Authenticity is not established by certificate path validation #80

LukaszJagielski opened this issue Dec 1, 2021 · 5 comments
@LukaszJagielski

Hi

When using certstream-server I got errors:

10:18:54.900 [warn]  Description: 'Authenticity is not established by certificate path validation'                    
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'                                         
                                                                                                                      
                                                                                                                      
10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'                    
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'                                         
                                                                                                                      
                                                                                                                      
10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'                    
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'                                         
                                                                                                                      
                                                                                                                      
10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'                    
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'                                         
                                                                                                                      
                                                                                                                      
10:18:54.901 [warn]  Description: 'Authenticity is not established by certificate path validation'                    
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

I installed erlang-dev instead of esl-erlang, because esl-erlang can't be installed on Debian. I don't know if this is a normal problem or if I missed something.

@nikAizuddin

I'm having the same issues too with Ubuntu 22.04. But no issues on AlmaLinux 8.5

@mzpqnxow

mzpqnxow commented Oct 3, 2022

You can use this to make the warning go away; it's not the "proper" solution, but it will work.

diff --git a/lib/certstream/ct_watcher.ex b/lib/certstream/ct_watcher.ex
index 596f804..a57270b 100644
--- a/lib/certstream/ct_watcher.ex
+++ b/lib/certstream/ct_watcher.ex
@@ -9,7 +9,7 @@ defmodule Certstream.CTWatcher do
   use GenServer
   use Instruments
 
-  @default_http_options [timeout: 10_000, recv_timeout: 10_000, ssl: [{:versions, [:'tlsv1.2']}], follow_redirect: true]
+  @default_http_options [timeout: 10_000, recv_timeout: 10_000, ssl: [{:versions, [:'tlsv1.2']}, verify: :verify_none], follow_redirect: true]
 
   def child_spec(log) do
     %{
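
Review bot: `verify: :verify_none` on the added `@default_http_options` line switches off peer certificate verification for every HTTPS request made with these options, so the warning goes away because the check is gone, not because a trust store was found. The warning's own Reason names what is missing: set `verify: :verify_peer` together with `cacertfile` (or `cacerts`) pointing at the system CA bundle instead. If `:verify_none` is kept as a stopgap, a comment on that line should say that the connections are unauthenticated.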

@Fitblip
Member

Fitblip commented Oct 20, 2022

This likely has to do with your operating system certificate setup, I'd be interested if curl or wget work as expected on your systems.

@mzpqnxow

> This likely has to do with your operating system certificate setup, I'd be interested if curl or wget work as expected on your systems.

They do, believe it or not. Unfortunately I patched and rebuilt with that hacky patch without even thinking to strace it to see what cert bundle it was trying to open :/

If I have some time free I will check

@Fitblip
Member

Fitblip commented Oct 22, 2022

Interesting! I know erlang/elixir has had quite a few weird bugs in its SSL stack :-/ I wonder if a different erlang/elixir version would sort it (not a great solution obv, but would help you narrow things down a bit)?
