Mutual TLS authentication

Anyone here have experience with getting mutual TLS authentication working with an Elixir HTTP client? I have a CA file, certificate, and private key that work in a few other contexts with the request I am trying to make:

  • In Postman, using the built-in “Certificates” feature
  • With curl, using --capath, --cert, and --key
  • In Node.js, using the request-promise library

In terms of Elixir, I’ve tried with HTTPoison and Mint, setting the :ssl and :transport_opts options, respectively, to:

[
  certfile: @certfile,
  keyfile: @keyfile,
  cacertfile: @cacertfile
]

Mint times out on connect/4 and HTTPoison sends the request, which the server rejects. The relevant information I can extract from the 400 response that HTTPoison gets me is “400 The SSL certificate error”—not very helpful. I’ve reached out to the support team for the API I am working with, but I was hoping you folks might have some insight in the interim.

Thanks in advance!

Maybe you can give a try with :httpc, after setting the verbose option of set_options/1 to one of verbose, debug or trace. You should get detailed log messages.

You can look in APIacAuthMTLS tests how to use it.

Meanwhile, are you using the public X509 infrastructure at both ends, or privately generated certs? In the latter case, are you sure they’ve added your cert (or cert root) to their CA file?

Thanks for the tip, @tangui—I’ll have a go with verbose :httpc and report back.

The cert I’m testing with is a Let’s Encrypt certificate generated with certbot, so I think I’m okay as far as having a known CA, especially given the fact that the request works using other HTTP tools, e.g. curl.

I’ve gotten it to work with HTTPoison, something like this:

2 Likes
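
An added example, not code from any poster in this thread: a small probe that builds the client options discussed above, runs a bare TLS handshake with OTP's :ssl, and then repeats the request through :httpc with verbose logging. The module name MTLSProbe, the host and the PEM paths are hypothetical; verify, server_name_indication and customize_hostname_check are standard :ssl options that the thread does not mention.

```elixir
# Added example: MTLSProbe, the host name and the PEM paths are hypothetical.
defmodule MTLSProbe do
  # Build the client-side :ssl options; paths and host are passed as charlists.
  def ssl_opts(host, certfile, keyfile, cacertfile) do
    Enum.each([certfile, keyfile, cacertfile], fn path ->
      File.regular?(path) || raise(ArgumentError, "not a regular PEM file: #{path}")
    end)

    [
      certfile: to_charlist(certfile),
      keyfile: to_charlist(keyfile),
      cacertfile: to_charlist(cacertfile),
      verify: :verify_peer,
      server_name_indication: to_charlist(host),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Bare TLS handshake with no HTTP on top, to separate TLS failures from request failures.
  def handshake(host, port, opts, timeout \\ 5_000) do
    {:ok, _} = Application.ensure_all_started(:ssl)

    case :ssl.connect(to_charlist(host), port, opts, timeout) do
      {:ok, socket} ->
        {:ok, info} = :ssl.connection_information(socket, [:protocol, :selected_cipher_suite])
        :ssl.close(socket)
        {:ok, info}

      {:error, reason} ->
        {:error, reason}
    end
  end

  # Same options through :httpc, with the verbose logging suggested in the thread.
  def get(url, opts) do
    {:ok, _} = Application.ensure_all_started(:inets)
    :httpc.set_options(verbose: :debug)
    :httpc.request(:get, {to_charlist(url), []}, [ssl: opts, timeout: 10_000], [])
  end
end

# opts = MTLSProbe.ssl_opts("api.example.com", "client.pem", "client.key", "ca.pem")
# MTLSProbe.handshake("api.example.com", 443, opts)
# MTLSProbe.get("https://api.example.com/", opts)
# The same list is what HTTPoison takes as `ssl: opts` and Mint as `transport_opts: opts`.
```

If handshake/4 returns {:ok, info} while the HTTP request still gets the 400, the TLS connection itself was established and the server is rejecting the client certificate after the handshake.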