TLS failure installing phoenix behind proxy

Hi,

I tried to install Elixir + Phoenix on my work laptop (MacBook Pro), which is connected to the internet through the company VPN.

Steps executed:

  1. brew update
  2. brew install elixir

The elixir version installed:

elixir -v
Erlang/OTP 25 [erts-13.1] [source] [64-bit] [smp:12:12] [ds:12:12:10] [async-threads:1] [jit:ns] [dtrace]

Elixir 1.14.0 (compiled with Erlang/OTP 25)

After that, I tried to install Phoenix:

  1. mix local.hex

And then, when I tried to install phx.new, I got the following error:

mix archive.install hex phx_new

10:06:07.413 [notice] TLS :client: In state :certify at ssl_handshake.erl:2098 generated CLIENT ALERT: Fatal - Unknown CA

Failed to fetch record for 'hexpm/phx_new' from registry (using cache instead)
{:failed_connect, [{:to_address, {'repo.hex.pm', 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, 'TLS client: In state certify at ssl_handshake.erl:2098 generated CLIENT ALERT: Fatal - Unknown CA\n'}}}]}
** (Mix) No package with name phx_new (from: mix.exs) in registry

I tried disconnecting from the VPN and the same error happened. Does anyone know how to fix this?

You can try to debug it with a command like this:
openssl s_client -state -connect repo.hex.pm:443

I can see this:

subject=CN = repo.hex.pm
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2022 Q3

The most likely explanation is that your employer is using some sort of intercepting proxy. In order to intercept TLS traffic it presents a substitute server certificate for the domain you’re trying to connect to, repo.hex.pm in this case, issued by a private CA that the laptop is configured to accept.

If the interception is enabled by setting HTTP_PROXY or HTTPS_PROXY in your shell (check by running set | grep PROXY) then you may be able to disable it for Hex by clearing these env vars.

If you feel the interception is legit, and you know where this trust store with this private CA certificate lives, you can tell Hex to use that trust store instead of its default.

If all else fails, and only if you use Hex only for fetching public packages (in other words, you don’t use any authenticated APIs) you can disable certificate verification by Hex altogether.

To learn how to change these settings, using environment variables or permanently using mix hex.config KEY VALUE, run mix help hex.config, and look for these:

  • unsafe_https - If set to true Hex will not verify HTTPS certificates.
    Can be overridden by setting the environment variable HEX_UNSAFE_HTTPS
    (Default: false)
[..]
  • cacerts_path - Path to the CA certificate store PEM file. If not set, a
    CA bundle that ships with Hex is used. Can be overridden by setting the
    environment variable HEX_CACERTS_PATH. (Default: nil)

Hi, I'm sorry for the late response.

Yes, basically it's this: I didn't know, but it seems like software installed on my laptop is in the middle of the TLS traffic; it's called Netskope.

I’m going to try all that you said and let you know. Thanks

Finally I opted to disable certificate verification by Hex with the following command:

mix hex.config unsafe_https true

This also works: export HEX_CACERTS_PATH=/Library/Application\ Support/Netskope/STAgent/data/nscacert.pem

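The reply above lists the remedies in order of risk (clear the proxy variables, point Hex at the proxy's own CA bundle, and only then set unsafe_https), and the final post shows the two settings actually used. The script below is an added example written for this page; it is not from the thread, from Hex, or from Netskope. It wraps the openssl s_client check from earlier in the thread in a function, classifies the issuer it returns (GlobalSign is treated as the genuine issuer for repo.hex.pm because that is what the thread shows; anything else is treated as interception), and picks the remedy in the order recommended above. The sample s_client output and the "Example Corporate Proxy Root CA" issuer are constructed for illustration, and the script assumes openssl is installed; the trust-store path is whatever your proxy vendor ships and is passed in by the caller.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): diagnose a Hex "Unknown CA" failure and
# pick the least-dangerous remedy. Assumes openssl is installed. The host name
# defaults to repo.hex.pm; the trust-store path is supplied by the caller.

# Live check (needs network): print the issuer of the leaf certificate that
# *this machine* receives for the host. A corporate proxy shows its own CA here.
probe_issuer() {
  host="${1:-repo.hex.pm}"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | sed -n 's/^issuer=//p' | head -n 1
}

# Offline classifier over s_client output. repo.hex.pm is served from a
# GlobalSign-issued certificate (as shown earlier in the thread); any other
# issuer means something between you and the server re-signed the connection.
classify_issuer() {
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1)
  case "$issuer" in
    *GlobalSign*) echo public ;;
    "")           echo unknown ;;
    *)            echo intercepted ;;
  esac
}

# Number of certificates in a PEM bundle (0 if the file is unreadable).
pem_cert_count() {
  [ -r "$1" ] || { echo 0; return 1; }
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Remedy, in the order the reply recommends: fix the proxy env vars first,
# then point Hex at the proxy's CA bundle, and only as a last resort
# disable verification.
recommend() {
  verdict="$1"; ca_path="$2"
  case "$verdict" in
    public)
      echo "no interception detected; check for HTTP_PROXY/HTTPS_PROXY in the environment" ;;
    intercepted)
      if [ -n "$ca_path" ] && [ "$(pem_cert_count "$ca_path")" -gt 0 ]; then
        echo "mix hex.config cacerts_path $ca_path"
      else
        echo "locate the proxy CA bundle before falling back to: mix hex.config unsafe_https true"
      fi ;;
    *)
      echo "could not read an issuer; rerun: openssl s_client -connect repo.hex.pm:443" ;;
  esac
}

# Constructed sample output (not captured from a real proxy): what s_client
# prints for the genuine chain, and what it prints when a proxy substitutes it.
SAMPLE_DIRECT='subject=CN = repo.hex.pm
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2022 Q3'
SAMPLE_PROXIED='subject=CN = repo.hex.pm
issuer=CN = Example Corporate Proxy Root CA'

# Against the live host (uncomment on a machine with network access):
# recommend "$(classify_issuer "issuer=$(probe_issuer repo.hex.pm)")" "${HEX_CACERTS_PATH:-}"
echo "direct : $(classify_issuer "$SAMPLE_DIRECT")"
echo "proxied: $(classify_issuer "$SAMPLE_PROXIED") -> $(recommend intercepted "${HEX_CACERTS_PATH:-}")"
```

If the classifier says "intercepted" and the vendor's bundle is present, the cacerts_path remedy keeps certificate verification on (Hex then trusts the proxy's CA for that one connection), whereas unsafe_https turns verification off for every Hex request, which is why the script only mentions it when no bundle can be found.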