Unable to run mix local.hex and mix local.rebar

Hi,

I’m running into an issue where I get the following two errors, which means I can’t proceed with building anything:

mix local.hex --force
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2134 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.

Alternatively, you can compile and install Hex directly with this command:

    $ mix archive.install github hexpm/hex branch latest
mix local.rebar --force
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2134 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Rebar because Mix could not download metadata at https://builds.hex.pm/installs/rebar3-1.x.csv.

I have tried my best to find help with how to resolve this and tried a bunch of things I found that seemed to help other users, but to no avail.

I’m running on an M1 mac (Sonoma 14.2.1); my Elixir/Erlang installs are through asdf:

    elixir
     *v1.16
    erlang
     *26.2.2

Would greatly appreciate help with this.

I have checked the certificate chain and I can’t find an issue there, to me it looks like I trust the required certificates. Also, running curl on the two urls that it complains about works fine.


The error suggests that there is some TLS handshaking issues, are you perhaps in a corporate network that intercepts and re-encrypts HTTPS connections?

Hi NobbZ, no, I’m on my personal laptop at home, there shouldn’t be any proxies involved here. (Also not using a VPN)

As a workaround, you can run this:

mix hex.config unsafe_https true

And try again.


Hi @dimitarvp

Thanks for the suggestion, did not help either. I also tried HEX_UNSAFE_HTTPS=1 which did not work either :frowning:

Have you tried with curl -v https://builds.hex.pm on the command line?

I have, it works fine when I try that.

To be more specific, it gives me a 200 response with a text reply “Everything’s Okay”

Did you solve your problems ?

Sadly, no. Still have this issue, I only do Elixir in my free time (also sadly), so I haven’t had time to do more digging yet.

hello,

TL;DR:

Depending on the OS you are using, you can try the procedure of adding the CA certs to your global trust store.

The certs can be found here: Chains of Trust - Let's Encrypt.

Please be careful when making such changes based on a link from a random person on the internet; cross-check it with someone else :wink:

Longer story…

I think you are missing the Let’s Encrypt root CA certs in your OS, or they are not being used globally by TLS clients (for example, because of a custom/broken openssl.cnf file).

This indicates the TLS client is not able to build a full chain of trust.
And indeed, mix hex.config unsafe_https true doesn’t seem to disable CA chain-of-trust validation; it probably only targets validation of the service certificate itself (most likely its expiration date, the CN field of its subject, etc.).

I reproduced this issue:

** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2174 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.

Alternatively, you can compile and install Hex directly with this command:

    $ mix archive.install github hexpm/hex branch latest

… by removing two certs from my OS’s trust store:

  • ISRG_Root_X1
  • ISRG_Root_X2

Re-adding them fixes the issue.

You can get more info about the expected chain of trust using openssl s_client -connect builds.hex.pm:443 or other TLS clients with decent debug options.

One thing that is not adding up is the fact that curl works fine for you… that would hint that your Erlang/OTP/Elixir is not using the same trust store as curl does.


Hello, I’ve been running into similar errors on macOS and made some slight progress that might be worth trying.

I don’t have an answer yet for why the OS cert chain displeases Erlang. I tried the suggestion about adding ISRG_Root_X2 via Keychain (already had X1) but no luck. Still working on that.

In the meantime, if you’re willing to entertain a workaround you could try using an alternate cert file. I used one that came with a version of curl installed by macports.

I installed hex through GitHub using the command shown in the initial error message. Just today I learned that the HEX_CACERTS_PATH environment variable, which lets you specify a different chain than the system default, is not equivalent to setting the corresponding config value in hex via hex config. The rebar installation worked for me once I switched to the environment variable. And then other packages downloaded fine.

So in summary:

  • Default cert chain on macOS is a mystery
  • Need hex? Install through GitHub
  • Need rebar? Set HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem
  • Don’t have that exact file? Download from here. It’s the link to cacert.pem

This is how I built Erlang with asdf:

KERL_CONFIGURE_OPTIONS="--without-javac --without-wx --without-odbc" asdf install erlang latest
asdf install elixir latest
mix archive.install github hexpm/hex branch latest
HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem mix deps.get --only prod
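The open question in the thread is which trust store Erlang’s TLS client is actually consulting, since curl and openssl s_client succeed while Mix fails with unknown_ca. The script below is an added diagnostic written for this page; it is not code from the thread, from Hex or from Mix. It uses Erlang’s own :ssl.connect/4 with the strict options an HTTPS client should have (peer verification, SNI, HTTPS hostname matching) and tries each CA source in turn: the OS trust store as OTP sees it via :public_key.cacerts_get/0 (OTP 25+), plus any PEM bundle paths given on the command line. A source that returns {:error, :unknown_ca} here will also fail in Mix; one that returns :ok is what you would point HEX_CACERTS_PATH at. The host and port are those from the error message; the module and function names are my own.

```elixir
# probe_ca.exs -- added diagnostic, not part of the thread or of Hex/Mix.
# Assumes OTP 25+ (for :public_key.cacerts_get/0) and network access to the host.
#
# Usage: elixir probe_ca.exs [/path/to/cert.pem ...]

defmodule CaProbe do
  @host ~c"builds.hex.pm"
  @port 443

  # `source` is :os (OS trust store as loaded by OTP) or {:file, pem_bundle_path}.
  def probe(source) do
    ca_opt =
      case source do
        :os -> [cacerts: :public_key.cacerts_get()]
        {:file, path} -> [cacertfile: path]
      end

    # Same shape of options a correctly configured HTTPS client would pass:
    # verify the peer, bound the chain depth, send SNI and match the hostname
    # with the HTTPS rules (wildcards, SAN).
    opts =
      [
        verify: :verify_peer,
        depth: 3,
        server_name_indication: @host,
        customize_hostname_check: [
          match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
        ]
      ] ++ ca_opt

    case :ssl.connect(@host, @port, opts, 5_000) do
      {:ok, sock} ->
        :ssl.close(sock)
        :ok

      # This is the same alert Mix reports: the chain could not be built
      # from the CA source we supplied.
      {:error, {:tls_alert, {:unknown_ca, _detail}}} ->
        {:error, :unknown_ca}

      {:error, reason} ->
        {:error, reason}
    end
  end

  # Guard the OS lookup separately: cacerts_get/0 raises when OTP cannot
  # locate or parse any system bundle, which is itself a useful finding.
  def probe_os do
    probe(:os)
  rescue
    e -> {:error, {:cacerts_get_failed, Exception.message(e)}}
  end
end

{:ok, _} = Application.ensure_all_started(:ssl)

IO.puts("#{inspect(:os)} -> #{inspect(CaProbe.probe_os())}")

for path <- System.argv() do
  IO.puts("#{inspect({:file, path})} -> #{inspect(CaProbe.probe({:file, path}))}")
end
```

Run it as `elixir probe_ca.exs /opt/local/etc/openssl/cert.pem /etc/ssl/cert.pem` and compare the lines: if :os fails but a file succeeds, the macOS Keychain is not what OTP is loading, and exporting HEX_CACERTS_PATH to the working bundle is the right fix rather than unsafe_https, which trades away peer verification entirely instead of repairing the trust anchor.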

Thanks for the suggestion!

However, it did not help, still getting the same issue.

I have both certs in place, everything looks good when checking openssl s_client -connect builds.hex.pm:443 as well :confused:

mix archive.install github hexpm/hex branch latest works fine, but I don’t know what/how to write the equivalent for rebar


Thanks, I tried manually specifying the HEX_CACERTS_PATH and that did not help unfortunately.

I will attempt a reinstall a bit later with your KERL_CONFIGURE_OPTIONS specified

Finally made this work.

I reinstalled my entire OS to get rid of any bad old config that would collide.

After I had reinstalled my OS, I was still getting the same errors (but now with different Elixir/OTP versions).

So I tried the following suggested by @blovett again

HEX_CACERTS_PATH=/opt/local/etc/openssl/cert.pem mix deps.get --only prod

And now everything is working as it should, I wonder why it doesn’t seem to care about the keychain certificate store etc though, cause the certs are definitely in there

Thanks so much for the help everyone
