Rebar3 TLS client error - {unexpected_error,{error,{"pkey.c",771}, "Can't EVP_PKEY_CTX_set_signature_md"}}

kuna.prime · July 1, 2025, 2:33pm

Hi, I’m trying to fetch dependencies from our gitlab instance with custom erlang package registry. That all worked until a week ago when i started to get following error on my rebar3 builds

TLS client: In state wait_cert_cr at ssl_handshake.erl:414 generated CLIENT ALERT: Fatal - Internal Error
 - {unexpected_error,{error,{"pkey.c",771},
                            "Can't EVP_PKEY_CTX_set_signature_md"}}

i’m building with:
fedora 42
rebar3 3.25
Erts 16.0.1

things that I have tried and didn’t help:

downgrading versions of rebar3 and/or erlang
changing gitlab token
clearing all caches and full reinstall of rebar3 and OTP

I’m also sure that my certs are fine. So i’m facing bit of a dead end and any help would be appreciated.

Thanks

crownedgrouse · July 1, 2025, 10:33pm

Check openssl version.
Since 3.0.1, by memory, sha1 signature is not anymore accepted even in non FIPS mode.

[EDIT]
Found this : Adding a config option in openssl.cnf to enable SHA-1 signature creation and verification · Issue #17662 · openssl/openssl · GitHub

kuna.prime · July 7, 2025, 1:17pm

in addition:

cat /etc/crypto-policies/back-ends/opensslcnf.config
sudo update-crypto-policies --show
sudo update-crypto-policies --set LEGACY

that was enough for me to resolve a problem completely

thank you @crownedgrouse