We are trying to connect to QuestDB via HTTPS ILP and the certificate is not accepted.
I have investigated it a bit and the problem seems to be the following: questdb-rs crate depends on ureq for HTTP/HTTPS and ureq is using webpki-root, which in turn contains a hard-coded set of CA roots.
In principle, it is possible to pass a feature tag to ureq called native-certs which should make it use CA roots provided with the OS. However, even if I set tls-native-certs feature on questdb-rs crate, it does not enable native certificates.
As a result, we cannot use HTTPS ILP with QuestDB Enterprise using our own CA.
The same problem likely exists if we try to use HTTPS ILP via the Python API as, as far as I remember, it is built on top of questdb-rs.
What would you recommend?
You might be tempted to disable verification by passing ;tls_verify=unsafe_off on the connection string, but of course that's a very bad idea and I would only recommend it for testing in a development environment with a self-signed certificate.
What we can do instead is use the tls_ca parameter, which has multiple values. If we want to accept both the webpki-root and whatever we have on the OS, we can just pass tls_ca=webpki_and_os_roots and it will work.
In the docs there are also options to support only either of the CA roots, or even to point to a PEM file.
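A way to check which trust setting a connection string actually requests before it reaches production, as an added example that is not part of the original answer or of questdb-rs. The `audit` helper and the sample host are hypothetical; the `tls_roots` key, the `pem_file` value and the `webpki_roots` default are assumptions taken from the QuestDB client documentation rather than from this page.

```rust
use std::collections::HashMap;

/// Trust posture a QuestDB client configuration string ends up with.
#[derive(Debug, PartialEq)]
pub enum Trust {
    Plaintext,      // http:: or tcp::, no TLS at all
    VerifyDisabled, // tls_verify=unsafe_off: any certificate is accepted
    Roots(String),  // certificate is verified against this tls_ca root set
    Invalid(String),
}

/// Hypothetical helper (not part of questdb-rs). Does not handle the ";;"
/// escape for semicolons inside values.
pub fn audit(conf: &str) -> Trust {
    let (proto, rest) = match conf.split_once("::") {
        Some(parts) => parts,
        None => return Trust::Invalid("missing '::' after protocol".into()),
    };
    let mut kv: HashMap<&str, &str> = HashMap::new();
    for pair in rest.split(';').filter(|p| !p.is_empty()) {
        match pair.split_once('=') {
            Some((k, v)) => { kv.insert(k, v); }
            None => return Trust::Invalid(format!("bad pair: {}", pair)),
        }
    }
    if !matches!(proto, "https" | "tcps") {
        return Trust::Plaintext;
    }
    if kv.get("tls_verify") == Some(&"unsafe_off") {
        return Trust::VerifyDisabled;
    }
    // Assumption: with no tls_ca the client falls back to the bundled webpki roots.
    match kv.get("tls_ca").copied().unwrap_or("webpki_roots") {
        "pem_file" if !kv.contains_key("tls_roots") => {
            Trust::Invalid("tls_ca=pem_file without tls_roots".into())
        }
        ca @ ("webpki_roots" | "os_roots" | "webpki_and_os_roots" | "pem_file") => Trust::Roots(ca.into()),
        other => Trust::Invalid(format!("unknown tls_ca: {}", other)),
    }
}

fn main() {
    // Constructed sample strings; the host name is a placeholder.
    for conf in [
        "https::addr=questdb.example.internal:9000;tls_ca=webpki_and_os_roots;",
        "https::addr=questdb.example.internal:9000;tls_verify=unsafe_off;",
    ] {
        println!("{:?} <- {}", audit(conf), conf);
    }
}
```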