[erlang-questions] SSL certificate's subject too long

Loïc Hoguin <>
Wed Jun 27 11:29:06 CEST 2012


On 06/27/2012 11:10 AM, Ingela Andin wrote:
> Hi!
>
> 2012/6/27, Loïc Hoguin <>:
>> On 06/27/2012 09:59 AM, Ingela Andin wrote:
>>> Hi!
>>>
>>> 2012/6/27, Loïc Hoguin <>:
>>>> On 06/25/2012 10:27 PM, Ingela Andin wrote:
>>>>> Hi!
>>>>>
>>>>> 2012/6/25 Loďc Hoguin <>:
>>>>>> Hey,
>>>>>>
>>>>>> I'm running into the exact issue described here:
>>>>>> http://www.mentby.com/Group/rabbitmq-discuss/ssl-certificate-error.html
>>>>>>
>>>>>> The certificate I have has a too long Subject line and Erlang just
>>>>>> fails
>>>>>> when trying to load it. This is a RapidSSL certificate, with a CA. Not
>>>>>> sure
>>>>>> I can just modify the subject directly while keeping it valid (don't
>>>>>> know
>>>>>> how anyway).
>>>>>>
>>>>>> Does anyone know how I could manage to use this certificate? If I need
>>>>>> to
>>>>>> patch OTP, any pointers as to where this fails is more than welcome.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>
>>>>> The ecertfile is a backwards compatibility error code that you will
>>>>> get if ssl has a problem reading the certfile.
>>>>> It could be a file-error or a file-format error, or a bug in OTP
>>>>> application public_key. So if you want to pinpoint the error you can
>>>>> do:
>>>>> {ok, PemBin} = file:read_file("Cert.pem").
>>>>> PemEntries = public_key:pem_decode(Pembin).
>>>>> public_key:pem_entry_decode(hd(PemEntries)).
>>>>
>>>> Getting {'RSAPrivateKey','two-prime', ...
>>>>
>>>> All entries decode fine too.
>>>>
>>>> What next?
>>>
>>> All entries, is there more than one certificate entry?
>>
>> 1 rsa private key entry followed by 3 certificate entries.
>
> Well that is your problem then, currently there is only support for
> one certificate in the certifcate file  (the key can be there but only
> one cert) as there is now algorithm to choose
> a specific cert. The cacert file may of course have many cert entries.

OK that was the issue, but the reason wasn't the one I expected.

I didn't have more than one domain certificate, it seems I just had the 
cacert bundled in the file (and assumed wrong). Separating the two seems 
to make it work, although I'll have to try elsewhere than localhost.

Thanks a lot for the help!

-- 
Loïc Hoguin
Erlang Cowboy
Nine Nines





More information about the erlang-questions mailing list