certifi / erlang-certifi

SSL Certificates for Erlang

Unknown CA #48

Closed mdillavou closed 2 years ago

mdillavou commented 2 years ago

I am running certifi-2.9.0 and am running into an issue with a specific SSL cert. What is weird is that it works fine on one host, but fails on another.

I'd prefer not to list the hostname here directly, as it is a customer's private host, but I'd be happy to share it privately.

On my machine running Fedora 35:

Interactive Elixir (1.9.1) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> certs = :certifi.cacerts()
iex(2)> opts = [{:verify, :verify_peer}, {:server_name_indication, '*.build.abcdef.com'}, {:depth, 99}, {:cacerts, certs}]
iex(3)> :ssl.connect('ssw-d01-lb.build.abcdef.com', 443, opts)
{:ok,
 {:sslsocket, {:gen_tcp, #Port<0.74>, :tls_connection, :undefined},
  [#PID<0.778.0>, #PID<0.777.0>]}}

Running the exact same branch, inside a docker container running alpine linux:

Interactive Elixir (1.9.1) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> certs = :certifi.cacerts()
iex(2)> opts = [{:verify, :verify_peer}, {:server_name_indication, '*.build.abcdef.com'}, {:depth, 99}, {:cacerts, certs}]
iex(3)> :ssl.connect('ssw-d01-lb.build.abcdef.com', 443, opts)
{:error,
 {:tls_alert,
  {:unknown_ca,
   'TLS client: In state certify at ssl_handshake.erl:1708 generated CLIENT ALERT: Fatal - Unknown CA\n'}}}

What is weird is that every other SSL server I have tried works fine. I am not sure what is special about this server, and why it works on my dev machine, but not in docker with alpine.

mdillavou commented 2 years ago

This appears to be an OTP issue. Updating from otp-22.1 to otp-22.3 resolved the issue for me. I am guessing it is due to this fix in otp-22.2:

ssl: Correct handling of unordered chains so that it works as expected

https://www.erlang.org/news/135
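A small diagnostic for this kind of `unknown_ca` failure, added here as an example and not part of the issue or of erlang-certifi: it performs the same `verify_peer` connect with the certifi bundle as the transcript above, but attaches a `verify_fun` that reports every certificate the TLS stack hands to the verifier (with a fingerprint and the verdict event), so you can see which certificate in the server's chain the client could not link to a CA before deciding whether an OTP upgrade or a fixed server chain is the remedy. The module name `CertifiChainCheck` and the 10 s timeout are assumptions.

```elixir
defmodule CertifiChainCheck do
  # Connect to host:port verifying against certifi's bundle; returns
  # {:ok, events} or {:error, reason, events}, where events lists each
  # certificate passed to verify_fun as {sha256_prefix, verdict_event}.
  def check(host, port \\ 443, sni \\ nil) do
    parent = self()
    sni = to_charlist(sni || host)

    # verify_fun runs inside the ssl connection process; we report each
    # event back to the caller and keep the default verdict, so a real
    # chain problem still fails the handshake exactly as before.
    verify_fun = fn
      cert, {:bad_cert, reason} = ev, _state ->
        send(parent, {:chain_event, fingerprint(cert), ev})
        {:fail, reason}

      _cert, {:extension, _}, state ->
        {:unknown, state}

      cert, ev, state when ev in [:valid, :valid_peer] ->
        send(parent, {:chain_event, fingerprint(cert), ev})
        {:valid, state}
    end

    opts = [
      verify: :verify_peer,
      cacerts: :certifi.cacerts(),
      server_name_indication: sni,
      depth: 99,
      verify_fun: {verify_fun, []}
    ]

    result = :ssl.connect(to_charlist(host), port, opts, 10_000)
    events = collect_events([])   # handshake is over, mailbox is complete

    case result do
      {:ok, sock} -> :ssl.close(sock); {:ok, events}
      {:error, {:tls_alert, {:unknown_ca, _}}} -> {:error, :unknown_ca, events}
      {:error, reason} -> {:error, reason, events}
    end
  end

  # Short SHA-256 of the DER encoding, enough to match against the
  # chain shown by the server or by openssl s_client -showcerts.
  defp fingerprint(otp_cert) do
    der = :public_key.pkix_encode(:OTPCertificate, otp_cert, :otp)
    :crypto.hash(:sha256, der) |> Base.encode16() |> String.slice(0, 16)
  end

  defp collect_events(acc) do
    receive do
      {:chain_event, fp, ev} -> collect_events([{fp, ev} | acc])
    after
      0 -> Enum.reverse(acc)
    end
  end
end
```

Run `CertifiChainCheck.check("host.example", 443, "*.example")` from `iex -S mix` in a project that depends on certifi; an `{:error, :unknown_ca, [...]}` whose events stop at a non-root certificate is the signature of a chain the client could not order or complete.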