CA Certificates & OTP 26
maennchen opened this issue · 3 comments
maennchen commented
Description
Starting from OTP 26, a safe default is assumed for most TLS connections.
Most places (like httpc) call public_key:cacerts_get() internally. This will produce a crash:
** exception error: no match of right hand side value {error,enoent}
in function pubkey_os_cacerts:get/0 (pubkey_os_cacerts.erl, line 38)
(Better error message incoming with erlang/otp#7302)
That crash is on purpose and OTP just expects there to be certificates. (See docs: https://www.erlang.org/doc/man/public_key.html#cacerts_get-0)
I therefore think that we should consider a CA cert bundle to be a required dependency of OTP and install it in every image (apt-get install -y ca-certificates in Debian images).
Reproduction
$ docker run -ti hexpm/erlang:26.0-debian-bullseye-20230227-slim erl -eval 'public_key:cacerts_get().'
Erlang/OTP 26 [erts-14.0] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]
Error! Failed to eval: public_key:cacerts_get().
Runtime terminating during boot ({{badmatch,{error,enoent}},[{pubkey_os_cacerts,get,0,[{_},{_}]},{erl_eval,do_apply,7,[{_},{_}]},{init,start_it,1,[]},{init,start_em,1,[]},{init,do_boot,3,[]}]})
Crash dump is being written to: erl_crash.dump...done
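The failure above only shows up when the first TLS connection is attempted, deep inside httpc. A preflight check at application start turns it into an explicit error that names the missing package. The module below is an added example, not code from the hexpm/docker-images project or from OTP; it uses public_key:cacerts_load/0, which returns ok or {error, Reason} instead of raising, and shows an httpc call that spells out the verify_peer options OTP 26 now applies by default. The module name ca_check and the function names are assumptions.

```erlang
%% ca_check.erl: added example (not from the hexpm/docker-images project).
%% Verifies at startup that an OS CA bundle is loadable, so a missing
%% ca-certificates package surfaces as a clear error instead of a badmatch
%% crash inside httpc/ssl on the first TLS connection.
-module(ca_check).
-export([ensure_cacerts/0, https_get/1]).

%% Returns ok when OTP can load CA certificates from the OS store and
%% {error, Reason} otherwise. Unlike public_key:cacerts_get/0, the
%% cacerts_load/0 call does not raise, which makes it suitable for a
%% preflight check.
ensure_cacerts() ->
    case public_key:cacerts_load() of
        ok ->
            N = length(public_key:cacerts_get()),
            io:format("loaded ~p CA certificates from the OS store~n", [N]),
            ok;
        {error, Reason} ->
            io:format("no CA certificates available (~p); install the "
                      "ca-certificates package (apt-get install -y "
                      "ca-certificates on Debian images)~n", [Reason]),
            {error, Reason}
    end.

%% Performs an HTTPS GET with explicit verification options. On OTP 26
%% httpc already defaults to verify_peer with the OS CA store; passing the
%% options explicitly gives the same behaviour on OTP 25 and keeps the
%% intent visible. A missing bundle is fixed by installing it, not by
%% switching to verify_none.
https_get(Url) ->
    ok = ensure_cacerts(),
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    SslOpts = [{verify, verify_peer},
               {cacerts, public_key:cacerts_get()},
               {customize_hostname_check,
                [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
    httpc:request(get, {Url, []}, [{ssl, SslOpts}], []).
```

In an image built without the ca-certificates package, `ca_check:ensure_cacerts()` returns `{error, enoent}` and prints the install hint; once the package is present it reports the number of loaded certificates and `https_get/1` verifies the peer against that bundle.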
ericmj commented
Yes 👍
Can you send a PR?