Unknown CA when attempting to perform mix local.hex on Windows

Running mix local.hex fails with “Unknown CA”:

> mix local.hex
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2138 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.

Alternatively, you can compile and install Hex directly with this command:

    $ mix archive.install github hexpm/hex branch latest

I can download https://builds.hex.pm/installs/hex-1.x.csv from a web browser find; the TLS cert validates as expected.

Does anyone know why this is happening and how I might be able to fix it?

I’m running:

  • Elixir 1.15.6 (compiled with Erlang/OTP 26)
  • OTP 26.1

The problem seems to affect multiple versions of Windows, I’ve tested 11 and 10 so far.

1 Like

You might find some answers here: Fallen at the first hurdle: [notice] TLS :client: In state :certify at ssl_handshake.erl:2082 generated CLIENT ALERT: Fatal - Unknown CA

1 Like

Thanks that put me on the right track!

I have now fixed the issue by manually importing the Let’s Encrypt root CA cert from Chain of Trust - Let's Encrypt.

1 Like

This is very suspect. We shouldn’t need to install a LetsEncrypt root CA.

1 Like

I get these errors as well occasionally with very established domains like the Irish government or universities. I just posted this. I’m switching to curl for http.