<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="margin: 0px; font-family: Menlo;" class="">When I tried to check the connection with the openssl command, this is what I got without the cacert.pem file:</div>
<div style="margin: 0px; font-family: Menlo;" class=""><br class=""></div>
<div style="margin: 0px; font-family: Menlo;" class="">$ openssl s_client -connect nicemine.ru:443 -verify 99</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify depth is 99</div>
<div style="margin: 0px; font-family: Menlo;" class="">CONNECTED(00000003)</div>
<div style="margin: 0px; font-family: Menlo;" class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify error:num=19:self signed certificate in certificate chain</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify return:1</div>
<div style="margin: 0px; font-family: Menlo;" class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify return:1</div>
<div style="margin: 0px; font-family: Menlo;" class="">depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify return:1</div>
<div style="margin: 0px; font-family: Menlo;" class="">depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify return:1</div>
<div class=""><br class=""></div>
<div class="">and with it:</div>
<div class=""><br class=""></div>
<div style="margin: 0px; font-family: Menlo;" class="">$ openssl s_client -connect nicemine.ru:443 -verify 99 -CAfile cacert.pem</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify depth is 99</div>
<div style="margin: 0px; font-family: Menlo;" class="">CONNECTED(00000003)</div>
<div style="margin: 0px; font-family: Menlo;" class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify return:1</div>
<div style="margin: 0px; font-family: Menlo;" class="">depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify return:1</div>
<div style="margin: 0px; font-family: Menlo;" class="">depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru</div>
<div style="margin: 0px; font-family: Menlo;" class="">verify return:1</div>
<div style="margin: 0px; font-family: Menlo;" class=""><br class=""></div>
<div style="margin: 0px; font-family: Menlo;" class="">so the cacert.pem file contains enough info for the StartCom certificates to be checked as valid.</div>
<div style="margin: 0px; font-family: Menlo;" class=""><br class=""></div>
<div style="margin: 0px; font-family: Menlo;" class="">Also, I've tried to dig into it more in Erlang and I've found that I get the error in OTP 18 too.</div>
<div style="margin: 0px; font-family: Menlo;" class=""><br class=""></div>
<div style="margin: 0px; font-family: Menlo;" class="">And the reason for the bad certificate error is {bad_cert,invalid_issuer}.</div>
<div class=""><br class=""></div>
<div class="">I also tried to add the <span style="font-family: Menlo;" class=""><a href="https://www.startssl.com/certs/sub.class1.server.ca.pem" class="">https://www.startssl.com/certs/sub.class1.server.ca.pem</a> file to cacert.pem, but with no luck.</span></div>
<div class=""><br class=""></div>
<div><blockquote type="cite" class=""><div class="">On 16 July 2015, at 12:16, Alex Hudich &lt;<a href="mailto:alttagil@gmail.com" class="">alttagil@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">Hi!<br class=""><br class="">wget <a href="http://curl.haxx.se/ca/cacert.pem" class="">http://curl.haxx.se/ca/cacert.pem</a><br class=""><br class="">and then<br class=""><br class="">ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).<br class=""><br class="">gives me {error,{tls_alert,"bad certificate"}}<br class=""><br class="">Why? The site can be opened OK in the browser.<br class=""><br class="">Erlang/OTP 17 [erts-6.3]<br class=""></div></blockquote></div><br class=""></body></html>