I recently tried upgrading from OTP 27.0 to 27.0.1 (with Elixir 1.17.2). Unfortunately our production environment is still OEL7, which I realise is now EOL (although we still have enterprise support until the end of the year, by which time we should have migrated).
When I try to build a release of my application using Docker from either a CentOS 7 or OEL7 image, the `mix local.hex` step fails with what looks like an SSL/TLS issue:
> [25/37] RUN mix local.hex --force:
#0 18.28 ** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:tls, [server_name_indication: ~c"builds.hex.pm", cacerts: [{:cert, <<48, 130, 5, 86, 48, 130, 3, 62, 160, 3, 2, 1, 2, 2, 20, 67, 227, 113, 19, 216, 179, 89, 20, 93, 183, 206, 140, 253, 53, 253, 111, 188, 5, 141, 69, 48, 13, 6, 9, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 387574501246983434957692974888460947164905180485, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 11}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, {2, 5, 4, 6}, ~c"CN"}], [{:AttributeTypeAndValue, {2, 5, 4, 10}, {:printableString, ~c"iTrusChina Co.,Ltd."}}], [{:AttributeTypeAndValue, {2, 5, 4, 3}, {:printableString, ~c"vTrus Root CA"}}]]}, {:Validity, {:utcTime, ~c"180731072405Z"}, {:utcTime, ~c"430731072405Z"}}, {:rdnSequence, [[{:AttributeTypeAndValue, {2, 5, 4, 6}, ~c"CN"}], [{:AttributeTypeAndValue, {2, 5, 4, 10}, {:printableString, ~c"iTrusChina Co.,Ltd."}}], [{:AttributeTypeAndValue, {2, 5, 4, 3}, {:printableString, ~c"vTrus Root CA"}}]]}, {:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, {1, 2, 840, 113549, 1, 1, 1}, :NULL}, --- [Lots of key info removed for space] --- , :asn1_NOVALUE, :asn1_NOVALUE, [{:Extension, ...}, {...}, ...]}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 5}, :NULL}, <<190, 228, 92, 98, 78, 36, 244, 12, 8, 255, 240, ...>>}}, {:cert, <<48, 130, 3, 123, 48, 130, 2, 99, 160, 3, 2, 1, 2, 2, 1, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, ...}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, {2, ...}, ~c"TW"}], [{:AttributeTypeAndValue, {...}, ...}], [{:AttributeTypeAndValue, ...}], [{...}]]}, {:Validity, {:utcTime, ~c"080828072433Z"}, {:utcTime, ~c"301231155959Z"}}, {:rdnSequence, [[{:AttributeTypeAndValue, ...}], [{...}], [...], ...]}, {:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, {...}, ...}, {:RSAPublicKey, ...}}, :asn1_NOVALUE, :asn1_NOVALUE, [{...}, ...]}, {:SignatureAlgorithm, {1, 2, 
840, 113549, 1, 1, 5}, :NULL}, <<60, 213, 119, 61, 218, 223, 137, 186, 135, 12, ...>>}}, {:cert, <<48, 130, 5, 65, 48, 130, 3, 41, 160, 3, 2, 1, 2, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 3262, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, ...}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, {...}, ...}], [{:AttributeTypeAndValue, ...}], [{...}], [...]]}, {:Validity, {:utcTime, ~c"120627062833Z"}, {:utcTime, ~c"301231155959Z"}}, {:rdnSequence, [[{...}], [...], ...]}, {:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, ...}, {...}}, :asn1_NOVALUE, :asn1_NOVALUE, [...]}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 11}, :NULL}, <<95, 52, 129, 118, 239, 150, 29, 213, 229, ...>>}}, {:cert, <<48, 130, 4, 99, 48, 130, 3, 75, 160, 3, 2, 1, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, 840, 113549, ...}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, ...}], [{...}], [...], ...]}, {:Validity, {:utcTime, ~c"131125082555Z"}, {:utcTime, ...}}, {:rdnSequence, [[...], ...]}, {:OTPSubjectPublicKeyInfo, {...}, ...}, :asn1_NOVALUE, :asn1_NOVALUE, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 11}, :NULL}, <<42, 63, 225, 241, 50, 142, 174, 225, ...>>}}, {:cert, <<48, 130, 3, 195, 48, 130, 2, 171, 160, 3, 2, 1, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, 840, ...}, :NULL}, {:rdnSequence, [[{...}], [...], ...]}, {:Validity, {:utcTime, ...}, {...}}, {:rdnSequence, [...]}, {:OTPSubjectPublicKeyInfo, ...}, :asn1_NOVALUE, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, ...}, :NULL}, <<86, 61, 239, 148, 213, 189, 218, ...>>}}, {:cert, <<48, 130, 3, 195, 48, 130, 2, 171, 160, 3, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, ...}, :NULL}, {:rdnSequence, [[...], ...]}, {:Validity, {...}, ...}, {:rdnSequence, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, ...}, :NULL}, <<49, 3, 162, 97, 11, 31, ...>>}}, {:cert, <<48, 130, 5, 
189, 48, 130, 3, 165, 160, 3, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 5700383053117599563, {:SignatureAlgorithm, {1, ...}, :NULL}, {:rdnSequence, [...]}, {:Validity, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, ...}, :NULL}, <<115, 198, 129, 224, 39, ...>>}}, {:cert, <<48, 130, 5, 186, 48, 130, 3, 162, 160, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 13492815561806991280, {:SignatureAlgorithm, {...}, ...}, {:rdnSequence, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, 840, ...}, :NULL}, <<39, 186, 227, 148, ...>>}}, {:cert, <<48, 130, 3, 239, 48, 130, 2, 215, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 0, {:SignatureAlgorithm, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, ...}, :NULL}, <<75, 54, 166, ...>>}}, {:cert, <<48, 130, 3, 221, 48, 130, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 0, {...}, ...}, {:SignatureAlgorithm, {1, ...}, :NULL}, <<17, 89, ...>>}}, {:cert, <<48, 130, 4, 15, 48, 130, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 0, ...}, {:SignatureAlgorithm, {...}, ...}, <<5, ...>>}}, {:cert, <<48, 130, 3, 90, 48, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, ...}, {:SignatureAlgorithm, ...}, <<...>>}}, {:cert, <<48, 130, 5, 127, ...>>, {:OTPCertificate, {:OTPTBSCertificate, ...}, {...}, ...}}, {:cert, <<48, 130, 3, ...>>, {:OTPCertificate, {...}, ...}}, {:cert, <<48, 130, ...>>, {:OTPCertificate, ...}}, {:cert, <<48, ...>>, {...}}, {:cert, <<...>>, ...}, {:cert, ...}, {...}, ...], verify: :verify_peer, customize_hostname_check: [match_fun: #Function<6.75820660/2 in :public_key.pkix_verify_hostname_match_fun/1>]], {:tls_alert, {:unexpected_message, ~c"TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:768 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,\n {internal,\n {server_hello,\n {3,3},\n <<128,78,7,175,140,144,165,212,179,7,105,137,...>>,\n <<11,131,58,129,245,122,149,191,175,234,207,...>>,\n <<19,1>>,\n \#{server_hello_selected_version =>\n 
{server_hello_selected_version,{3,4}},\n pre_shared_key => undefined,\n key_share =>\n {key_share_server_hello,\n {key_share_entry,secp384r1,<<4,208,217,...>>}}}}}}"}}}]}
#0 18.28
#0 18.28 Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.
#0 18.28
#0 18.28 Alternatively, you can compile and install Hex directly with this command:
#0 18.28
#0 18.28 $ mix archive.install github hexpm/hex branch latest
The error buried at the end of that very long line comes right after the `:public_key.pkix_verify_hostname_match_fun/1` entry in the TLS options, and includes:
TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:768 generated CLIENT ALERT: Fatal - Unexpected Message
{unexpected_msg,
{internal,
{server_hello,
{3,3},
<<128,78,7,175,140,144,165,212,179,7,105,137,...>>,
<<11,131,58,129,245,122,149,191,175,234,207,...>>,
<<19,1>>,
#{server_hello_selected_version =>
{server_hello_selected_version,{3,4}},
pre_shared_key => undefined,
key_share =>
{key_share_server_hello,
{key_share_entry,secp384r1,<<4,208,217,...>>}}}}}}
I’m not sure this is really an Erlang issue (or a Mix issue), because presumably this OS is no longer supported, but is anyone aware of a workaround? For now I’ve just reverted to OTP 27.0, which works fine.