certifi / erlang-certifi

SSL Certificates for Erlang

cacerts.pem file not being bundled with releases? #21

Closed mconigliaro closed 6 years ago

mconigliaro commented 6 years ago

Sorry if this isn't the right place for this, but while trying to figure out https://github.com/edgurgel/httpoison/issues/294, I discovered a line in hackney which led me here:

CACerts = certifi:cacerts()

Then I discovered this line in the certifi code:

filename:join([AppDir, "certs_spec", "cacerts.pem"])

This led me to believe that a cacerts.pem should exist as part of my release. So I started running find <deploy_dir> -name 'cacerts.pem' on some old (working) instances just to check, and I found a few:

However, I noticed these are old versions of certifi, and more recent versions of our apps use 2.0.0. So as an experiment, I ran mix release to build a few of our projects, then I ran tar tf <file> | grep certifi on the resulting .tar.gz files. These are the only certifi files I see:

lib/certifi-2.0.0/ebin/certifi_pt.beam
lib/certifi-2.0.0/ebin/certifi.beam
lib/certifi-2.0.0/ebin/certifi.app

It doesn't look like the cacerts.pem file gets included at all anymore, which would explain my mysterious 'unknown ca' error. Or am I missing something?

Hinidu commented 6 years ago

Hey @mconigliaro! You are right - cacerts.pem is not bundled. Instead, it is read and parsed during compilation, so certifi:cacerts() returns the parsed data. It's a disputable behavior that actually makes programs slower and more memory-consuming, as I explained in #19. Though I didn't get any response for almost two months :disappointed:

mconigliaro commented 6 years ago

We gave up and just started using HTTPoison's cacertfile option.
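An added example (not code from the certifi project or from either participant) that follows from the two points made in this thread: certifi 2.x embeds the parsed CA bundle at compile time, so there is no cacerts.pem to ship, and an 'unknown ca' failure means the TLS client was not handed any trust anchors. The module below checks that the embedded bundle is present and decodable, then builds peer-verifying SSL options from it instead of from a file path. It assumes an Elixir application with :certifi (2.x or later) and :hackney as dependencies; the module name CaBundleCheck and its function names are hypothetical.

```elixir
# Added example; not part of the certifi project or this issue thread.
# Assumes :certifi >= 2.0 (cacerts/0 returns DER-encoded certificates
# embedded at compile time) and :hackney as the HTTP client.
defmodule CaBundleCheck do
  @moduledoc """
  Verifies that certifi's compile-time embedded CA bundle is usable and
  builds hackney/HTTPoison-style SSL options that actually verify the peer.
  """

  # certifi parses cacerts.pem when the library is compiled, so the release
  # never needs the .pem file itself: this returns a list of DER binaries.
  def embedded_cacerts, do: :certifi.cacerts()

  # Sanity check for a release: a non-empty bundle in which every entry is
  # a DER certificate that :public_key can decode. An empty list here would
  # reproduce the 'unknown ca' symptom from the thread.
  def bundle_ok? do
    case embedded_cacerts() do
      [] -> false
      certs -> Enum.all?(certs, &decodable?/1)
    end
  end

  defp decodable?(der) when is_binary(der) do
    # pkix_decode_cert/2 returns an OTPCertificate record (a 4-tuple).
    match?({:OTPCertificate, _, _, _}, :public_key.pkix_decode_cert(der, :otp))
  rescue
    _ -> false
  end

  defp decodable?(_other), do: false

  # SSL options in the shape hackney accepts (HTTPoison's `ssl:` option is
  # passed through to hackney's ssl_options). Handing over the embedded DER
  # list avoids depending on a file path that may not exist in the release.
  def ssl_options do
    [
      verify: :verify_peer,
      cacerts: embedded_cacerts(),
      depth: 3
    ]
  end

  # Example usage with HTTPoison (assumed available in the application):
  #   HTTPoison.get(url, [], ssl: CaBundleCheck.ssl_options())
end
```

Run `CaBundleCheck.bundle_ok?()` from a remote console on the deployed release; `true` confirms the compile-time bundle made it into the .beam, which is the check the `tar tf | grep certifi` listing above cannot give you, since the certificates live inside certifi.beam rather than in a separate file. Passing `cacerts:` with `verify: :verify_peer` is the equivalent of the `cacertfile` workaround without the file dependency.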