Downloading from hex.pm fails when behind a proxy which intercepts SSL and needs a custom CA cert
Version info
-----------------
rebar 3.18.0 on Erlang/OTP 24 Erts 12.2
Operating System: x86_64-pc-linux-gnu
ERTS: Erlang/OTP 24 [erts-12.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit]
Root Directory: /opt/erlang/24.2
Library directory: /opt/erlang/24.2/lib
-----------------
Current behaviour
When running rebar3 for the first time after putting {plugins, [rebar3_hex]}. into ~/.config/rebar3/rebar.config and being behind a proxy which intercepts SSL, you will get an Unknown CA error:
===> Fetching rebar3_hex v7.0.1
=NOTICE REPORT==== 11-Feb-2022::08:34:16.395098 ===
TLS client: In state certify at ssl_handshake.erl:2015 generated CLIENT ALERT: Fatal - Unknown CA
In my case I was running rebar3 hex build, but I think I was able to repro it with just running rebar3 without arguments.
Expected behaviour
Some means to configure a CA bundle to be added in addition to the defaults. For example this hexpm PR introduced HEX_CACERTS_PATH and this solved the exact same problem on the same machine a few weeks ago.
Ticket was created after I was told to open an issue on #erlang.
After reading the source I think rebar_utils.erl:1045 actually solves this problem, at least adding this to my ~/.config/rebar3/rebar.config seems to have helped:
{ssl_cacerts_path, ["/usr/local/share/ca-certificates/Foo-CA.crt"]}.
So I guess this is simply a documentation "bug" (or my bad) because I did not find anything on the website regarding certificates.
$ DEBUG=1 rebar3 version
===> Load global config file /home/florian/.config/rebar3/rebar.config
===> 24.2 satisfies the requirement for minimum OTP version 18
===> Evaluating config script "/home/florian/.cache/rebar3/plugins/hex_core/rebar.config.script"
===> 24.2 satisfies the requirement for minimum OTP version 19.3
===> Compile (apps)
===> Fetching rebar3_hex v7.0.1
===> Making request to get package rebar3_hex from repo hexpm (#{api_url => <<"https://hex.pm/api">>,name => <<"hexpm">>,
repo_name => <<"hexpm">>,repo_organization => undefined,
repo_url => <<"https://repo.hex.pm">>,repo_verify => true,
repo_verify_origin => true})
===> Downloaded package rebar3_hex, caching at /home/florian/.cache/rebar3/hex/hexpm/packages/rebar3_hex-7.0.1.tar
Yep. That is correct. We'll probably need to open a PR on the doc site and fix this. Tagging this issue as a documentation issue.
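Anything listed under ssl_cacerts_path becomes a trust anchor for package downloads, so it is worth confirming that the file really holds unexpired CA certificates before adding it. The script below is an added example, not code from rebar3 or from this issue: the function names check_ca_file and rebar_cacerts_term and their return codes are made up for illustration, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not rebar3 code): vet PEM files before trusting them via ssl_cacerts_path.

# check_ca_file FILE
# Returns 0 when every certificate in FILE parses, is marked CA:TRUE and has not expired.
# Returns 2 unreadable, 3 no parsable certificate, 4 not a CA certificate, 5 expired.
check_ca_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file") || true
    [ "$count" -gt 0 ] || { echo "no PEM certificate in $file" >&2; return 3; }
    tmp=$(mktemp) || return 1
    n=1
    ca_rc=0
    while [ "$n" -le "$count" ] && [ "$ca_rc" -eq 0 ]; do
        # openssl x509 reads one certificate at a time, so split the bundle.
        awk -v want="$n" '/-----BEGIN CERTIFICATE-----/ { i++ } i == want' "$file" > "$tmp"
        if ! text=$(openssl x509 -in "$tmp" -noout -text 2>/dev/null); then
            ca_rc=3
        else
            case $text in
                *CA:TRUE*) openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null 2>&1 || ca_rc=5 ;;
                *) ca_rc=4 ;;
            esac
        fi
        n=$((n + 1))
    done
    rm -f "$tmp"
    [ "$ca_rc" -eq 0 ] || echo "certificate $((n - 1)) in $file rejected (code $ca_rc)" >&2
    return "$ca_rc"
}

# rebar_cacerts_term FILE...
# Prints the rebar.config term for the given files, but only if each one passes the check.
rebar_cacerts_term() {
    list=
    for f in "$@"; do
        # Keep the generated Erlang string literal simple: refuse quotes and backslashes.
        case $f in *\"*|*\\*) echo "unsupported character in path: $f" >&2; return 6 ;; esac
        check_ca_file "$f" || return $?
        list="${list:+$list, }\"$f\""
    done
    printf '{ssl_cacerts_path, [%s]}.\n' "$list"
}
```

Source the file and run rebar_cacerts_term with the CA file path; the printed term goes into ~/.config/rebar3/rebar.config. The check only looks at the certificate's own fields, it does not tell you whether the CA is one you should trust.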