<div dir="ltr">err wrong coppy-paste. So using openssl the certidicate looks OK. So it seems an error in erlang.<br><br>OpenSSL> s_client -connect <a href="http://airbrake.io:443">airbrake.io:443</a> -CAfile /Users/benoitc/Misc/erlang-certifi/priv/cacerts.pem<br>CONNECTED(00000006)<br>depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br>verify return:1<br>depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br>verify return:1<br>depth=1 C = US, O = SSL.com, OU = <a href="http://www.ssl.com">www.ssl.com</a>, CN = SSL.com DV CA<br>verify return:1<br>depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.<a href="http://airbrake.io">airbrake.io</a><br>verify return:1<br>---<br>Certificate chain<br> 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io">airbrake.io</a><br> i:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com">www.ssl.com/CN=SSL.com</a> DV CA<br> 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br> 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br> 3 s:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com">www.ssl.com/CN=SSL.com</a> DV CA<br> i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>---<br>Server certificate<br>-----BEGIN CERTIFICATE-----<br>MIIEwTCCA6mgAwIBAgIRAKLxH0P8s499IyC7Gi9P0e8wDQYJKoZIhvcNAQELBQAw<br>TTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1NTTC5jb20xFDASBgNVBAsTC3d3dy5z<br>c2wuY29tMRYwFAYDVQQDEw1TU0wuY29tIERWIENBMB4XDTE2MTEwNDAwMDAwMFoX<br>DTE4MTEyODIzNTk1OVowWzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh<br>dGVkMR4wHAYDVQQLExVFc3NlbnRpYWxTU0wgV2lsZGNhcmQxFjAUBgNVBAMMDSou<br>YWlyYnJha2UuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXWXkQ<br>kM5+hdRdZhWC3G+wjwpSF2GNLzEf27+3CQvZA8J7trZ/JdHTwIt6TPnq4igmE/XA<br>Ej2mOEu2crzO+mVignSSPDItHVB8UenwNphguUskZPSDgVEi5a7rBscFWKkvWMEH<br>W6vhbrpur+G1j0awhTn6hh++DYUUUl03hUPh6qNN+GQ/wPn+Tbgzw3obX4sE7Iel<br>UePxeMpzv4rG9nZznStoXYlRFws3BaL8wTkL3G8wLVJndlIKTzMdfDCinvGpkV85<br>rdfm7UfsvFCdYKosOpbt5iRCJGTJvckFX4ih2MAC8mMP+bwzrNrNkPjuY8To+pVC<br>F2rNvjRWJn+yTDdVAgMBAAGjggGMMIIBiDAfBgNVHSMEGDAWgBRGmv38UV58VFNS<br>4pnjszLvkxp/VjAdBgNVHQ4EFgQUkQAJSPUocFTrnPm4af+i76JscKkwDgYDVR0P<br>AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG<br>AQUFBwMCMEoGA1UdIARDMEEwNQYKKwYBBAGCqTABATAnMCUGCCsGAQUFBwIBFhlo<br>dHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATA0BgNVHR8ELTArMCmg<br>J6AlhiNodHRwOi8vY3JsLnNzbC5jb20vU1NMY29tRFZDQV8yLmNybDBgBggrBgEF<br>BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xjb21E<br>VkNBXzIuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5zc2wuY29tMCUGA1Ud<br>EQQeMByCDSouYWlyYnJha2UuaW+CC2FpcmJyYWtlLmlvMA0GCSqGSIb3DQEBCwUA<br>A4IBAQBWDuO6czF5/CGPCuySdo9UGy7/Rj/oONzEPSJJcRZ1o6ix+RV7+dQBNBO0<br>SPuAkgH4k/Qbs75htpduWq+5hIfgYwSWvTW+2kcEZKgkPrg53n7cMT10MTg7I7oS<br>qNvIpNh+2e6JwaFnM9pYSOSx01zh2HnCi8l+AQmVRdhxVDgOT+9SNcLC3+j/IuY6<br>iGnse7X4Q3diIMNxtPTdqfPsewLuWH7RJutwuLTIP5qL1R+AH0RmOGeX2K16rPLr<br>1GczOm5WnRyikYMjGW6llzS7RXgPfvdeU8mt4wK7fvZ9chMLNR7fpmEsWoejmN5P<br>nqzjN5AKKgED5AjJ+DNtKzzEJqW0<br>-----END CERTIFICATE-----<br>subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io">airbrake.io</a><br>issuer=/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com">www.ssl.com/CN=SSL.com</a> DV CA<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 5736 bytes and written 444 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br> Protocol : TLSv1.2<br> Cipher : ECDHE-RSA-AES128-GCM-SHA256<br> Session-ID: 2CA3877657CF653D2885B34218AC09ECA30A9E125AC0556D749E359F3A6822F7<br> Session-ID-ctx: <br> Master-Key: 2D3A255FF47D44AAD4CA06024149B9538819A0C832426B69B83EFE76E5404BC87790360A2F4FFC9933DB76816555C6B1<br> Start Time: 1522613874<br> Timeout : 300 (sec)<br> Verify return code: 0 (ok)<br>---<br><br>HTTP/1.0 408 Request Time-out<br>Cache-Control: no-cache<br>Connection: close<br>Content-Type: text/html<br><br><html><body><h1>408 Request Time-out</h1><br>Your browser didn't send a complete request in time.<br></body></html><br>closed<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 1, 2018 at 10:06 PM, Benoit Chesneau <span dir="ltr"><<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>heh OK, no problem :)<br><br></div>To be complete the chain retuned by openssl is : <br><br>OpenSSL> s_client -connect <a href="http://airbrake.io:443" target="_blank">airbrake.io:443</a> -showcerts<br>CONNECTED(00000006)<br>depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br>verify error:num=19:self signed certificate in certificate chain<br>verify return:0<br>---<br>Certificate chain<br> 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io" target="_blank">airbrake.io</a><br> i:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.ssl.<wbr>com/CN=SSL.com</a> DV CA<br>-----BEGIN CERTIFICATE-----<br>MIIEwTCCA6mgAwIBAgIRAKLxH0P8s4<wbr>99IyC7Gi9P0e8wDQYJKoZIhvcNAQEL<wbr>BQAw<br>TTELMAkGA1UEBhMCVVMxEDAOBgNVBA<wbr>oTB1NTTC5jb20xFDASBgNVBAsTC3d3<wbr>dy5z<br>c2wuY29tMRYwFAYDVQQDEw1TU0wuY2<wbr>9tIERWIENBMB4XDTE2MTEwNDAwMDAw<wbr>MFoX<br>DTE4MTEyODIzNTk1OVowWzEhMB8GA1<wbr>UECxMYRG9tYWluIENvbnRyb2wgVmFs<wbr>aWRh<br>dGVkMR4wHAYDVQQLExVFc3NlbnRpYW<wbr>xTU0wgV2lsZGNhcmQxFjAUBgNVBAMM<wbr>DSou<br>YWlyYnJha2UuaW8wggEiMA0GCSqGSI<wbr>b3DQEBAQUAA4IBDwAwggEKAoIBAQDX<wbr>WXkQ<br>kM5+hdRdZhWC3G+<wbr>wjwpSF2GNLzEf27+3CQvZA8J7trZ/<wbr>JdHTwIt6TPnq4igmE/XA<br>Ej2mOEu2crzO+<wbr>mVignSSPDItHVB8UenwNphguUskZPS<wbr>DgVEi5a7rBscFWKkvWMEH<br>W6vhbrpur+G1j0awhTn6hh++<wbr>DYUUUl03hUPh6qNN+GQ/wPn+<wbr>Tbgzw3obX4sE7Iel<br>UePxeMpzv4rG9nZznStoXYlRFws3Ba<wbr>L8wTkL3G8wLVJndlIKTzMdfDCinvGp<wbr>kV85<br>rdfm7UfsvFCdYKosOpbt5iRCJGTJvc<wbr>kFX4ih2MAC8mMP+<wbr>bwzrNrNkPjuY8To+pVC<br>F2rNvjRWJn+<wbr>yTDdVAgMBAAGjggGMMIIBiDAfBgNVH<wbr>SMEGDAWgBRGmv38UV58VFNS<br>4pnjszLvkxp/<wbr>VjAdBgNVHQ4EFgQUkQAJSPUocFTrnP<wbr>m4af+i76JscKkwDgYDVR0P<br>AQH/BAQDAgWgMAwGA1UdEwEB/<wbr>wQCMAAwHQYDVR0lBBYwFAYIKwYBBQU<wbr>HAwEGCCsG<br>AQUFBwMCMEoGA1UdIARDMEEwNQYKKw<wbr>YBBAGCqTABATAnMCUGCCsGAQUFBwIB<wbr>Fhlo<br>dHRwczovL2Nwcy51c2VydHJ1c3QuY2<wbr>9tMAgGBmeBDAECATA0BgNVHR8ELTAr<wbr>MCmg<br>J6AlhiNodHRwOi8vY3JsLnNzbC5jb2<wbr>0vU1NMY29tRFZDQV8yLmNybDBgBggr<wbr>BgEF<br>BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2<wbr>h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xj<wbr>b21E<br>VkNBXzIuY3J0MB8GCCsGAQUFBzABhh<wbr>NodHRwOi8vb2NzcC5zc2wuY29tMCUG<wbr>A1Ud<br>EQQeMByCDSouYWlyYnJha2UuaW+<wbr>CC2FpcmJyYWtlLmlvMA0GCSqGSIb3D<wbr>QEBCwUA<br>A4IBAQBWDuO6czF5/<wbr>CGPCuySdo9UGy7/Rj/<wbr>oONzEPSJJcRZ1o6ix+RV7+dQBNBO0<br>SPuAkgH4k/Qbs75htpduWq+<wbr>5hIfgYwSWvTW+<wbr>2kcEZKgkPrg53n7cMT10MTg7I7oS<br>qNvIpNh+<wbr>2e6JwaFnM9pYSOSx01zh2HnCi8l+<wbr>AQmVRdhxVDgOT+9SNcLC3+j/IuY6<br>iGnse7X4Q3diIMNxtPTdqfPsewLuWH<wbr>7RJutwuLTIP5qL1R+<wbr>AH0RmOGeX2K16rPLr<br>1GczOm5WnRyikYMjGW6llzS7RXgPfv<wbr>deU8mt4wK7fvZ9chMLNR7fpmEsWoej<wbr>mN5P<br>nqzjN5AKKgED5AjJ+DNtKzzEJqW0<br>-----END CERTIFICATE-----<br> 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br>-----BEGIN CERTIFICATE-----<br>MIIENjCCAx6gAwIBAgIBATANBgkqhk<wbr>iG9w0BAQUFADBvMQswCQYDVQQGEwJT<wbr>RTEU<br>MBIGA1UEChMLQWRkVHJ1c3QgQUIxJj<wbr>AkBgNVBAsTHUFkZFRydXN0IEV4dGVy<wbr>bmFs<br>IFRUUCBOZXR3b3JrMSIwIAYDVQQDEx<wbr>lBZGRUcnVzdCBFeHRlcm5hbCBDQSBS<wbr>b290<br>MB4XDTAwMDUzMDEwNDgzOFoXDTIwMD<wbr>UzMDEwNDgzOFowbzELMAkGA1UEBhMC<wbr>U0Ux<br>FDASBgNVBAoTC0FkZFRydXN0IEFCMS<wbr>YwJAYDVQQLEx1BZGRUcnVzdCBFeHRl<wbr>cm5h<br>bCBUVFAgTmV0d29yazEiMCAGA1UEAx<wbr>MZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0Eg<wbr>Um9v<br>dDCCASIwDQYJKoZIhvcNAQEBBQADgg<wbr>EPADCCAQoCggEBALf3GjPm8gAELTng<wbr>Tlvt<br>H7xsD821+<wbr>iO2zt6bETOXpClMfZOfvUq8k+<wbr>0DGuOPz+VtUFrWlymUWoCwSXrbLpX9<br>uMq/NzgtHj6RQa1wVsfwTz/<wbr>oMp50ysiQVOnGXw94nZpAPA6sYapeF<wbr>I+eh6FqUNzX<br>mk6vBbOmcZSccbNQYArHE504B4YCqO<wbr>moaSYYkKtMsE8jqzpPhNjfzp/haW+<wbr>710LX<br>a0Tkx63ubUFfclpxCDezeWWkWaCUN/<wbr>cALw3CknLa0Dhy2xSoRcRdKn23tNbE<wbr>7qzN<br>E0S3ySvdQwAl+<wbr>mG5aWpYIxG3pzOPVnVZ9c0p10a3Cit<wbr>lttNCbxWyuHv77+ldU9U0<br>WicCAwEAAaOB3DCB2TAdBgNVHQ4EFg<wbr>QUrb2YejS0Jvf6xCZU7wO94CTLVBow<wbr>CwYD<br>VR0PBAQDAgEGMA8GA1UdEwEB/<wbr>wQFMAMBAf8wgZkGA1UdIwSBkTCBjoA<wbr>Urb2YejS0<br>Jvf6xCZU7wO94CTLVBqhc6RxMG8xCz<wbr>AJBgNVBAYTAlNFMRQwEgYDVQQKEwtB<wbr>ZGRU<br>cnVzdCBBQjEmMCQGA1UECxMdQWRkVH<wbr>J1c3QgRXh0ZXJuYWwgVFRQIE5ldHdv<wbr>cmsx<br>IjAgBgNVBAMTGUFkZFRydXN0IEV4dG<wbr>VybmFsIENBIFJvb3SCAQEwDQYJKoZI<wbr>hvcN<br>AQEFBQADggEBALCb4IUlwtYj4g+<wbr>WBpKdQZic2YR5gdkeWxQHIzZlj7DYd<wbr>7usQWxH<br>YINRsPkyPef89iYTx4AWpb9a/<wbr>IfPeHmJIZriTAcKhjW88t5RxNKWt9x<wbr>+Tu5w/Rw5<br>6wwCURQtjr0W4MHfRnXnJK3s9EK0hZ<wbr>NwEGe6nQY1ShjTK3rMUUKhemPR5ruh<wbr>xSvC<br>Nr4TDea9Y355e6cJDUCrat2PisP29o<wbr>waQgVR1EX1n6diIWgVIEM8med8vSTY<wbr>qZEX<br>c4g/VhsxOBi0cQ+azcgOno4uG+<wbr>GMmIPLHzHxREzGBHNJdmAPx/<wbr>i9F4BrLunMTA5a<br>mnkPIAou1Z5jJh5VkpTYghdae9C8x4<wbr>9OhgQ=<br>-----END CERTIFICATE-----<br> 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br>-----BEGIN CERTIFICATE-----<br>MIIFdzCCBF+gAwIBAgIQE+<wbr>oocFv07O0MNmMJgGFDNjANBgkqhkiG<wbr>9w0BAQwFADBv<br>MQswCQYDVQQGEwJTRTEUMBIGA1UECh<wbr>MLQWRkVHJ1c3QgQUIxJjAkBgNVBAsT<wbr>HUFk<br>ZFRydXN0IEV4dGVybmFsIFRUUCBOZX<wbr>R3b3JrMSIwIAYDVQQDExlBZGRUcnVz<wbr>dCBF<br>eHRlcm5hbCBDQSBSb290MB4XDTAwMD<wbr>UzMDEwNDgzOFoXDTIwMDUzMDEwNDgz<wbr>OFow<br>gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQ<wbr>QIEwpOZXcgSmVyc2V5MRQwEgYDVQQH<wbr>EwtK<br>ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVG<wbr>hlIFVTRVJUUlVTVCBOZXR3b3JrMS4w<wbr>LAYD<br>VQQDEyVVU0VSVHJ1c3QgUlNBIENlcn<wbr>RpZmljYXRpb24gQXV0aG9yaXR5MIIC<wbr>IjAN<br>BgkqhkiG9w0BAQEFAAOCAg8AMIICCg<wbr>KCAgEAgBJlFzYOw9sIs9CsVw127c0n<wbr>00yt<br>UINh4qogTQktZAnczomfzD2p7PbPwd<wbr>zx07HWezcoEStH2jnGvDoZtF+<wbr>mvX2do2NC<br>tnbyqTsrkfjib9DsFiCQCT7i6HTJGL<wbr>SR1GJk23+jBvGIGGqQIjy8/<wbr>hPwhxR79uQf<br>jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/<wbr>xadGL1RjjWmp2bIcmfbIWax1Jt4A8B<wbr>QOujM<br>8Ny8nkz+rwWWNR9XWrf/<wbr>zvk9tyy29lTdyOcSOk2uTIq3XJq0ty<wbr>A9yn8iNK5+O2hm<br>AUTnAU5GU5szYPeUvlM3kHND8zLDU+<wbr>/<wbr>bqv50TmnHa4xgk97Exwzf4TKuzJM7U<wbr>XiV<br>Z4vuPVb+DNBpDxsP8yUmazNt925H+<wbr>nND5X4OpWaxKXwyhGNVicQNwZNUMBk<wbr>TrNN9<br>N6frXTpsNVzbQdcS2qlJC9/<wbr>YgIoJk2KOtWbPJYjNhLixP6Q5D9kCn<wbr>usSTJV882sF<br>qV4Wg8y4Z+LoE53MW4LTTLPtW//<wbr>e5XOsIzstAL81VXQJSdhJWBp/<wbr>kjbmUZIO8yZ9<br>HE0XvMnsQybQv0FfQKlERPSZ51eHnl<wbr>AfV1SoPv10Yy+<wbr>xUGUJ5lhCLkMaTLTwJUdZ<br>+gQek9QmRkpQgbLevni3/<wbr>GcV4clXhB4PY9bpYrrWX1Uu6lzGKAg<wbr>EJTm4Diup8kyX<br>HAc/<wbr>DVL17e8vgg8CAwEAAaOB9DCB8TAfBg<wbr>NVHSMEGDAWgBStvZh6NLQm9/rEJlTv<br>A73gJMtUGjAdBgNVHQ4EFgQUU3m/<wbr>WqorSs9UgOHYm8Cd8rIDZsswDgYDVR<wbr>0PAQH/<br>BAQDAgGGMA8GA1UdEwEB/<wbr>wQFMAMBAf8wEQYDVR0gBAowCDAGBgR<wbr>VHSAAMEQGA1Ud<br>HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcm<wbr>wudXNlcnRydXN0LmNvbS9BZGRUcnVz<wbr>dEV4<br>dGVybmFsQ0FSb290LmNybDA1BggrBg<wbr>EFBQcBAQQpMCcwJQYIKwYBBQUHMAGG<wbr>GWh0<br>dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb2<wbr>0wDQYJKoZIhvcNAQEMBQADggEBAJNl<wbr>9jeD<br>lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwm<wbr>p1ocd5yblSYMgpEg7wrQPWCcR23+<wbr>WmgZWn<br>RtqCV6mVksW2jwMibDN3wXsyF24Hzl<wbr>oUQToFJBv2FAY7qCUkDrvMKnXduXBB<wbr>P3zQ<br>YzYhBx9G/<wbr>2CkkeFnvN4ffhkUyWNnkepnB2u0j4v<wbr>AbkN9w6GAbLIevFOFfdyQoaS8<br>Le9Gclc1Bb+<wbr>7RrtubTeZtv8jkpHGbkD4jylW6l/<wbr>VXxRTrPBPYer3IsynVgviuDQf<br>Jtl7GQVoP7o81DgGotPmjw7jtHFtQE<wbr>LFhLRAlSv0ZaBIefYdgWOWnU914Ph8<wbr>5I6p<br>0fKtirOMxyHNwu8=<br>-----END CERTIFICATE-----<br> 3 s:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.ssl.<wbr>com/CN=SSL.com</a> DV CA<br> i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>-----BEGIN CERTIFICATE-----<br>MIIF5jCCA86gAwIBAgIQEQDFvydYwZ<wbr>lp/<wbr>Gjtcp381zANBgkqhkiG9w0BAQwFADC<wbr>B<br>iDELMAkGA1UEBhMCVVMxEzARBgNVBA<wbr>gTCk5ldyBKZXJzZXkxFDASBgNVBAcT<wbr>C0pl<br>cnNleSBDaXR5MR4wHAYDVQQKExVUaG<wbr>UgVVNFUlRSVVNUIE5ldHdvcmsxLjAs<wbr>BgNV<br>BAMTJVVTRVJUcnVzdCBSU0EgQ2VydG<wbr>lmaWNhdGlvbiBBdXRob3JpdHkwHhcN<wbr>MTQw<br>NzA0MDAwMDAwWhcNMjQwNzAzMjM1OT<wbr>U5WjBNMQswCQYDVQQGEwJVUzEQMA4G<wbr>A1UE<br>ChMHU1NMLmNvbTEUMBIGA1UECxMLd3<wbr>d3LnNzbC5jb20xFjAUBgNVBAMTDVNT<wbr>TC5j<br>b20gRFYgQ0EwggEiMA0GCSqGSIb3DQ<wbr>EBAQUAA4IBDwAwggEKAoIBAQDAJEcV<wbr>Y7NR<br>2qmRMLzC17tObKov3Jf1AQLOfZRfCi<wbr>26JM4lYzJoW7uMO6RSwBJeP6pSBYth<wbr>SWLc<br>R+<wbr>zd0bsQW5xKGITX51HYBH3daGWQEJIW<wbr>VfL59cw3qhRsMQ5XP/<wbr>IMZ15BOUxqGRVV<br>7NnCBBVcrWVhrEqSZbM6o61lMBU3sQ<wbr>QlYep/<wbr>Ie3Ce6ca8oWfX5h4hrWtxuRCiBB4<br>EjxMB5KYOKJnQaOLEXaRhgr8cNHhzj<wbr>l2KrKx/tCMtR/9pqy/+dOCKDiQWkg+<wbr>hBoT<br>D/hGc/<wbr>B3x7KfHAbdLJTPrRdJrFnSwMWwPcrW<wbr>GIrrud3w5VxzXBjPAzQn7Dg/hpGB<br>NHEHBwKsLER3AgMBAAGjggGEMIIBgD<wbr>AfBgNVHSMEGDAWgBRTeb9aqitKz1SA<wbr>4dib<br>wJ3ysgNmyzAdBgNVHQ4EFgQURpr9/<wbr>FFefFRTUuKZ47My75Maf1YwDgYDVR0<wbr>PAQH/<br>BAQDAgGGMBIGA1UdEwEB/<wbr>wQIMAYBAf8CAQAwHQYDVR0lBBYwFAY<wbr>IKwYBBQUHAwEG<br>CCsGAQUFBwMCMCEGA1UdIAQaMBgwDA<wbr>YKKwYBBAGCqTABATAIBgZngQwBAgEw<wbr>VQYD<br>VR0fBE4wTDBKoEigRoZEaHR0cDovL2<wbr>NybC50cnVzdC1wcm92aWRlci5jb20v<wbr>VVNF<br>UlRydXN0UlNBQ2VydGlmaWNhdGlvbk<wbr>F1dGhvcml0eS5jcmwwgYAGCCsGAQUF<wbr>BwEB<br>BHQwcjBEBggrBgEFBQcwAoY4aHR0cD<wbr>ovL2NydC50cnVzdC1wcm92aWRlci5j<wbr>b20v<br>VVNFUlRydXN0UlNBQWRkVHJ1c3RDQS<wbr>5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6<wbr>Ly9v<br>Y3NwLnRydXN0LXByb3ZpZGVyLmNvbT<wbr>ANBgkqhkiG9w0BAQwFAAOCAgEAB1RJ<wbr>ZUdF<br>d05ZN1SYdTZsDj9Rq9De097SCCWi0E<wbr>97Ehc2MRQag98VqlZPrC2WM9q+<wbr>C7Z5MvcM<br>1njs15p55YRJbHjjECgiabKEPsx3xX<wbr>H+oTb4kKzQjqMZV5CNC7K+<wbr>5H4OaCtNcFEZ<br>E2vWRI9hunFjTfTJ9VrKjGIwcYz30V<wbr>tdB1vtk0Jaf0lnC4H1GOAdw3IwJgby<wbr>gOeu<br>ACY/<wbr>1RH5U0ai2e9wWXsiADjBtHbiFPEzt5<wbr>Cmu2wag9fPrX663Xs5TqjDNCPAgCLm<br>ijzyrCQmlCaug332cwnYI5dA0Oa/<wbr>eIV6lYZTev143bZWs+<wbr>A6dQhXDJUQzfSvPsQS<br>Pu/<wbr>W3QAkw4vuZ97mVvgzK5LiDWps2N9Fw<wbr>9b5Et4Op+<wbr>cuy27I48fG3bRH0dROJwYs<br>w+MrMc5Sy/<wbr>TOl9a5UUmtq2jEJbEv7xU5x1bvhaFf<wbr>BtxoF36sLLuPf19Aev4n2Y46<br>Fou4Aup1eWVyS+<wbr>XYKiaTGzxL5b4fbwhKItk8NptdrJ26<wbr>YmdCl6cFNaabXHHak24W<br>I0cF4+<wbr>u8ATOxkdFkuLyWusWzfmfIMHX1ZHD3<wbr>giYavooNnupzxnju58Tpc9AsCgyL<br>rRxTbur5AscjOsHHfzeeTqflKtslTv<wbr>J9AvNkPLizR2cMk4+1h+<wbr>6yDBHggsm0bZn0<br>AeY5kXGfjIimFcd00xvjkVn41em3We<wbr>1sghs=<br>-----END CERTIFICATE-----<br>---<br>Server certificate<br>subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io" target="_blank">airbrake.io</a><br>issuer=/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.<wbr>ssl.com/CN=SSL.com</a> DV CA<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 5736 bytes and written 444 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br> Protocol : TLSv1.2<br> Cipher : ECDHE-RSA-AES128-GCM-SHA256<br> Session-ID: 62BF8A905F9DF278347423E70D1001<wbr>44AEB17B41C4BEB41FE8BC83512D8A<wbr>E5C7<br> Session-ID-ctx: <br> Master-Key: D3F6811B769DE3E5045BB386AE6CA5<wbr>61C272F44014A3F1DB8F8786B599D1<wbr>1015CE44AF5B8351CDD466EA7A02E7<wbr>64F78A<br> Start Time: 1522613090<br> Timeout : 300 (sec)<br> Verify return code: 0 (ok)<br>---<br>HTTP/1.0 408 Request Time-out<br>Cache-Control: no-cache<br>Connection: close<br>Content-Type: text/html<br><br><html><body><h1>408 Request Time-out</h1><br>Your browser didn't send a complete request in time.<br></body></html><br>closed<br><br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 1, 2018 at 9:23 PM, Luke Bakken <span dir="ltr"><<a href="mailto:luke@bakken.io" target="_blank">luke@bakken.io</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Oh, never mind, I thought you were responsible for the <a href="http://airbrake.io" rel="noreferrer" target="_blank">airbrake.io</a> cert.<br>
<br>
I have seen the same behavior you report when using different CA<br>
certificate bundles. Using the default OS X bundle usually works,<br>
while recent Mozilla CA bundles don't. I did a bunch of diagnosis but<br>
never came to a definitive conclusion. I'll re-visit what I did and<br>
will see if I can figure out what exactly works and what doesn't.<br>
<span class="m_-3942921641143334649HOEnZb"><font color="#888888"><br>
Luke<br>
</font></span><div class="m_-3942921641143334649HOEnZb"><div class="m_-3942921641143334649h5"><br>
On Sun, Apr 1, 2018 at 12:13 PM, Benoit Chesneau <<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>> wrote:<br>
> hrm not sure i understand. You mean to the cacerts file or to the cert of<br>
> airbrake? I’m not responsible of the last one.<br>
><br>
> Benoît<br>
><br>
><br>
> On Sunday, April 1, 2018, Luke Bakken <<a href="mailto:luke@bakken.io" target="_blank">luke@bakken.io</a>> wrote:<br>
>><br>
>> Try adding "digitalSignature" to the keyUsage field for the cert.<br>
>><br>
>> Luke<br>
>><br>
>> On Sun, Apr 1, 2018, 10:55 AM Benoit Chesneau <<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>> wrote:<br>
>>><br>
>>> I'm trying to connect to <a href="http://airbrake.io" rel="noreferrer" target="_blank">airbrake.io</a> via ssl using the certificates<br>
>>> generated by the website mkcert: <a href="https://mkcert.org/" rel="noreferrer" target="_blank">https://mkcert.org/</a> which get the<br>
>>> certificates from Mozilla but I get a "Bad certificat" error on latest<br>
>>> release of erlang:<br>
>>><br>
>>> 9> ssl:connect("<a href="http://airbrake.io" rel="noreferrer" target="_blank">airbrake.io</a>", 443, [{cacertfile, CaCertFile}, {verify,<br>
>>> verify_peer}, {depth, 99}]).<br>
>>><br>
>>> =INFO REPORT==== 1-Apr-2018::19:45:51 ===<br>
>>> TLS client: In state certify at ssl_handshake.erl:1271 generated CLIENT<br>
>>> ALERT: Fatal - Bad Certificate<br>
>>><br>
>>> {error,{tls_alert,"bad certificate"}}<br>
>>><br>
>>><br>
>>> where with google it worked:<br>
>>><br>
>>> 10> ssl:connect("<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a>", 443, [{cacertfile, CaCertFile}, {verify,<br>
>>> verify_peer}, {depth, 99}]).<br>
>>> {ok,{sslsocket,{gen_tcp,#Port<<wbr>0.9355>,tls_connection,<br>
>>> undefined},<br>
>>> <0.224.0>}}<br>
>>><br>
>>><br>
>>><br>
>>> It used to work with previous versions of Erlang, did something changed<br>
>>> in the validation in 20.x?<br>
>>><br>
>>> Also how can I check what is the exact issue in the certificate that<br>
>>> cause this error? According sslabs there are no issue in checking the<br>
>>> certificate:<br>
>>><br>
>>> <a href="https://www.ssllabs.com/ssltest/analyze.html?d=airbrake.io" rel="noreferrer" target="_blank">https://www.ssllabs.com/ssltes<wbr>t/analyze.html?d=airbrake.io</a><br>
>>><br>
>>><br>
>>> ______________________________<wbr>_________________<br>
>>> erlang-questions mailing list<br>
>>> <a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
>>> <a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/list<wbr>info/erlang-questions</a><br>
><br>
><br>
><br>
> --<br>
> Sent from my Mobile<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>