.

I made the mistake of not explicitly trusting my normal public CA bundle via ~/.pkl/cacerts so attempting to access https://github.internal failed, but the error message was surprising!

```console
bash-5.1$ pkl eval package://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0#/go.pkl \
  --http-rewrite https://pkg.pkl-lang.org/=https://pkl.internal/mirror/pkg.pkl-lang.org/ \
  --http-rewrite https://github.com/=https://github.internal/github-releases/
–– Pkl Error ––
Exception when making request `GET https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0`:
Error during SSL handshake with host `pkl.internal`:
unable to find valid certification path to requested target (request was rewritten: https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0 -> https://pkl.internal/mirror/pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0)
```

I would expect this error to look something like this:

```
Exception when making request `GET https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0`:
Error during SSL handshake with host `pkl.internal`:
unable to find valid certification path to requested target
* request was rewritten: https://pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0 -> https://pkl.internal/mirror/pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0
* request was redirected: https://pkl.internal/mirror/pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0 -> https://github.internal/github-releases/apple/pkl-go/releases/download/pkl.golang%400.11.0/pkl.golang@0.11.0
```

(The handling of ~/.pkl/cacerts being a replacement for the default trust rather than additive is orthogonal to the misleading error message)
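Added example, not part of the original issue and not Pkl's own code: a Python sketch of hop-by-hop tracing, in which every rewrite and redirect is recorded so that a trust failure is reported with the full chain and the host of the hop where the handshake failed. The transport `send`, the first-match rewrite rule, absolute `Location` values and the sample trust sets are assumptions made for the sketch.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

class TlsTrustError(Exception):
    """Simulated handshake failure: the host's certificate chain is not trusted."""

def apply_rewrites(url, rewrites):
    # Assumption for this sketch: the first matching prefix wins.
    for src, dst in rewrites:
        if url.startswith(src):
            return dst + url[len(src):]
    return url

def fetch_with_trace(url, rewrites, send, max_redirects=5):
    """send(url) -> (status, location) or raises TlsTrustError (hypothetical transport)."""
    hops, current = [], url
    for _ in range(max_redirects + 1):
        target = apply_rewrites(current, rewrites)
        if target != current:
            hops.append(("rewritten", current, target))
        try:
            status, location = send(target)
        except TlsTrustError as exc:
            # Name the host of the hop that failed and list every hop taken so far.
            lines = [f"Exception when making request `GET {url}`:",
                     f"Error during SSL handshake with host `{urlsplit(target).hostname}`:",
                     str(exc)]
            lines += [f"* request was {kind}: {a} -> {b}" for kind, a, b in hops]
            raise RuntimeError("\n".join(lines)) from exc
        if status not in REDIRECTS:
            return target, hops
        hops.append(("redirected", target, location))
        current = location
    raise RuntimeError(f"more than {max_redirects} redirects from {url}")

# Constructed sample data mirroring the report (no network access).
REWRITES = [("https://pkg.pkl-lang.org/", "https://pkl.internal/mirror/pkg.pkl-lang.org/"),
            ("https://github.com/", "https://github.internal/github-releases/")]
MIRROR = "https://pkl.internal/mirror/pkg.pkl-lang.org/pkl-go/pkl.golang@0.11.0"
RELEASE = ("https://github.internal/github-releases/apple/pkl-go/releases/"
           "download/pkl.golang%400.11.0/pkl.golang@0.11.0")

def make_send(trusted_hosts):
    def send(url):
        # Trust set replaces the defaults: any host outside it fails the handshake.
        if urlsplit(url).hostname not in trusted_hosts:
            raise TlsTrustError("unable to find valid certification path to requested target")
        return (302, RELEASE) if url == MIRROR else (200, None)
    return send
```

Calling `fetch_with_trace` with `make_send({"pkl.internal"})` raises an error that lists both the rewrite and the redirect; adding `github.internal` to the trusted set lets the same call return the release URL.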
Reference: starred/pkl#332