Ssl certificate verification failing for a _valid_ cert #240
Comments
I have the same issue on Erlang 18. I checked and at least one of the certificates is in the list of supported certificates, so I'm not sure what is happening for now. Working on it anyway. |
It seems related to Erlang or maybe to our certificate file (but that one should be the same as the one in curl... :
|
I had a similar problem. The solution was to change in public_key to
%%================================
Method = post,
URL = <<"https://rest-api.pay.nl/v5/Transaction/start/json">>,
Headers = [],
Payload = <<>>,
Options = [],
{ok, StatusCode, RespHeaders, ClientRef} = hackney:request(Method, URL, Headers, Payload, Options).
=INFO REPORT==== 18-Sep-2015::14:45:15 ===
=INFO REPORT==== 18-Sep-2015::14:45:15 ===
{ok,400,
Sorry for my English :) |
@benoitc I'm also running into the aforementioned issue, this time with the cert from https://registry.npmjs.com |
@terinjokes afaik one of the root certificates is expired, which causes the issue. For now there is no hope in the current released version of Erlang. Hopefully it will be solved with the latest patch in Erlang that landed on the ml. |
I am running into this issue, albeit through Elixir's HTTPoison library. Error: ** (HTTPoison.Error) {:tls_alert, 'bad certificate'} |
Is there any way to fix this besides passing the |
I'm having the same issue, here's another example, the server cert should be valid:
➔ erl -pa ebin -pa deps/*/ebin
Erlang/OTP 18 [erts-7.3] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false] [dtrace]
Eshell V7.3 (abort with ^G)
1> hackney:start().
ok
2> Method = get,
2> URL = <<"https://qoolife.com">>,
2> Headers = [],
2> Payload = <<>>,
2> Options = [],
2> {ok, StatusCode, RespHeaders, ClientRef} = hackney:request(Method, URL, Headers, Payload, Options).
=ERROR REPORT==== 4-Aug-2016::19:29:33 ===
SSL: certify: ssl_handshake.erl:1476:Fatal error: bad certificate
** exception error: no match of right hand side value {error,{tls_alert,"bad certificate"}} |
Any update on this? I am running into this as well.
iex(1)> :hackney.start()
:ok
iex(2)> :hackney.request(:get, "https://oauth.withings.com", [], "", [])
{:error, {:tls_alert, 'bad certificate'}}
[error] SSL: :certify: ssl_handshake.erl:1509:Fatal error: bad certificate
iex(3)> :hackney.request(:get, "https://oauth.withings.com", [], "", [insecure: true])
{:ok, 302,
[{"Server", "nginx"}, {"Date", "Mon, 12 Sep 2016 07:52:27 GMT"},
{"Content-Type", "text/html"}, {"Content-Length", "0"},
{"Connection", "keep-alive"}, {"X-Powered-By", "Banana Pi"},
{"Set-Cookie",
"lang_select_language=en; expires=Wed, 12-Sep-2018 07:52:27 GMT; path=/"},
{"Location", "http://oauth.withings.com/en/account/dashboard"},
{"Vary", "Accept-Encoding"}], #Reference<0.0.4.182>}
|
@aeons your issue is not related. In your case hackney is connecting via https to https://oauth.withings.com and then gets in return an absolute url using http instead of https (which should be, the behaviour of @jaimeiniesta well the handshaking of the server is not good: Actually this is the order of one of the certificates that is preventing the handshake from completing. As far as I know there is no way to reorder the chain right now. Maybe it changed in Erlang 19. I will check. |
Oh man, I didn't even notice that. That is horrible. Thanks for looking into it. EDIT: Actually, that redirect is only because I shortened the url. With the full url it looks like this:
iex(1)> :hackney.start()
:ok
iex(2)> :hackney.request(:get, "https://oauth.withings.com/account/request_token", [], "", [])
{:error, {:tls_alert, 'bad certificate'}}
[error] SSL: :certify: ssl_handshake.erl:1509:Fatal error: bad certificate
iex(3)> :hackney.request(:get, "https://oauth.withings.com/account/request_token", [], "", [insecure: true])
{:ok, 200,
[{"Server", "nginx"}, {"Date", "Mon, 12 Sep 2016 11:40:34 GMT"},
{"Content-Type", "text/html"}, {"Content-Length", "48"},
{"Connection", "keep-alive"}, {"X-Powered-By", "Banana Pi"},
{"Set-Cookie",
"lang_select_language=en; expires=Wed, 12-Sep-2018 11:40:34 GMT; path=/"},
{"Vary", "Accept-Encoding"}], #Reference<0.0.1.125>}
|
However, https://www.ssllabs.com/ssltest/analyze.html?d=oauth.withings.com , shows Could that be the cause? |
Erlang master has fixed some of the above SSL issues. https://qoolife.com and https://rest-api.pay.nl work fine now. oauth.withings still gives me errors, it will probably work when the chain is corrected. |
MaxCDN have the incorrect chain order problem when you try to pull https://www.maxcdn.com/one/assets/ips.txt (SSL Labs) |
Not recommended but: |
Hello! We're having a similar problem on Erlang 20 with Ubuntu 16.04, current OSX and current Alpine Linux.
hackney:request(get, <<"https://airbrake.io/">>, [], <<"">>, []).
% => {error, {tls_alert, "bad certificate"}}
The cert seems to be OK https://www.ssllabs.com/ssltest/analyze.html?d=airbrake.io Is there a known problem or fix here? We're not sure how to proceed. Thanks, |
@ipil as reported above the chain order is not OK, which is an issue with the Erlang implementation. However it would be better if airbrake could fix their certificate in the meantime, as fixing the order is somehow hackish. Using |
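An added example, not part of the thread or of hackney: a Python check for the chain-order condition described in the comment above. It reads the subject/issuer listing that `openssl s_client -showcerts` prints under "Certificate chain"; the sample listing and every name in it are constructed, and certificates are matched by name only, with no signature verification.

```python
import re

# Constructed sample in the layout `openssl s_client -showcerts` prints under
# "Certificate chain"; all names are made up. The root is sent before the
# intermediate, which is the out-of-order case discussed in this thread.
SAMPLE = """\
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Constructed Intermediate CA
 1 s:/CN=Constructed Root CA
   i:/CN=Constructed Root CA
 2 s:/CN=Constructed Intermediate CA
   i:/CN=Constructed Root CA
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:\s*(.+)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:\s*(.+)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def order_problems(chain):
    """Positions where a certificate is not followed by its issuer."""
    problems = []
    for pos, (subject, issuer) in enumerate(chain[:-1]):
        if subject == issuer:  # self-signed certificate before the end
            problems.append((pos, "self-signed certificate is not last"))
        elif chain[pos + 1][0] != issuer:
            problems.append((pos, "next certificate is not the issuer"))
    return problems

def reorder(chain):
    """Leaf-first ordering built by following issuer names from chain[0]."""
    if not chain:
        return []
    by_subject = {s: (s, i) for s, i in chain}
    ordered, current = [], chain[0]
    while current and current not in ordered:
        ordered.append(current)
        subject, issuer = current
        current = None if subject == issuer else by_subject.get(issuer)
    return ordered
```

An empty result from `order_problems` means each certificate is followed by its issuer; a non-empty one points at the position the server operator needs to fix in the served bundle.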
Sorry, as reported in #490. I'm closing this issue in favour of the last one since it's the same. |
Ah! I misread the report. Thank you for your help and your super speedy reply :) |
Hi there,
Using:
Results in an error:
While curl verification shows the cert is actually valid: