Certificate problems with HTTPoison

I am trying to fetch some images from some websites for a small hobby project. It works mostly, but for some I get this weird error:

iex(1)> HTTPoison.get!("https://www.spiele-offensive.de/gfx/1019142.gif")
[info] TLS :client: In state :certify at ssl_handshake.erl:1764 generated CLIENT ALERT: Fatal - Certificate Expired

** (HTTPoison.Error) {:tls_alert, {:certificate_expired, 'TLS client: In state certify at ssl_handshake.erl:1764 generated CLIENT ALERT: Fatal - Certificate Expired\n'}}
    (httpoison 1.7.0) lib/httpoison.ex:128: HTTPoison.request!/5

If I open the page in Firefox, the certificate looks valid and has an expiry date way in the future. This is only a problem on some https pages; most I tried work.

Can someone help me debug this?

Thanks!

Looks like server cert chain contains expired AddTrust cert:

$ openssl s_client -servername www.spiele-offensive.de -connect www.spiele-offensive.de:443
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL, CN = www.spiele-offensive.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---

See this issue for more details: https://github.com/benoitc/hackney/issues/633

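To read the chain output in the reply above mechanically, this added example (not code from the thread, hackney or certifi) parses the `Certificate chain` block and reports the issuer the server did not send, which is the root the client must find in its own trust store. The function names are hypothetical; the embedded text is the output quoted in the reply.

```python
import re

# Chain block copied from the openssl s_client output quoted in the thread.
S_CLIENT_OUTPUT = """\
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL, CN = www.spiele-offensive.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, lines = [], iter(text.splitlines())
    for line in lines:
        subj = re.match(r"\s*(\d+) s:(.*)$", line)
        if not subj:
            continue
        # The issuer line directly follows the subject line.
        iss = re.match(r"\s*i:(.*)$", next(lines, ""))
        if not iss:
            raise ValueError(f"no issuer line after cert {subj.group(1)}")
        chain.append((int(subj.group(1)), subj.group(2).strip(), iss.group(1).strip()))
    return chain

def common_name(dn):
    """Extract the CN value from a one-line distinguished name."""
    m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn

def analyse(chain):
    """Verify each cert names the next one as issuer; report the unsent anchor."""
    if not chain:
        raise ValueError("empty chain")
    # Depths whose issuer does not match the subject of the next cert sent.
    broken = [d for (d, _, iss), (_, nxt, _) in zip(chain, chain[1:]) if iss != nxt]
    _, top_subject, top_issuer = chain[-1]
    return {"depth": len(chain), "broken_links": broken,
            "top_is_self_signed": top_subject == top_issuer,
            "required_anchor": common_name(top_issuer)}

if __name__ == "__main__":
    print(analyse(parse_chain(S_CLIENT_OUTPUT)))
```

For this server the last certificate sent is not self-signed, and the anchor it depends on is AddTrust External CA Root, the certificate the reply identifies as expired.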

Thanks for this hint. I dug a bit more, and after the next release of certifi this will be fixed: https://github.com/certifi/erlang-certifi/pull/40