TLS :server: In state :certify received CLIENT ALERT: Fatal - Certificate Unknown

fireproofsocks · November 8, 2022, 10:39pm

I’m trying to set up a self-signed certificate for a Phoenix app, but I’m getting log messages about “TLS :server: In state :certify received CLIENT ALERT: Fatal - Certificate Unknown”. I know others have posted about this, but I couldn’t seem to make things work following those posts.

I added a custom domain in /etc/hosts,

127.0.0.1       my-app.local

and then I created the self-signed certs: mix phx.gen.cert my-app my-app.local

Then I arranged my runtime.exs config to something like this:

config :my_app, MyAppWeb.Endpoint,
  url: [host: env!("PHX_HOST", :string)],
  https:[
      port: env!("PHX_PORT", :integer),
      cipher_suite: :strong,
      otp_app: :my_app,
      keyfile: env!("PHX_SSL_KEY_PATH", :string),
      certfile: env!("PHX_SSL_CERT_PATH", :string)
  ],
  force_ssl: [rewrite_on: [:x_forwarded_proto], host: nil],
  secret_key_base: env!("PHX_SECRET_KEY_BASE", :string)

I’m using dotenvy for the config values, but the above should be readable… host name is my-app.local, port is 4000, etc… but when I run mix phx.server, I get the dreaded CLIENT ALERT error:

17:26:05.108 module=ssl_alert function=decode/3 [notice] TLS :server: In state :certify received CLIENT ALERT: Fatal - Certificate Unknown

I tried following a similar post TLS error in dev (with self-signed certificates) and its link to APIacAuthMTLS — apiac_auth_mtls v1.0.0 but I wasn’t clear on how to integrate that with the :https config… I tried adding keys for :verify and :verify_fun to my https options (along with the function definitions):

verify: :verify_peer,
verify_fun: {&MyApp.verify_fun_selfsigned_cert/3, []}

but that didn’t seem to have any affect.

The other thing that might be relevant here is that when I serve the site locally over SSL, the first request is very slow – it takes maybe 15 or 20 seconds to get a response (with the TLS info). After that first request, things seem to work normally.

Might this be something to do with the version of Erlang?

Erlang/OTP 24 [erts-12.1.5] [source] [64-bit] [smp:10:10] [ds:10:10:10] [async-threads:1]
Elixir 1.13.4 (compiled with Erlang/OTP 24)

Any ideas appreciated!

voltone · November 9, 2022, 10:17am

This error indicates a client tried to connect but refused to complete the TLS handshake because it didn’t trust the server’s certificate. This is expected: when using a self-signed certificate you should disable certificate validity checks in the client. Your server configuration is fine, it is working as expected, and no amount of parameter tuning is going to make a difference.

What to do on the client side depends on the client you are using. With curl you can pass the -k parameter, for instance, so curl -k https://my-app.local/ should succeed.

fireproofsocks · November 9, 2022, 12:45pm

Yep, you are right: this succeeds. I enabled chrome://flags/#allow-insecure-localhost on Chrome, but it that doesn’t seem to have an effect. I am assuming the slow response time I’m seeing in Chrome is because the handshake is taking a while to fail. Are there other settings that can be adjusted in the browser?

voltone · November 9, 2022, 1:00pm

This setting only applies when using “localhost” as the hostname. As I understand it, you are using a custom hostname instead.

Different browsers have different ways for allowing users to proceed when connecting to a site with an untrusted or invalid certificate. Some may not allow it altogether. I would recommend you try with different browsers until you find one that works for you.

blackham · June 9, 2023, 2:36pm

And if you don’t have access to all the clients;
and use Javascript’s copy and paste feature which requires an https connection
and just want this error to go away…

Drop this in to your config file (/config/dev.exs or whatever you like)

Logger.put_module_level(:ssl_alert, :error)