What is the best way to connect to an api that has a bad certificate? I am new to Elixir and was trying for my first project to rewrite a tool I use to give a base config to firewalls. As these firewalls haven’t been configured yet all they have is a self signed certificate.
I tried the following:
{:ok, conn} = Mint.HTTP.connect(:https, "192.168.168.168", 4430, transport_opts: [verify: :verify_none])
But errors out with:
** (exit) exited in: :gen_statem.call(#PID<0.225.0>, {:start, 30000}, :infinity)
** (EXIT) an exception was raised:
** (CaseClauseError) no case clause matching: {:error, {:asn1, {
{:invalid_choice_tag, {22, "US"}},
[{:"OTP-PUB-KEY", :"dec_OTP-X520countryname", 2, [file: ~c"../src/OTP-PUB-KEY.erl", line: 17797]},
{:"OTP-PUB-KEY", :decode, 2, [file: ~c"../src/OTP-PUB-KEY.erl", line: 1233]},
{:pubkey_cert_records, :transform, 2, [file: ~c"pubkey_cert_records.erl", line: 65]},
{:lists, :map, 2, [file: ~c"lists.erl", line: 1559]},
{:pubkey_cert_records, :transform, 2, [file: ~c"pubkey_cert_records.erl", line: 92]},
{:pubkey_cert_records, :decode_tbs, 1, [file: ~c"pubkey_cert_records.erl", line: 330]},
{:pubkey_cert_records, :decode_cert, 1, [file: ~c"pubkey_cert_records.erl", line: 42]},
{:public_key, :pkix_decode_cert, 2, [file: ~c"public_key.erl", line: 522]}]}}}
(public_key 1.14.1) pubkey_cert_records.erl:65: :pubkey_cert_records.transform/2
(stdlib 5.1.1) lists.erl:1559: :lists.map/2
(public_key 1.14.1) pubkey_cert_records.erl:92: :pubkey_cert_records.transform/2
(public_key 1.14.1) pubkey_cert_records.erl:330: :pubkey_cert_records.decode_tbs/1
(public_key 1.14.1) pubkey_cert_records.erl:42: :pubkey_cert_records.decode_cert/1
(public_key 1.14.1) public_key.erl:522: :public_key.pkix_decode_cert/2
(public_key 1.14.1) public_key.erl:1105: :public_key.pkix_subject_id/1
(ssl 11.0.3) tls_handshake_1_3.erl:838: :tls_handshake_1_3.split_cert_entries/4
(stdlib 5.1.1) gen.erl:246: :gen.do_call/4
(stdlib 5.1.1) gen_statem.erl:905: :gen_statem.call/3
(ssl 11.0.3) ssl_gen_statem.erl:1323: :ssl_gen_statem.call/2
(ssl 11.0.3) ssl_gen_statem.erl:253: :ssl_gen_statem.handshake/2
(ssl 11.0.3) ssl_gen_statem.erl:222: :ssl_gen_statem.connect/8
(ssl 11.0.3) ssl.erl:631: :ssl.connect/4
(mint 1.5.1) lib/mint/core/transport/ssl.ex:342: Mint.Core.Transport.SSL.connect/4
iex:1: (file)
The certificate in question looks like
>openssl x509 -inform pem -noout -text -in .\192.168.168.168.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:53:ba:3b:ce:a9:9e:68:b0:83:09:64:73:30:4b:7f:4f:4e:b8:b2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Sunnyvale, O = HTTPS Management Certificate for SonicWALL (self-signed), OU = HTTPS Management Certificate for SonicWALL (self-signed), CN = 192.168.168.168
Validity
Not Before: Jan 1 00:00:01 1970 GMT
Not After : Jan 19 03:14:07 2038 GMT
Subject: C = US, ST = California, L = Sunnyvale, O = HTTPS Management Certificate for SonicWALL (self-signed), OU = HTTPS Management Certificate for SonicWALL (self-signed), CN = 192.168.168.168
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00...
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
3a...
Nothing in that jumps out as terribly wrong to me. I was under the impression that :verify_none should skip any certificate checks. I’m not sure what else to try. That same Mint command works with self-signed.badssl.com. Any help would be appreciated. Thank you.