[erlang-questions] SSL certificate's subject too long

Loïc Hoguin essen@REDACTED
Wed Jun 27 11:29:06 CEST 2012

On 06/27/2012 11:10 AM, Ingela Andin wrote:
> Hi!
> 2012/6/27, Loïc Hoguin <essen@REDACTED>:
>> On 06/27/2012 09:59 AM, Ingela Andin wrote:
>>> Hi!
>>> 2012/6/27, Loïc Hoguin <essen@REDACTED>:
>>>> On 06/25/2012 10:27 PM, Ingela Andin wrote:
>>>>> Hi!
>>>>> 2012/6/25 Loïc Hoguin <essen@REDACTED>:
>>>>>> Hey,
>>>>>> I'm running into the exact issue described here:
>>>>>> http://www.mentby.com/Group/rabbitmq-discuss/ssl-certificate-error.html
>>>>>> The certificate I have has a too long Subject line and Erlang just fails
>>>>>> when trying to load it. This is a RapidSSL certificate, with a CA. Not sure
>>>>>> I can just modify the subject directly while keeping it valid (don't know
>>>>>> how anyway).
>>>>>> Does anyone know how I could manage to use this certificate? If I need to
>>>>>> patch OTP, any pointers as to where this fails are more than welcome.
>>>>>> Thanks.
>>>>> The ecertfile is a backwards compatibility error code that you will
>>>>> get if ssl has a problem reading the certfile.
>>>>> It could be a file-error or a file-format error, or a bug in OTP
>>>>> application public_key. So if you want to pinpoint the error you can
>>>>> do:
>>>>> {ok, PemBin} = file:read_file("Cert.pem").
>>>>> PemEntries = public_key:pem_decode(PemBin).
>>>>> public_key:pem_entry_decode(hd(PemEntries)).
>>>> Getting {'RSAPrivateKey','two-prime', ...
>>>> All entries decode fine too.
>>>> What next?
>>> All entries, is there more than one certificate entry?
>> 1 rsa private key entry followed by 3 certificate entries.
> Well that is your problem then, currently there is only support for
> one certificate in the certificate file (the key can be there but only
> one cert) as there is no algorithm to choose
> a specific cert. The cacert file may of course have many cert entries.

OK that was the issue, but the reason wasn't the one I expected.

I didn't have more than one domain certificate, it seems I just had the 
cacert bundled in the file (and assumed wrong). Separating the two seems 
to make it work, although I'll have to try elsewhere than localhost.

Thanks a lot for the help!

Loïc Hoguin
Erlang Cowboy
Nine Nines
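
The separation described in this thread (one certificate plus the key in the certfile, the CA certificates in the cacert file) can be done with public_key itself. The following is an added example, not code from the thread or from OTP; the module name, function names and file paths are assumptions.

```erlang
-module(pem_split).
-export([classify/1, split/3]).

%% Sort the entries of a PEM bundle into: non-certificate entries (the
%% private key), the single end-entity certificate, and the CA certificates.
classify(PemBin) ->
    Entries = public_key:pem_decode(PemBin),
    {Certs, Others} =
        lists:partition(fun({Type, _Der, _Enc}) -> Type =:= 'Certificate' end,
                        Entries),
    Ders = [Der || {_, Der, _} <- Certs],
    %% The end-entity certificate is the one that issued no other
    %% certificate in the bundle.
    case [E || {_, Der, _} = E <- Certs, not issued_another(Der, Ders)] of
        [Leaf] -> {ok, Others, Leaf, Certs -- [Leaf]};
        Leaves -> {error, {expected_one_leaf, length(Leaves)}}
    end.

%% pkix_is_issuer/2 compares issuer and subject names only; it does not
%% verify signatures, so this groups certificates, it does not validate them.
issued_another(Der, Ders) ->
    lists:any(fun(Other) ->
                  Other =/= Der andalso public_key:pkix_is_issuer(Other, Der)
              end, Ders).

%% Write the key and end-entity certificate to CertOut and the remaining
%% certificates to CaOut. All three paths are caller-supplied (assumed names).
split(BundlePath, CertOut, CaOut) ->
    {ok, PemBin} = file:read_file(BundlePath),
    case classify(PemBin) of
        {ok, Others, Leaf, CAs} ->
            %% Create the key-bearing file empty and restrict it before
            %% any key material is written to it.
            ok = file:write_file(CertOut, <<>>),
            ok = file:change_mode(CertOut, 8#600),
            ok = file:write_file(CertOut,
                                 public_key:pem_encode(Others ++ [Leaf])),
            ok = file:write_file(CaOut, public_key:pem_encode(CAs)),
            {ok, [{certfile, CertOut}, {cacertfile, CaOut}]};
        {error, _} = Error ->
            Error
    end.
```

A bundle holding two unrelated end-entity certificates returns {error, {expected_one_leaf, 2}} rather than picking one silently.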
