hexpm / hex

Package manager for the Erlang ecosystem.
https://hex.pm

Publish New Release for Updated CA-Bundle #1016

Closed DerTim1 closed 3 months ago

DerTim1 commented 5 months ago

We are using a self-hosted hex-pm mirror, using DigiCert, Inc.", CN = GeoTrust G5 TLS RSA4096 SHA384 2022 CA1 as TLS Root Certificate Authority.

This cert was added recently to ca-bundle.crt, but not yet published as new Hex version.

Can a new version be published?

Otherwise we are running into this error during mix deps.get:

Request failed ({:failed_connect, [{:to_address, {~c"dev.***.de", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state certify at ssl_handshake.erl:2133 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]})

Workaround

If someone else is facing this issue, as a workaround you can do something like

HEX_CACERTS_PATH=/etc/ssl/certs/ca-certificates.crt mix deps.get

using the operating system certificate bundle. You can do this permanently with

mix hex.config cacerts_path /etc/ssl/certs/ca-certificates.crt

yasuf commented 4 months ago

Has anyone been able to find a workaround on macOS for this one?

DerTim1 commented 4 months ago

@yasuf Untested, but something like this should work:

brew install openssl # maybe libressl works too
mix hex.config cacerts_path /opt/homebrew/etc/ca-certificates/cert.pem

wojtekmach commented 4 months ago

You can also use hex main: mix archive.install github hexpm/hex

ericmj commented 3 months ago

We are planning to do a new release soon. For now the workarounds commented above will work.
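
Before pointing `HEX_CACERTS_PATH` or `cacerts_path` at another bundle, as the workarounds above do, it helps to confirm that the bundle really contains the root your mirror's certificate chains to. The following is an added example, not part of the original thread or of Hex; it assumes the OpenSSL 1.1.0+ command-line tool, and the function names, file names and certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every key and certificate here is throwaway, constructed test data.

# bundle_trusts BUNDLE CHAIN_PEM
# Succeeds when the first certificate in CHAIN_PEM (the leaf) chains to a root
# in BUNDLE; further certificates in CHAIN_PEM act only as untrusted intermediates.
# Without -no-CApath (and -no-CAstore on OpenSSL 3.x) openssl also consults its
# default certificate directory, which would hide a root missing from BUNDLE.
bundle_trusts() {
    opts="-no-CApath"
    openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && opts="$opts -no-CAstore"
    # $opts is intentionally unquoted so it splits into separate flags.
    openssl verify $opts -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# make_fixture DIR
# Builds a constructed root, a leaf it issues, and two bundles:
#   old-bundle.pem  only an unrelated root (stands in for a stale bundle)
#   new-bundle.pem  the unrelated root plus the issuing root
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Mirror Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Unrelated Root" \
        -keyout "$1/other.key" -out "$1/old-bundle.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mirror.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null || return 1
    cat "$1/old-bundle.pem" "$1/root.pem" > "$1/new-bundle.pem"
}

# Demo run: the stale bundle reproduces the "unknown CA" condition, the updated one does not.
d=$(mktemp -d) && make_fixture "$d"
for b in old-bundle.pem new-bundle.pem; do
    if bundle_trusts "$d/$b" "$d/leaf.pem"; then
        echo "$b: chain verifies"
    else
        echo "$b: unknown CA"
    fi
done
rm -rf "$d"
```

For a real mirror, save the certificate chain the server presents into one PEM file (leaf first) and pass it as the second argument, with the candidate bundle as the first.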