Connecting the Rust client to the Genesys Cloud BYOC edge endpoint for the notification API stream keeps hitting TLS handshake failures when using the internal CA bundle, while the public endpoint works fine. The logs show a certificate verify failed error. The custom root CA isn’t trusted by the rustls backend, even though it’s validating correctly in OpenSSL.
Client::builder()
.use_preconfigured_tls(config)
.build(url)
.await
.unwrap_err(); // error: certificate verify failed
let mut store = RootCertStore::empty();
store.add_parsable_certificates(&CUSTOM_CA_BUNDLE);
The CUSTOM_CA_BUNDLE env var usually points to DER. rustls doesn’t accept that. You’ll need to convert it to PEM_FORMAT before loading. Also hardcode NOTIFICATION_API_ENDPOINT to the exact BYOC host for /api/v2/analytics/queues/realtime. The TLS_CHAIN drops silently when intermediates are missing. Just curl the endpoint first.
tried forcing pem decode via ring but the handshake still bombs on the byoc host. i don’t think it’s just the format. does the token endpoint need explicit sni config? here’s my test call:
curl -v --cacert custom.pem https://byoc-host/api/v2/oauth/token
wondering if the intermediate is missing.