
Globally add certificate

Open mensinda opened this issue 4 months ago • 2 comments

Hi,

Is there a way for an end user to globally add a CA certificate (without editing the code of an application)?

I don't know Erlang / Elixir, but I have an app I want to get working. Basically I have a Docker image and have updated the system certs (/etc/ssl/certs/ca-certificates.crt) and also set the SSL_CERT_FILE env variable. However, this had no effect.

Looking at the error message, the HTTPoison module seems to be involved, which, if I understand this correctly, uses hackney for SSL stuff.

Looking at the README I have also tried manually patching the /opt/accent/lib/certifi-2.15.0/priv/cacerts.pem file, but this also had no effect. Do I understand certifi_pt correctly, that it injects the cacerts.pem into the module at compile time?

So, is there some way as an end user to globally add a CA cert without having to ask every single library and application to add support for manually specifying a custom CA cert bundle?

mensinda avatar Sep 01 '25 15:09 mensinda

So, after much trial and error I found a "solution":

  1. Fork certifi
  2. Create a new branch and add your root certs into a new certs directory
  3. Run the following script:

     #!/bin/bash
     set -euo pipefail

     # Run from the certifi checkout regardless of the caller's working directory
     cd "$(dirname "$0")"

     # Fetch the upstream bundle (-L follows redirects, -f fails on HTTP errors)
     curl -#fSLo tmp-cacerts.pem https://mkcert.org/generate/
     # Append the custom root certs to the upstream bundle
     cat tmp-cacerts.pem certs/*.crt > priv/cacerts.pem
     rm tmp-cacerts.pem

  4. Push the changes
  5. Add the following line to the deps in the mix.exs of the app you want to use:

     {:certifi, git: "<insert the https git URL of your fork here>", ref: "<your branch name>", override: true},

  6. Rebuild / package / docker build the app

However, I wouldn't really call this a solution. I tried to understand the Erlang / Elixir code to the best of my abilities and I didn't find a better solution.

If I understand it correctly, hackney uses the certs embedded at compile time from certifi here in the defaults with cacerts. This is why overriding / editing the installed cacerts.pem doesn't work, and the module must be recompiled.

Did I miss something here? Would it be possible to add support for the SSL_CERT_FILE environment variable, so that, when it is set / non-empty, the specified file is used instead of the bundled certifi certs?

mensinda avatar Sep 02 '25 08:09 mensinda

If you don't want to use the certifi set of certificates, why not simply pass your ssl options?

benoitc avatar Oct 27 '25 10:10 benoitc
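The following is an added illustration of the approach benoitc suggests, combined with the SSL_CERT_FILE behaviour mensinda asked for; it is not code from hackney, certifi or HTTPoison. It assumes HTTPoison and :certifi are dependencies of the app, that the module name MyApp.HTTP is made up for this example, and that hackney uses the supplied ssl options in place of its own defaults, which is why peer verification and the hostname check are set explicitly rather than relied upon.

```elixir
# Added example, not code from hackney, certifi or HTTPoison.
# Assumptions: HTTPoison and :certifi are deps of the app; the module
# name MyApp.HTTP is invented for this illustration.
defmodule MyApp.HTTP do
  @doc """
  Path to the CA bundle: SSL_CERT_FILE when it is set and non-empty,
  otherwise the cacerts.pem shipped in certifi's priv directory.
  Read at call time, so the bundle can be changed without recompiling.
  """
  def ca_file do
    case System.get_env("SSL_CERT_FILE") do
      path when is_binary(path) and path != "" -> String.to_charlist(path)
      _ -> :certifi.cacertfile()
    end
  end

  @doc """
  SSL options handed to hackney through HTTPoison's `ssl:` option.
  Options passed this way stand in for hackney's defaults, so peer
  verification and the HTTPS hostname check are spelled out here;
  leaving them out would silently disable certificate validation.
  """
  def ssl_opts do
    [
      cacertfile: ca_file(),
      verify: :verify_peer,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # All outbound requests go through here, so every call gets the same
  # CA bundle and verification settings.
  def get(url) do
    HTTPoison.get(url, [], ssl: ssl_opts())
  end
end

# Usage, with SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt set in the container:
# MyApp.HTTP.get("https://internal.example/health")
```

The trade-off against the fork-certifi route above is that this only covers requests the application itself routes through such a wrapper; third-party libraries that call hackney or HTTPoison directly keep using the compiled-in certifi bundle.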