CaliDog/certstream-server

Authenticity is not established by certificate path validation

Opened this issue · 5 comments

Hi

When using certstream-server I got these errors:

10:18:54.900 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

I installed erlang-dev instead of esl-erlang, because esl-erlang can't be installed on Debian. I don't know if this is a normal problem or if I missed something.

I'm having the same issues too with Ubuntu 22.04. But no issues on AlmaLinux 8.5

You can use this to make the warning go away. It's not the "proper" solution, but it will work:

diff --git a/lib/certstream/ct_watcher.ex b/lib/certstream/ct_watcher.ex
index 596f804..a57270b 100644
--- a/lib/certstream/ct_watcher.ex
+++ b/lib/certstream/ct_watcher.ex
@@ -9,7 +9,7 @@ defmodule Certstream.CTWatcher do
   use GenServer
   use Instruments
 
-  @default_http_options [timeout: 10_000, recv_timeout: 10_000, ssl: [{:versions, [:'tlsv1.2']}], follow_redirect: true]
+  @default_http_options [timeout: 10_000, recv_timeout: 10_000, ssl: [{:versions, [:'tlsv1.2']}, verify: :verify_none], follow_redirect: true]
 
   def child_spec(log) do
     %{
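Review bot: `verify: :verify_none` on the new `@default_http_options` line makes the warning disappear by disabling certificate path validation entirely, so the HTTPS requests to the CT logs are no longer authenticated and the watcher will accept whatever certificate the peer presents. The warning text already names what is missing: validation only happens with `verify: :verify_peer` together with a trust store (`cacertfile` or `cacerts`). Suggest keeping validation enabled and pointing the ssl options at the OS bundle instead, e.g. `ssl: [{:versions, [:'tlsv1.2']}, verify: :verify_peer, cacertfile: "/etc/ssl/certs/ca-certificates.crt"]` (the ca-certificates path on Debian/Ubuntu; other distributions put the bundle elsewhere, so ideally read it from config). If the `:verify_none` variant is kept as a local workaround, a comment on that line saying so would stop it being merged as the default.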

This likely has to do with your operating system certificate setup, I'd be interested if curl or wget work as expected on your systems.

They do, believe it or not. Unfortunately I patched and rebuilt with that hacky patch without even thinking to strace it to see what cert bundle it was trying to open :/

If I have some free time I will check.

Interesting! I know erlang/elixir has had quite a few weird bugs in its SSL stack :-/ I wonder if a different erlang/elixir version would sort it (not a great solution obv, but would help you narrow things down a bit)?