Mutual TLS authentication

Anyone here have experience with getting mutual TLS authentication working with an Elixir HTTP client?I have a CA file, certificate, and private key that work in a few other contexts with the request am trying to make:

  • In Postman, using the built-in “Certificates” feature
  • With curl, using --capath, --cert, and --key
  • In Node.js, using the request-promise library

In terms of Elixir, I’ve tried with HTTPoison and Mint, setting the :ssl and :transport_opts options, respectively, to:

  certfile: @certfile,
  keyfile: @keyfile,
  cacertfile: @cacertfile

Mint times out on connect/4 and HTTPoison sends the request, which the server rejects.The relevant information I can extract from the 400 response that HTTPoison gets me is “400 The SSL certificate error”—not very helpful. I’ve reached out to the support team for the API I am working with, but I was hoping you folks might have some insight in the interim.

Thanks in advance!

Maybe you can give a try with :httpc, after setting the verbose option of set_options/1 to one of verbose, debug or trace. You should get detailed log messages.

You can look in APIacAuthMTLS tests how to use it.

Meanwhile, are you using the public X509 infrastructure at both ends, or privately generated certs? In the latter case, are you sure they’ve added your cert (or cert root) to their CA file?

Thanks for the tip, @tangui—I’ll have a go with verbose :httpc and report back.

The cert I’m testing with is a Let’s Encrypt certificate generated with certbot, so I think I’m okay as far as having a known CA, especially given the fact that the request works using other HTTP tools, e.g. curl.

I’ve gotten it to work with HTTPoison, something like this: