The server is saying it can’t accept your client certificate because it cannot build a trust chain to a trusted root CA. I’m guessing the p12 file contains not just an end certificate, but also one or more intermediate CAs. The server is expecting you to send the full chain, but in your current configuration only the end certificate is sent.
The challenge here is that Erlang’s :ssl application uses the cacerts / cacertfile option both as the local trust store (the root CA certificates it checks the server certificate against) and as a pool of intermediate CAs that may be sent with the client certificate. What’s more, HTTPoison (or rather Hackney) will set cacerts to its CA trust store, but only if you didn’t specify any ssl options of your own. Since you want to set a client certificate, you need to pass in a bunch of extra options to enable server certificate verification, or you’ll be susceptible to MitM attacks. See [here]https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl and here for details.
The simplest way to get this working is to find out what is the root CA you need to talk to Apple, and put it in a file together with any intermediate CAs from the p12 file. Then add verify: :verify_peer, cacertfile: <path-to-your-new-file>, ... to the ssl options.
If you don’t want to pin the connection to one root CA, you could load the intermediate certificates into memory in DER format, and then pass verify: :verify_peer, cacertfile: [int_ca1_der, int_ca2_der | :certifi.cacert().
