Kolz
Unable to run mix local.hex and mix local.rebar
Hi,
I’m running into an issue where I get the following two errors which means i can’t proceed with building anything:
mix local.hex --force
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2134 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}
Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.
Alternatively, you can compile and install Hex directly with this command:
$ mix archive.install github hexpm/hex branch latest
mix local.rebar --force
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2134 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}
Could not install Rebar because Mix could not download metadata at https://builds.hex.pm/installs/rebar3-1.x.csv.
I have tried my best to find help with how to resolve this and tried a bunch of things I found that seemed to help other users, but to no avail.
I’m running on an M1 mac (Sonoma 14.2.1) my Elixir/Erlang installs are through asdf:
elixir
*v1.16
erlang
*26.2.2
Would greatly appreciate help with this.
I have checked the certificate chain and I can’t find an issue there, to me it looks like I trust the required certificates. Also, running curl on the two urls that it complains about works fine.
Marked As Solved
blovett
Hello, I’ve been running into similar errors on macOS and made some slight progress that might be worth trying.
I don’t have an answer yet for why the OS cert chain displeases Erlang. I tried the suggestion about adding ISRG_Root_X2 via Keychain (already had X1) but no luck. Still working on that.
In the meantime, if you’re willing to entertain a workaround you could try using an alternate cert file. I used one that came with a version of curl installed by macports.
I installed hex through GitHub using the command shown in the initial error message. Just today I learned that the HEX_CACERTS_PATH environment variable which lets you specify an different chain than the system default is not equivalent to setting the equivalent config value in hex via hex config. The rebar installation worked for me once I switched to the environment variable. And then other packages downloaded fine.
So in summary:
- Default cert chain on macOS is a mystery
- Need hex? Install through GitHub
- Need rebar? Set
HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem - Don’t have that exact file? Download from here. It’s the link to cacert.pem
This is how I built Erlang with asdf:
KERL_CONFIGURE_OPTIONS="--without-javac --without-wx --without-odbc" asdf install erlang latest
asdf install elixir latest
mix archive.install github hexpm/hex branch latest
HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem mix deps.get --only prod
Also Liked
fmn
hello,
TL;DR:
depending on OS you are using, you can try procedure of adding CA certs to your global trust store.
certs can be found here: Chains of Trust - Let's Encrypt.
please, be careful when doing such changes with a link from a random person from the internet, crosscheck it with someone else ![]()
longer story…
i think you are missing Let’s Encrypt root CA certs in your OS, or they are not being globally used by TLS clients (for example, because of custom/broken openssl.cnf file).
this indicates TLS client is not able to build full chain of trust.
and indeed mix hex.config unsafe_https true doesn’t seem to be disabling CA chain of trust validation, it probably only targets service certificate validation itself (most likely against its expiration date or CN field of its subject, etc.).
i reproduced this issue:
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2174 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}
Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.
Alternatively, you can compile and install Hex directly with this command:
$ mix archive.install github hexpm/hex branch latest
… by removing from my OSes trust store two certs:
- ISRG_Root_X1
- ISRG_Root_X2
re-adding them, fixes issue.
you can get more info about expected chain of trust using openssl s_client -connect builds.hex.pm:443 or other TLS clients with decent debug options.
one thing which is not adding up is the fact curl works fine for you… that would hint your Erlang/OTP/Elixir is not using same trust store as curl does.
Kolz
Finally made this work.
I reinstalled my entire OS to get rid of any bad old config that would collide.
After I had reinstalled my OS, I was still getting the same errors (but now with different elixir/opt versions)
So I tried the following suggested by @blovett again
HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem mix deps.get --only prod
And now everything is working as it should, I wonder why it doesn’t seem to care about the keychain certificate store etc though, cause the certs are definitely in there
Thanks so much for the help everyone
dimitarvp
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #elixirconf-us
- #advent-of-code
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #hex










