Function :public_key.cacerts_get/0 is undefined or private

I have a mix release application running in a container but it seems to have problems with cacerts. If I run:

docker exec -it 1773f1bd7685 bin/myapp eval ':public_key.cacerts_get()'

I get:

** (UndefinedFunctionError) function :public_key.cacerts_get/0 is undefined or private
    (public_key 1.12.0.2) :public_key.cacerts_get()
    (stdlib 3.17.2.4) erl_eval.erl:685: :erl_eval.do_apply/6
    (elixir 1.16.2) lib/code.ex:572: Code.validated_eval_string/3

What do I need to do in order to have the said function available?

Does it work on your local environment?

Yes, it does

What version of OTP and elixir are you using?

Hmm, if you mean whether I use the same locally and on prod then no… On prod I downgraded OTP to 24 due to the TLSv1.3 horror story I encountered and described in another thread. Elixir is the same (1.16.2) though, although I guess that doesn’t matter much in the case at hand

So are you using releases or you build releases on a different host?

I build releases using this “builder” image:

https://hub.docker.com/layers/hexpm/elixir/1.16.2-erlang-24.3.4.17-debian-bookworm-20240423-slim/images/sha256-8ebf7c8b043e1f34d95bf8fa03c82124dc61f8a18a34c88e4edbfed3b64a335a

OTP-24 doesn’t have the cacerts_get/0 in public_key: Erlang -- public_key

That explains. Is there some kind of equivalent in 24, maybe?

All the functionality related to CA checks and loading was introduced starting from OTP-25, you can always fetch them manually from the system.

I’m not 100% sure with what downgrading of OTP helps, but if there are specific algorithms that have holes in them, you can always disable them by configuration.

The downgrade was done this morning due to OTP bug introduced in 25 and passed over to 26, which caused critical functionality (email) to suddenly stop working after applying security updates to mail server (sic!)

I see - would you suggest any “proper” way of doing this?

I’m not sure what you are looking for, wouldn’t it be easier to upgrade to OTP-26.2.5+ where this issue was patched?

It would but there are no builder images for 26.2.5+ available yet. While I could build my own, setting this up is not a five minutes job. And also I’d rather prefer a “fail-safe” (like working with 24, 25, 26) solution in case I’d have to quickly downgrade again.

More specifically what I want to have is to get rid of the old

Reason: ~c"Option {verify, verify_peer} and cacertfile/cacerts is missing"

warning. While not a critical problem and I lived with it for some time I’d rather have it checked-off while I am still at it.
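A version-tolerant way to supply the trust store that the warning above asks for, as an added example that is not part of any post in this thread. The module name `CACertOpts` and the list of bundle paths are assumptions; the paths are constructed from common distribution defaults and only exist if the runtime image ships a CA bundle (on Debian, the `ca-certificates` package).

```elixir
defmodule CACertOpts do
  @moduledoc false

  # Constructed list of common CA bundle locations (assumption, adjust per image).
  @bundle_paths [
    "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",   # RHEL/Fedora
    "/etc/ssl/cert.pem"                   # Alpine
  ]

  # Options for :ssl.connect/3 or any client that accepts :ssl options.
  # `extra` lets the caller add or override settings.
  def ssl_opts(extra \\ []) do
    Keyword.merge([verify: :verify_peer] ++ trust_store(), extra)
  end

  # OTP 25+: use the OS trust store loaded by :public_key.
  # OTP 24:  fall back to a PEM bundle on disk via :cacertfile.
  def trust_store do
    case os_cacerts() do
      {:ok, certs} -> [cacerts: certs]
      :unavailable -> [cacertfile: bundle_file!()]
    end
  end

  defp os_cacerts do
    if Code.ensure_loaded?(:public_key) and
         function_exported?(:public_key, :cacerts_get, 0) do
      try do
        # Called through apply/3 so the module has no direct reference to a
        # function that does not exist on OTP 24.
        {:ok, apply(:public_key, :cacerts_get, [])}
      rescue
        # cacerts_get/0 raises when the OS store cannot be loaded.
        ErlangError -> :unavailable
      end
    else
      :unavailable
    end
  end

  # Fail loudly instead of silently connecting without a trust store.
  defp bundle_file! do
    Enum.find(@bundle_paths, &File.regular?/1) ||
      raise "no CA bundle found; install ca-certificates in the runtime image"
  end
end
```

Pass `CACertOpts.ssl_opts()` wherever the application currently sets `verify: :verify_peer` without `cacerts` or `cacertfile`.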

While I understand this, I am also not very positive that you change versions every day. I just now noticed that docker builds from hex do not come with specific OTP versions, which is not the greatest thing now that I think about it.

Personally I would take a look at the scripts for building these images and customize one of them for specific elixir and OTP version. I would even be inclined to help you make this into an official feature, as I use docker for almost all of my deploys.

I get your concerns but they do seem a bit paranoid. An OTP 26.2.5 image will be up soon enough (if it isn’t already) and that’s the end of the conundrum.

Or indeed make your own Erlang + Elixir Dockerfile as @D4no0 said. Should be maximum 1h of work and you can make the versions configurable.

New OTP versions come with a lot of nice things, JIT and further optimizations included, so staying on old versions should be reserved only in very constrained conditions with very specific requirements IMO.

Those are not the docker builds. However there were some issues resolved today: Missing latest images on docker hubs · Issue #187 · hexpm/bob · GitHub

Are you sure? I never used images from hexpm, however from what I understood there are docker images hosted by hexpm and the ones on docker hub.

I don’t. This time I had to though.

They do. You have to look here:

https://hub.docker.com/r/hexpm/elixir/tags

And that’s the easiest way and smallest image sizes. I did custom images before but those are leaner and faster to build “runner” images.

Probably yes so that’s an option to wait (probably only) a little longer, but…

I do agree. That’s why I had everything running on 26 already for some time. But I got bitten by this very nastily so even if 26.2.5 pops up soon (which I think it will) I shall still be having a very close eye on how it behaves and whether the fix really fixed things and not introduced other problems, etc.

But right, maybe I am a bit too impatient and just wanted to fix all things around this area right away so that I don’t have to return to it later

Hex bob does create and host precompiled erlang and elixir packages to download (e.g. used by asdf) for local installations. That’s the list you looked at. It also builds docker images to much greater granularity, which are hosted on docker hub.

Great to know, thanks! I always thought that hexpm has a custom registry where it hosts docker images. If both are hosted on dockerhub then what is the value of having 2 separate repositories?