kerryb
Unable to install mix in OTP 27.0.1 on Centos/RHEL/OEL7 (ssl issue?)
I recently tried upgrading from OTP 27.0 to 27.0.1 (with Elixir 1.17.2). Unfortunately our production environment is still OEL7, which I realise is now EOL (although we still have enterprise support until the end of the year, by which time we should have migrated).
When I try to build a release of my application using docker from either a CentOS7 or OEL7 image, the mix installation fails with what looks like an ssl issue:
> [25/37] RUN mix local.hex --force:
#0 18.28 ** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:tls, [server_name_indication: ~c"builds.hex.pm", cacerts: [{:cert, <<48, 130, 5, 86, 48, 130, 3, 62, 160, 3, 2, 1, 2, 2, 20, 67, 227, 113, 19, 216, 179, 89, 20, 93, 183, 206, 140, 253, 53, 253, 111, 188, 5, 141, 69, 48, 13, 6, 9, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 387574501246983434957692974888460947164905180485, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 11}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, {2, 5, 4, 6}, ~c"CN"}], [{:AttributeTypeAndValue, {2, 5, 4, 10}, {:printableString, ~c"iTrusChina Co.,Ltd."}}], [{:AttributeTypeAndValue, {2, 5, 4, 3}, {:printableString, ~c"vTrus Root CA"}}]]}, {:Validity, {:utcTime, ~c"180731072405Z"}, {:utcTime, ~c"430731072405Z"}}, {:rdnSequence, [[{:AttributeTypeAndValue, {2, 5, 4, 6}, ~c"CN"}], [{:AttributeTypeAndValue, {2, 5, 4, 10}, {:printableString, ~c"iTrusChina Co.,Ltd."}}], [{:AttributeTypeAndValue, {2, 5, 4, 3}, {:printableString, ~c"vTrus Root CA"}}]]}, {:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, {1, 2, 840, 113549, 1, 1, 1}, :NULL}, --- [Lots of key info removed for space] --- , :asn1_NOVALUE, :asn1_NOVALUE, [{:Extension, ...}, {...}, ...]}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 5}, :NULL}, <<190, 228, 92, 98, 78, 36, 244, 12, 8, 255, 240, ...>>}}, {:cert, <<48, 130, 3, 123, 48, 130, 2, 99, 160, 3, 2, 1, 2, 2, 1, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, ...}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, {2, ...}, ~c"TW"}], [{:AttributeTypeAndValue, {...}, ...}], [{:AttributeTypeAndValue, ...}], [{...}]]}, {:Validity, {:utcTime, ~c"080828072433Z"}, {:utcTime, ~c"301231155959Z"}}, {:rdnSequence, [[{:AttributeTypeAndValue, ...}], [{...}], [...], ...]}, {:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, {...}, ...}, {:RSAPublicKey, ...}}, :asn1_NOVALUE, :asn1_NOVALUE, [{...}, ...]}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 5}, :NULL}, <<60, 213, 119, 61, 218, 223, 137, 186, 135, 12, ...>>}}, {:cert, <<48, 130, 5, 65, 48, 130, 3, 41, 160, 3, 2, 1, 2, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 3262, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, ...}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, {...}, ...}], [{:AttributeTypeAndValue, ...}], [{...}], [...]]}, {:Validity, {:utcTime, ~c"120627062833Z"}, {:utcTime, ~c"301231155959Z"}}, {:rdnSequence, [[{...}], [...], ...]}, {:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, ...}, {...}}, :asn1_NOVALUE, :asn1_NOVALUE, [...]}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 11}, :NULL}, <<95, 52, 129, 118, 239, 150, 29, 213, 229, ...>>}}, {:cert, <<48, 130, 4, 99, 48, 130, 3, 75, 160, 3, 2, 1, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, 840, 113549, ...}, :NULL}, {:rdnSequence, [[{:AttributeTypeAndValue, ...}], [{...}], [...], ...]}, {:Validity, {:utcTime, ~c"131125082555Z"}, {:utcTime, ...}}, {:rdnSequence, [[...], ...]}, {:OTPSubjectPublicKeyInfo, {...}, ...}, :asn1_NOVALUE, :asn1_NOVALUE, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, 11}, :NULL}, <<42, 63, 225, 241, 50, 142, 174, 225, ...>>}}, {:cert, <<48, 130, 3, 195, 48, 130, 2, 171, 160, 3, 2, 1, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, 840, ...}, :NULL}, {:rdnSequence, [[{...}], [...], ...]}, {:Validity, {:utcTime, ...}, {...}}, {:rdnSequence, [...]}, {:OTPSubjectPublicKeyInfo, ...}, :asn1_NOVALUE, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, 1, ...}, :NULL}, <<86, 61, 239, 148, 213, 189, 218, ...>>}}, {:cert, <<48, 130, 3, 195, 48, 130, 2, 171, 160, 3, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 1, {:SignatureAlgorithm, {1, 2, ...}, :NULL}, {:rdnSequence, [[...], ...]}, {:Validity, {...}, ...}, {:rdnSequence, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, 1, ...}, :NULL}, <<49, 3, 162, 97, 11, 31, ...>>}}, {:cert, <<48, 130, 5, 189, 48, 130, 3, 165, 160, 3, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 5700383053117599563, {:SignatureAlgorithm, {1, ...}, :NULL}, {:rdnSequence, [...]}, {:Validity, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, 840, 113549, ...}, :NULL}, <<115, 198, 129, 224, 39, ...>>}}, {:cert, <<48, 130, 5, 186, 48, 130, 3, 162, 160, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 13492815561806991280, {:SignatureAlgorithm, {...}, ...}, {:rdnSequence, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, 840, ...}, :NULL}, <<39, 186, 227, 148, ...>>}}, {:cert, <<48, 130, 3, 239, 48, 130, 2, 215, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 0, {:SignatureAlgorithm, ...}, {...}, ...}, {:SignatureAlgorithm, {1, 2, ...}, :NULL}, <<75, 54, 166, ...>>}}, {:cert, <<48, 130, 3, 221, 48, 130, 2, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 0, {...}, ...}, {:SignatureAlgorithm, {1, ...}, :NULL}, <<17, 89, ...>>}}, {:cert, <<48, 130, 4, 15, 48, 130, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, 0, ...}, {:SignatureAlgorithm, {...}, ...}, <<5, ...>>}}, {:cert, <<48, 130, 3, 90, 48, ...>>, {:OTPCertificate, {:OTPTBSCertificate, :v3, ...}, {:SignatureAlgorithm, ...}, <<...>>}}, {:cert, <<48, 130, 5, 127, ...>>, {:OTPCertificate, {:OTPTBSCertificate, ...}, {...}, ...}}, {:cert, <<48, 130, 3, ...>>, {:OTPCertificate, {...}, ...}}, {:cert, <<48, 130, ...>>, {:OTPCertificate, ...}}, {:cert, <<48, ...>>, {...}}, {:cert, <<...>>, ...}, {:cert, ...}, {...}, ...], verify: :verify_peer, customize_hostname_check: [match_fun: #Function<6.75820660/2 in :public_key.pkix_verify_hostname_match_fun/1>]], {:tls_alert, {:unexpected_message, ~c"TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:768 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,\n {internal,\n {server_hello,\n {3,3},\n <<128,78,7,175,140,144,165,212,179,7,105,137,...>>,\n <<11,131,58,129,245,122,149,191,175,234,207,...>>,\n <<19,1>>,\n \#{server_hello_selected_version =>\n {server_hello_selected_version,{3,4}},\n pre_shared_key => undefined,\n key_share =>\n {key_share_server_hello,\n {key_share_entry,secp384r1,<<4,208,217,...>>}}}}}}"}}}]}
#0 18.28
#0 18.28 Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.
#0 18.28
#0 18.28 Alternatively, you can compile and install Hex directly with this command:
#0 18.28
#0 18.28 $ mix archive.install github hexpm/hex branch latest
The error buried at the end of that very long line relates to :public_key.pkix_verify_hostname_match_fun/1, and includes:
TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:768 generated CLIENT ALERT: Fatal - Unexpected Message
{unexpected_msg,
{internal,
{server_hello,
{3,3},
<<128,78,7,175,140,144,165,212,179,7,105,137,...>>,
<<11,131,58,129,245,122,149,191,175,234,207,...>>,
<<19,1>>,
#{server_hello_selected_version =>
{server_hello_selected_version,{3,4}},
pre_shared_key => undefined,
key_share =>
{key_share_server_hello,
{key_share_entry,secp384r1,<<4,208,217,...>>}}}}}}
I’m not sure this is really an Erlang issue (or a mix issue), because presumably this OS is no longer supported, but is anyone aware of a workaround? for now I’ve just reverted to OTP 17.0, which works fine.
First Post!
dimitarvp
My first guess would be to manually install the latest root certificates (if the now obsolete OS does not have them up-to-date in its package manager database). On Debian-like systems the package is called ca-certificates.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance










