[erlang-questions] SSL: "unknown ca"

Ingela Andin ingela.andin@REDACTED
Fri Jan 30 21:18:02 CET 2015


Hi!

2015-01-30 19:25 GMT+01:00 e@REDACTED <e@REDACTED>:

> Hi, all.
>
> SSL: certify: ssl_alert.erl:92:Fatal error: unknown ca
>
> I know this issue generates thousands of "hits" in google-search
> yet google does not reveal a consistent explanation (not a recipe!)
>
> first of all: Unknown TO WHOM???
>


To the client or server trying to verify its peer certificate.



> secondly: What CA will be considered known?
>
>
The root CA must be present in the verifier's CA database (cacertfile or
corresponding option for that client/server).



> what properties of CA are required?
> may we assume that "CA" and "a certificate file" are synonyms in the
> current context? otherwise, what is CA and how is it represented?
>
>
Certificates and CA certificates are defined in RFC 5280. They are defined
as ASN-1 specifications and can normally be input as ASN-1 DER (binary
format) or
as a PEM file (a text file representation of the "DER-blob").


> and last but not least: Might this error be induced by some lower-level
> reason, unrelated to "CA familiarity", for example unacceptable certificate
> format?
>
>
That would result in a different error.


> My config is:
> {cacertfile, Dir ++ "ca.crt"}   % self-signed
> {certfile, Dir ++ "server.crt"} % signed by ca.crt
> {keyfile, Dir ++ "server.key"}
> % no other options are explicitly specified
>
>
These are only the options of the server. The client needs to have the ca.crt
in its configuration to be able
to verify the server's cert.

Regards Ingela  Erlang/OTP team - Ericsson AB
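
The point of the reply above, as an added example that is not part of the original thread or OTP's own code: a loopback server started with the poster's three options, then two clients, one whose CA database holds ca.crt and one whose CA database is empty. Assumptions: the module and function names are hypothetical, Dir ends in "/" and contains the poster's files, OTP 21 or later (for ssl:handshake/1), and SNI/hostname checking is disabled only because the demo connects to 127.0.0.1.

```erlang
-module(unknown_ca_demo).
-export([run/1]).

%% run(Dir) -> {ResultWithCa, ResultWithoutCa}
run(Dir) ->
    {ok, _} = application:ensure_all_started(ssl),
    %% Server side: the options from the original post, plus socket basics.
    ServerOpts = [{cacertfile, Dir ++ "ca.crt"},
                  {certfile,   Dir ++ "server.crt"},
                  {keyfile,    Dir ++ "server.key"},
                  {reuseaddr, true}, {active, false}],
    {ok, Listen} = ssl:listen(0, ServerOpts),        % port 0 = any free port
    {ok, {_Addr, Port}} = ssl:sockname(Listen),
    spawn_link(fun() -> accept_loop(Listen) end),
    Common = [{verify, verify_peer},
              {server_name_indication, disable},     % loopback demo only
              {active, false}],
    %% Client 1: ca.crt is in the verifier's CA database, so the chain
    %% server.crt -> ca.crt ends at a known root.
    WithCa = try_connect(Port, [{cacertfile, Dir ++ "ca.crt"} | Common]),
    %% Client 2: empty CA database, same server. No known root, so the
    %% client is expected to reject the peer with the "unknown ca" alert.
    WithoutCa = try_connect(Port, [{cacerts, []} | Common]),
    ssl:close(Listen),
    {WithCa, WithoutCa}.

%% Accept connections until the listen socket is closed. A failed
%% handshake here is the server seeing the alert sent by the client.
accept_loop(Listen) ->
    case ssl:transport_accept(Listen) of
        {ok, Sock} ->
            _ = ssl:handshake(Sock),
            accept_loop(Listen);
        {error, _Closed} ->
            ok
    end.

%% Returns ok on a verified connection, or the error from ssl:connect/4.
try_connect(Port, Opts) ->
    case ssl:connect({127,0,0,1}, Port, Opts, 5000) of
        {ok, Sock}      -> ssl:close(Sock), ok;
        {error, Reason} -> {error, Reason}
    end.
```

The exact shape of the error term returned for the second client differs between OTP releases, so the function returns it unmodified rather than matching on it.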