Kolz

Kolz

Unable to run mix local.hex and mix local.rebar

Hi,

I’m running into an issue where I get the following two errors which means i can’t proceed with building anything:

mix local.hex --force
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2134 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.

Alternatively, you can compile and install Hex directly with this command:

    $ mix archive.install github hexpm/hex branch latest
mix local.rebar --force
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2134 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Rebar because Mix could not download metadata at https://builds.hex.pm/installs/rebar3-1.x.csv.

I have tried my best to find help with how to resolve this and tried a bunch of things I found that seemed to help other users, but to no avail.

I’m running on an M1 mac (Sonoma 14.2.1) my Elixir/Erlang installs are through asdf:
elixir
*v1.16
erlang
*26.2.2

Would greatly appreciate help with this.

I have checked the certificate chain and I can’t find an issue there, to me it looks like I trust the required certificates. Also, running curl on the two urls that it complains about works fine.

Marked As Solved

blovett

blovett

Hello, I’ve been running into similar errors on macOS and made some slight progress that might be worth trying.

I don’t have an answer yet for why the OS cert chain displeases Erlang. I tried the suggestion about adding ISRG_Root_X2 via Keychain (already had X1) but no luck. Still working on that.

In the meantime, if you’re willing to entertain a workaround you could try using an alternate cert file. I used one that came with a version of curl installed by macports.

I installed hex through GitHub using the command shown in the initial error message. Just today I learned that the HEX_CACERTS_PATH environment variable which lets you specify an different chain than the system default is not equivalent to setting the equivalent config value in hex via hex config. The rebar installation worked for me once I switched to the environment variable. And then other packages downloaded fine.

So in summary:

  • Default cert chain on macOS is a mystery
  • Need hex? Install through GitHub
  • Need rebar? Set HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem
  • Don’t have that exact file? Download from here. It’s the link to cacert.pem

This is how I built Erlang with asdf:

KERL_CONFIGURE_OPTIONS="--without-javac --without-wx --without-odbc" asdf install erlang latest
asdf install elixir latest
mix archive.install github hexpm/hex branch latest
HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem mix deps.get --only prod

Also Liked

fmn

fmn

hello,

TL;DR:

depending on OS you are using, you can try procedure of adding CA certs to your global trust store.

certs can be found here: Chains of Trust - Let's Encrypt.

please, be careful when doing such changes with a link from a random person from the internet, crosscheck it with someone else :wink:

longer story…

i think you are missing Let’s Encrypt root CA certs in your OS, or they are not being globally used by TLS clients (for example, because of custom/broken openssl.cnf file).

this indicates TLS client is not able to build full chain of trust.
and indeed mix hex.config unsafe_https true doesn’t seem to be disabling CA chain of trust validation, it probably only targets service certificate validation itself (most likely against its expiration date or CN field of its subject, etc.).

i reproduced this issue:

** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2174 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.

Alternatively, you can compile and install Hex directly with this command:

    $ mix archive.install github hexpm/hex branch latest

… by removing from my OSes trust store two certs:

  • ISRG_Root_X1
  • ISRG_Root_X2

re-adding them, fixes issue.

you can get more info about expected chain of trust using openssl s_client -connect builds.hex.pm:443 or other TLS clients with decent debug options.

one thing which is not adding up is the fact curl works fine for you… that would hint your Erlang/OTP/Elixir is not using same trust store as curl does.

Kolz

Kolz

Finally made this work.

I reinstalled my entire OS to get rid of any bad old config that would collide.

After I had reinstalled my OS, I was still getting the same errors (but now with different elixir/opt versions)

So I tried the following suggested by @blovett again

HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem mix deps.get --only prod

And now everything is working as it should, I wonder why it doesn’t seem to care about the keychain certificate store etc though, cause the certs are definitely in there

Thanks so much for the help everyone

dimitarvp

dimitarvp

As a workaround, you can run this:

mix hex.config unsafe_https true

And try again.

Where Next?

Popular in Questions Top

Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
LegitStack
I’m trying to make a websocket server in Phoenix or raw Elixir. I heard about gun, I think I could use cowboy, but since I’m not that sma...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
dotdotdotPaul
Okay, I’m having a heck of a time trying to figure out how to best handle the validation of belongs_to associations in Ecto. I’m sure I’...
New

Other popular topics Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New

We're in Beta

About us Mission Statement