Closed mconigliaro closed 6 years ago
Hey @mconigliaro!
You are right - `cacerts.pem` is not bundled. Instead it is being read and parsed during compilation. So `certifi:cacerts()` returns this parsed data.
It's a disputable behavior that actually makes programs slower and more memory consuming as I explained in #19. Though I didn't get any response for almost two months :disappointed:
We gave up and just started using HTTPoison's `cacertfile` option.
Sorry if this isn't the right place for this, but while trying to figure out https://github.com/edgurgel/httpoison/issues/294, I discovered a line in hackney which led me here:
Then I discovered this line in the certifi code:
This led me to believe that a `cacerts.pem` should exist as part of my release. So I started running `find <deploy_dir> -name 'cacerts.pem'` on some old (working) instances just to check, and I found a few:

```
lib/certifi-1.0.0/priv/cacerts.pem
lib/certifi-1.1.0/priv/cacerts.pem
```

However, I noticed these are old versions of certifi, and more recent versions of our apps use 2.0.0. So as an experiment, I ran `mix release` to build a few of our projects, then I ran `tar tf <file> | grep certifi` on the resulting `.tar.gz` files. These are the only certifi files I see:

It doesn't look like the `cacerts.pem` file gets included at all anymore, which would explain my mysterious 'unknown ca' error. Or am I missing something?