Hi,
I have a small SSL problem that was not happening before (with the same codebase; using now Erlang 25.1 if that matters).
For host verification, I use the following SSL options:
MatchFun = public_key:pkix_verify_hostname_match_fun( https ),
[ { verify, verify_peer },
{ cacertfile, "/etc/ssl/certs/ca-certificates.crt" },
{ depth, 3 },
{ customize_hostname_check, [ { match_fun, MatchFun } ] } ]
This /etc/ssl/certs/ca-certificates.crt certificate file exists and must have a legit content:
$ head /etc/ssl/certs/ca-certificates.crt
# ACCVRAIZ1
-----BEGIN CERTIFICATE-----
MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
Yet my distribution (Arch Linux) defined it that way:
$ ls -l /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 49 Sep 5 23:59 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
This is a bit unfortunate as it results in:
{error, {failed_connect,
[{to_address, {“acme-v02.api.letsencrypt.org”, 443}},
{inet, [inet], {options,
{cacertfile, “…/…/ca-certificates/extracted/tls-ca-bundle.pem”,
{error, enoent}}}}]}}.
I suppose that the problem is that the file entry is read as a relative symlink that gets resolved based on a VM current directory that does not match?
Whose fault is it: Erlang’s ssl module’s one, Arch Linux’s one, mine?
I tried to temporarily fix the issue by overwriting the crt symlink with its pem target (it is a bit risky as the Arch package manager may not like it) but curiously this did not solve the issue (apparently the same error was reported despite the symlink being replaced).
Disabling peer verification worked, but of course this is not a real solution.
Thanks in advance for any hint!
Best regards,
Olivier.