SSL certificate look-up problem


I have a small SSL problem that was not happening before (with the same codebase; using now Erlang 25.1 if that matters).

For host verification, I use the following SSL options:

 MatchFun = public_key:pkix_verify_hostname_match_fun( https ),

 [ { verify, verify_peer },
   { cacertfile, "/etc/ssl/certs/ca-certificates.crt" },
   { depth, 3 },
   { customize_hostname_check, [ { match_fun, MatchFun } ] } ]

This /etc/ssl/certs/ca-certificates.crt certificate file exists and must have a legit content:

 $ head /etc/ssl/certs/ca-certificates.crt

Yet my distribution (Arch Linux) defined it that way:

 $ ls -l /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 49 Sep  5 23:59 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem

This is a bit unfortunate as it results in:

{error, {failed_connect,
[{to_address, {“”, 443}},
{inet, [inet], {options,
{cacertfile, “…/…/ca-certificates/extracted/tls-ca-bundle.pem”,
{error, enoent}}}}]}}.

I suppose that the problem is that the file entry is read as a relative symlink that gets resolved based on a VM current directory that does not match?

Whose fault is it: Erlang’s ssl module’s one, Arch Linux’s one, mine?

I tried to temporarily fix the issue by overwriting the crt symlink with its pem target (it is a bit risky as the Arch package manager may not like it) but curiously this did not solve the issue (apparently the same error was reported despite the symlink being replaced).
Disabling peer verification worked, but of course this is not a real solution.

Thanks in advance for any hint!

Best regards,


1 Like

Sounds like SSL certificates from relative symbolic links broken since OTP 25.1 · Issue #6328 · erlang/otp · GitHub which should be fixed in the next patch release (or you can cherry-pick it or use current HEAD of maint-25).

1 Like

Thanks Mikael! This sounds indeed to be the cause of this issue. I will then wait until 25.2 and test it (unless an earlier testing would be of use for the maintainers).

1 Like