Unknown CA error for custom nerves hub instance

After setting up custom nerves hub instance, I am able to create devices and products, add certificates via web. However, whenever I try to create them via command line e.g.:

mix nerves_hub.product create

I am getting this error:
Unhandled error: {:error, {:tls_alert, {:unknown_ca, 'TLS client: In state wait_cert at ssl_handshake.erl:1838 generated CLIENT ALERT: Fatal - Unknown CA\n'}}}

This is a staging setup and the domains are as:

  1. www.staging.mydomain.com - we are able to access this via browser and it shows it has a valid certificate issued by AWS.
  2. api.staging.mydomain.com - it shows the certificate is signed by NervesHub (as I deployed NH custom instance after creating an initial key-chain via nerves_hub repo) and browser also show this error of privacy alert. I had to add an exception to access this web page.
  3. device.staging.mydomain.com - same as above in no 2.

I have tried this both from Mac and Linux after adding these certificates to trusted generated by nerves hub. In code, I am telling it to load all these certificates from:
ca_certs = Path.expand("../ssl/prod", __DIR__)

I don’t know if this error is coming due to self signed certs or anything else. Is there any way I can resolve this error and be able to run these commands from my terminal against custom nerves hub instance and later after creating and installing image on our device, it is also able to communicate with our custom nerves hub instance.

Currently we are trying to achieve this without NervesKey.

The API request still doesn’t have the ca certs it needs. So the real question here is what are you doing with the ca_certs variable you create it? Just assigning the variable doesn’t help us really know where it is.

I’d also check out the doc here https://docs.nerves-hub.org/v/main/nerves-hub/setup/connecting-other-envs

Specifically, you need the config :nerves_hub_user_api, ca_certs: ca_certs portion in order for your CLI requests to succeed

Thank you @jjcarstens I will share the details and code portion from our config.

#config option #1
ca_certs = Path.expand("../ssl/prod", __DIR__)

config :nerves_hub_link,
       device_api_host: "device.staging.customdomain",
       device_api_sni: 'device.staging.customdomain',
       device_api_port: 443,
       ca_certs: ca_certs

config :nerves_hub_user_api,
       host: "api.staging.customdomain",
       port: 443,
      socket: [
        json_library: Jason,
        heartbeat_interval: 45_000
      ],
      ssl: [
        server_name_indication: 'api.staging.customdomain',
        log_level: :debug,
      ],
      fwup_public_keys: [:devkey],
       ca_certs: ca_certs

With this option #1, I am getting the error shared in my original post.

#config option #2
ca_certs = Path.expand("../ssl/prod", __DIR__)

config :nerves_hub_link,
       device_api_host: "device.staging.customdomain",
       device_api_sni: 'device.staging.customdomain',
       device_api_port: 443,
       ca_certs: ca_certs

config :nerves_hub_user_api,
       host: "api.staging.customdomain",
       port: 443,
       server_name_indication: "api.staging.customdomain",
       fwup_public_keys: [:devkey],
       ca_certs: ca_certs

With this option #2, I am getting this error:

Unhandled error: {:error, {:options, {:server_name_indication, “api.staging.customdomain”}}}

This directory …/ssl/prod/ contains all the certs which were generated by the following command and later used in deployment by terraform on AWS:

mix nerves_hub_ca.init --path path/to/nerveshub-terraform/ssl/staging

As I am not sure which certs files to place in ssl/prod, I copied all of them except for keys. Do we need to place only certain cert files there or any other cert I am missing which is causing these errors?