<div dir="ltr"><div><div>It seems according ssllabs there is a problem with the chain: "Incorrect order, Contains anchor"  which is probably the root issue:<br><a href="https://github.com/benoitc/hackney/issues/490#issuecomment-377873484" target="_blank">https://github.com/benoitc/<wbr>hackney/issues/490#<wbr>issuecomment-377873484</a><br><br></div>I'm now wondering if there is any possibility to fix it in recent Erlang versions. Did anyone already encounter such issue?<br><br></div>- benoit<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 1, 2018 at 10:19 PM, Benoit Chesneau <span dir="ltr"><<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">err wrong coppy-paste. So using openssl the certidicate looks OK. So it seems an error in erlang.<br><br>OpenSSL> s_client -connect <a href="http://airbrake.io:443" target="_blank">airbrake.io:443</a>  -CAfile /Users/benoitc/Misc/erlang-<wbr>certifi/priv/cacerts.pem<span class=""><br>CONNECTED(00000006)<br>depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br></span>verify return:1<br>depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br>verify return:1<br>depth=1 C = US, O = SSL.com, OU = <a href="http://www.ssl.com" target="_blank">www.ssl.com</a>, CN = SSL.com DV CA<br>verify return:1<br>depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.<a href="http://airbrake.io" target="_blank">airbrake.io</a><br>verify return:1<span class=""><br>---<br>Certificate chain<br> 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io" target="_blank">airbrake.io</a><br>   i:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.ssl.<wbr>com/CN=SSL.com</a> DV CA<br></span><span class=""> 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br>   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br></span><span class=""> 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br></span><span class=""> 3 s:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.ssl.<wbr>com/CN=SSL.com</a> DV CA<br>   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>---<br></span>Server certificate<div><div class="h5"><br>-----BEGIN CERTIFICATE-----<br>MIIEwTCCA6mgAwIBAgIRAKLxH0P8s4<wbr>99IyC7Gi9P0e8wDQYJKoZIhvcNAQEL<wbr>BQAw<br>TTELMAkGA1UEBhMCVVMxEDAOBgNVBA<wbr>oTB1NTTC5jb20xFDASBgNVBAsTC3d3<wbr>dy5z<br>c2wuY29tMRYwFAYDVQQDEw1TU0wuY2<wbr>9tIERWIENBMB4XDTE2MTEwNDAwMDAw<wbr>MFoX<br>DTE4MTEyODIzNTk1OVowWzEhMB8GA1<wbr>UECxMYRG9tYWluIENvbnRyb2wgVmFs<wbr>aWRh<br>dGVkMR4wHAYDVQQLExVFc3NlbnRpYW<wbr>xTU0wgV2lsZGNhcmQxFjAUBgNVBAMM<wbr>DSou<br>YWlyYnJha2UuaW8wggEiMA0GCSqGSI<wbr>b3DQEBAQUAA4IBDwAwggEKAoIBAQDX<wbr>WXkQ<br>kM5+hdRdZhWC3G+<wbr>wjwpSF2GNLzEf27+3CQvZA8J7trZ/<wbr>JdHTwIt6TPnq4igmE/XA<br>Ej2mOEu2crzO+<wbr>mVignSSPDItHVB8UenwNphguUskZPS<wbr>DgVEi5a7rBscFWKkvWMEH<br>W6vhbrpur+G1j0awhTn6hh++<wbr>DYUUUl03hUPh6qNN+GQ/wPn+<wbr>Tbgzw3obX4sE7Iel<br>UePxeMpzv4rG9nZznStoXYlRFws3Ba<wbr>L8wTkL3G8wLVJndlIKTzMdfDCinvGp<wbr>kV85<br>rdfm7UfsvFCdYKosOpbt5iRCJGTJvc<wbr>kFX4ih2MAC8mMP+<wbr>bwzrNrNkPjuY8To+pVC<br>F2rNvjRWJn+<wbr>yTDdVAgMBAAGjggGMMIIBiDAfBgNVH<wbr>SMEGDAWgBRGmv38UV58VFNS<br>4pnjszLvkxp/<wbr>VjAdBgNVHQ4EFgQUkQAJSPUocFTrnP<wbr>m4af+i76JscKkwDgYDVR0P<br>AQH/BAQDAgWgMAwGA1UdEwEB/<wbr>wQCMAAwHQYDVR0lBBYwFAYIKwYBBQU<wbr>HAwEGCCsG<br>AQUFBwMCMEoGA1UdIARDMEEwNQYKKw<wbr>YBBAGCqTABATAnMCUGCCsGAQUFBwIB<wbr>Fhlo<br>dHRwczovL2Nwcy51c2VydHJ1c3QuY2<wbr>9tMAgGBmeBDAECATA0BgNVHR8ELTAr<wbr>MCmg<br>J6AlhiNodHRwOi8vY3JsLnNzbC5jb2<wbr>0vU1NMY29tRFZDQV8yLmNybDBgBggr<wbr>BgEF<br>BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2<wbr>h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xj<wbr>b21E<br>VkNBXzIuY3J0MB8GCCsGAQUFBzABhh<wbr>NodHRwOi8vb2NzcC5zc2wuY29tMCUG<wbr>A1Ud<br>EQQeMByCDSouYWlyYnJha2UuaW+<wbr>CC2FpcmJyYWtlLmlvMA0GCSqGSIb3D<wbr>QEBCwUA<br>A4IBAQBWDuO6czF5/<wbr>CGPCuySdo9UGy7/Rj/<wbr>oONzEPSJJcRZ1o6ix+RV7+dQBNBO0<br>SPuAkgH4k/Qbs75htpduWq+<wbr>5hIfgYwSWvTW+<wbr>2kcEZKgkPrg53n7cMT10MTg7I7oS<br>qNvIpNh+<wbr>2e6JwaFnM9pYSOSx01zh2HnCi8l+<wbr>AQmVRdhxVDgOT+9SNcLC3+j/IuY6<br>iGnse7X4Q3diIMNxtPTdqfPsewLuWH<wbr>7RJutwuLTIP5qL1R+<wbr>AH0RmOGeX2K16rPLr<br>1GczOm5WnRyikYMjGW6llzS7RXgPfv<wbr>deU8mt4wK7fvZ9chMLNR7fpmEsWoej<wbr>mN5P<br>nqzjN5AKKgED5AjJ+DNtKzzEJqW0<br>-----END CERTIFICATE-----<br></div></div><span class="">subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io" target="_blank">airbrake.io</a><br>issuer=/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.<wbr>ssl.com/CN=SSL.com</a> DV CA<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 5736 bytes and written 444 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br>    Protocol  : TLSv1.2<br>    Cipher    : ECDHE-RSA-AES128-GCM-SHA256<br></span>    Session-ID: 2CA3877657CF653D2885B34218AC09<wbr>ECA30A9E125AC0556D749E359F3A68<wbr>22F7<br>    Session-ID-ctx: <br>    Master-Key: 2D3A255FF47D44AAD4CA06024149B9<wbr>538819A0C832426B69B83EFE76E540<wbr>4BC87790360A2F4FFC9933DB768165<wbr>55C6B1<br>    Start Time: 1522613874<span class=""><br>    Timeout   : 300 (sec)<br>    Verify return code: 0 (ok)<br>---<br><br>HTTP/1.0 408 Request Time-out<br>Cache-Control: no-cache<br>Connection: close<br>Content-Type: text/html<br><br><html><body><h1>408 Request Time-out</h1><br>Your browser didn't send a complete request in time.<br></body></html><br>closed<br><br><br></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 1, 2018 at 10:06 PM, Benoit Chesneau <span dir="ltr"><<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>heh OK, no problem :)<br><br></div>To be complete the chain retuned by openssl is : <br><br>OpenSSL> s_client -connect <a href="http://airbrake.io:443" target="_blank">airbrake.io:443</a> -showcerts<br>CONNECTED(00000006)<br>depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br>verify error:num=19:self signed certificate in certificate chain<br>verify return:0<br>---<br>Certificate chain<br> 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io" target="_blank">airbrake.io</a><br>   i:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.ssl.c<wbr>om/CN=SSL.com</a> DV CA<br>-----BEGIN CERTIFICATE-----<br>MIIEwTCCA6mgAwIBAgIRAKLxH0P8s4<wbr>99IyC7Gi9P0e8wDQYJKoZIhvcNAQEL<wbr>BQAw<br>TTELMAkGA1UEBhMCVVMxEDAOBgNVBA<wbr>oTB1NTTC5jb20xFDASBgNVBAsTC3d3<wbr>dy5z<br>c2wuY29tMRYwFAYDVQQDEw1TU0wuY2<wbr>9tIERWIENBMB4XDTE2MTEwNDAwMDAw<wbr>MFoX<br>DTE4MTEyODIzNTk1OVowWzEhMB8GA1<wbr>UECxMYRG9tYWluIENvbnRyb2wgVmFs<wbr>aWRh<br>dGVkMR4wHAYDVQQLExVFc3NlbnRpYW<wbr>xTU0wgV2lsZGNhcmQxFjAUBgNVBAMM<wbr>DSou<br>YWlyYnJha2UuaW8wggEiMA0GCSqGSI<wbr>b3DQEBAQUAA4IBDwAwggEKAoIBAQDX<wbr>WXkQ<br>kM5+hdRdZhWC3G+wjwpSF2GNLzEf27<wbr>+3CQvZA8J7trZ/JdHTwIt6TPnq4igm<wbr>E/XA<br>Ej2mOEu2crzO+mVignSSPDItHVB8Ue<wbr>nwNphguUskZPSDgVEi5a7rBscFWKkv<wbr>WMEH<br>W6vhbrpur+G1j0awhTn6hh++DYUUUl<wbr>03hUPh6qNN+GQ/wPn+Tbgzw3obX4sE<wbr>7Iel<br>UePxeMpzv4rG9nZznStoXYlRFws3Ba<wbr>L8wTkL3G8wLVJndlIKTzMdfDCinvGp<wbr>kV85<br>rdfm7UfsvFCdYKosOpbt5iRCJGTJvc<wbr>kFX4ih2MAC8mMP+bwzrNrNkPjuY8To<wbr>+pVC<br>F2rNvjRWJn+yTDdVAgMBAAGjggGMMI<wbr>IBiDAfBgNVHSMEGDAWgBRGmv38UV58<wbr>VFNS<br>4pnjszLvkxp/VjAdBgNVHQ4EFgQUkQ<wbr>AJSPUocFTrnPm4af+<wbr>i76JscKkwDgYDVR0P<br>AQH/BAQDAgWgMAwGA1UdEwEB/wQCMA<wbr>AwHQYDVR0lBBYwFAYIKwYBBQUHAwEG<wbr>CCsG<br>AQUFBwMCMEoGA1UdIARDMEEwNQYKKw<wbr>YBBAGCqTABATAnMCUGCCsGAQUFBwIB<wbr>Fhlo<br>dHRwczovL2Nwcy51c2VydHJ1c3QuY2<wbr>9tMAgGBmeBDAECATA0BgNVHR8ELTAr<wbr>MCmg<br>J6AlhiNodHRwOi8vY3JsLnNzbC5jb2<wbr>0vU1NMY29tRFZDQV8yLmNybDBgBggr<wbr>BgEF<br>BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2<wbr>h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xj<wbr>b21E<br>VkNBXzIuY3J0MB8GCCsGAQUFBzABhh<wbr>NodHRwOi8vb2NzcC5zc2wuY29tMCUG<wbr>A1Ud<br>EQQeMByCDSouYWlyYnJha2UuaW+CC2<wbr>FpcmJyYWtlLmlvMA0GCSqGSIb3DQEB<wbr>CwUA<br>A4IBAQBWDuO6czF5/CGPCuySdo9UGy<wbr>7/Rj/oONzEPSJJcRZ1o6ix+RV7+<wbr>dQBNBO0<br>SPuAkgH4k/Qbs75htpduWq+5hIfgYw<wbr>SWvTW+2kcEZKgkPrg53n7cMT10MTg7<wbr>I7oS<br>qNvIpNh+2e6JwaFnM9pYSOSx01zh2H<wbr>nCi8l+AQmVRdhxVDgOT+9SNcLC3+j/<wbr>IuY6<br>iGnse7X4Q3diIMNxtPTdqfPsewLuWH<wbr>7RJutwuLTIP5qL1R+AH0RmOGeX2K16<wbr>rPLr<br>1GczOm5WnRyikYMjGW6llzS7RXgPfv<wbr>deU8mt4wK7fvZ9chMLNR7fpmEsWoej<wbr>mN5P<br>nqzjN5AKKgED5AjJ+DNtKzzEJqW0<br>-----END CERTIFICATE-----<br> 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br>   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br>-----BEGIN CERTIFICATE-----<br>MIIENjCCAx6gAwIBAgIBATANBgkqhk<wbr>iG9w0BAQUFADBvMQswCQYDVQQGEwJT<wbr>RTEU<br>MBIGA1UEChMLQWRkVHJ1c3QgQUIxJj<wbr>AkBgNVBAsTHUFkZFRydXN0IEV4dGVy<wbr>bmFs<br>IFRUUCBOZXR3b3JrMSIwIAYDVQQDEx<wbr>lBZGRUcnVzdCBFeHRlcm5hbCBDQSBS<wbr>b290<br>MB4XDTAwMDUzMDEwNDgzOFoXDTIwMD<wbr>UzMDEwNDgzOFowbzELMAkGA1UEBhMC<wbr>U0Ux<br>FDASBgNVBAoTC0FkZFRydXN0IEFCMS<wbr>YwJAYDVQQLEx1BZGRUcnVzdCBFeHRl<wbr>cm5h<br>bCBUVFAgTmV0d29yazEiMCAGA1UEAx<wbr>MZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0Eg<wbr>Um9v<br>dDCCASIwDQYJKoZIhvcNAQEBBQADgg<wbr>EPADCCAQoCggEBALf3GjPm8gAELTng<wbr>Tlvt<br>H7xsD821+iO2zt6bETOXpClMfZOfvU<wbr>q8k+0DGuOPz+<wbr>VtUFrWlymUWoCwSXrbLpX9<br>uMq/NzgtHj6RQa1wVsfwTz/oMp50ys<wbr>iQVOnGXw94nZpAPA6sYapeFI+<wbr>eh6FqUNzX<br>mk6vBbOmcZSccbNQYArHE504B4YCqO<wbr>moaSYYkKtMsE8jqzpPhNjfzp/haW+7<wbr>10LX<br>a0Tkx63ubUFfclpxCDezeWWkWaCUN/<wbr>cALw3CknLa0Dhy2xSoRcRdKn23tNbE<wbr>7qzN<br>E0S3ySvdQwAl+mG5aWpYIxG3pzOPVn<wbr>VZ9c0p10a3CitlttNCbxWyuHv77+<wbr>ldU9U0<br>WicCAwEAAaOB3DCB2TAdBgNVHQ4EFg<wbr>QUrb2YejS0Jvf6xCZU7wO94CTLVBow<wbr>CwYD<br>VR0PBAQDAgEGMA8GA1UdEwEB/wQFMA<wbr>MBAf8wgZkGA1UdIwSBkTCBjoAUrb2Y<wbr>ejS0<br>Jvf6xCZU7wO94CTLVBqhc6RxMG8xCz<wbr>AJBgNVBAYTAlNFMRQwEgYDVQQKEwtB<wbr>ZGRU<br>cnVzdCBBQjEmMCQGA1UECxMdQWRkVH<wbr>J1c3QgRXh0ZXJuYWwgVFRQIE5ldHdv<wbr>cmsx<br>IjAgBgNVBAMTGUFkZFRydXN0IEV4dG<wbr>VybmFsIENBIFJvb3SCAQEwDQYJKoZI<wbr>hvcN<br>AQEFBQADggEBALCb4IUlwtYj4g+WBp<wbr>KdQZic2YR5gdkeWxQHIzZlj7DYd7us<wbr>QWxH<br>YINRsPkyPef89iYTx4AWpb9a/IfPeH<wbr>mJIZriTAcKhjW88t5RxNKWt9x+<wbr>Tu5w/Rw5<br>6wwCURQtjr0W4MHfRnXnJK3s9EK0hZ<wbr>NwEGe6nQY1ShjTK3rMUUKhemPR5ruh<wbr>xSvC<br>Nr4TDea9Y355e6cJDUCrat2PisP29o<wbr>waQgVR1EX1n6diIWgVIEM8med8vSTY<wbr>qZEX<br>c4g/VhsxOBi0cQ+azcgOno4uG+GMmI<wbr>PLHzHxREzGBHNJdmAPx/i9F4BrLunM<wbr>TA5a<br>mnkPIAou1Z5jJh5VkpTYghdae9C8x4<wbr>9OhgQ=<br>-----END CERTIFICATE-----<br> 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br>-----BEGIN CERTIFICATE-----<br>MIIFdzCCBF+gAwIBAgIQE+oocFv07O<wbr>0MNmMJgGFDNjANBgkqhkiG9w0BAQwF<wbr>ADBv<br>MQswCQYDVQQGEwJTRTEUMBIGA1UECh<wbr>MLQWRkVHJ1c3QgQUIxJjAkBgNVBAsT<wbr>HUFk<br>ZFRydXN0IEV4dGVybmFsIFRUUCBOZX<wbr>R3b3JrMSIwIAYDVQQDExlBZGRUcnVz<wbr>dCBF<br>eHRlcm5hbCBDQSBSb290MB4XDTAwMD<wbr>UzMDEwNDgzOFoXDTIwMDUzMDEwNDgz<wbr>OFow<br>gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQ<wbr>QIEwpOZXcgSmVyc2V5MRQwEgYDVQQH<wbr>EwtK<br>ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVG<wbr>hlIFVTRVJUUlVTVCBOZXR3b3JrMS4w<wbr>LAYD<br>VQQDEyVVU0VSVHJ1c3QgUlNBIENlcn<wbr>RpZmljYXRpb24gQXV0aG9yaXR5MIIC<wbr>IjAN<br>BgkqhkiG9w0BAQEFAAOCAg8AMIICCg<wbr>KCAgEAgBJlFzYOw9sIs9CsVw127c0n<wbr>00yt<br>UINh4qogTQktZAnczomfzD2p7PbPwd<wbr>zx07HWezcoEStH2jnGvDoZtF+mvX2d<wbr>o2NC<br>tnbyqTsrkfjib9DsFiCQCT7i6HTJGL<wbr>SR1GJk23+jBvGIGGqQIjy8/hPwhxR7<wbr>9uQf<br>jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/x<wbr>adGL1RjjWmp2bIcmfbIWax1Jt4A8BQ<wbr>OujM<br>8Ny8nkz+rwWWNR9XWrf/zvk9tyy29l<wbr>TdyOcSOk2uTIq3XJq0tyA9yn8iNK5+<wbr>O2hm<br>AUTnAU5GU5szYPeUvlM3kHND8zLDU+<wbr>/bqv50TmnHa4xgk97Exwzf4TKuzJM7<wbr>UXiV<br>Z4vuPVb+DNBpDxsP8yUmazNt925H+n<wbr>ND5X4OpWaxKXwyhGNVicQNwZNUMBkT<wbr>rNN9<br>N6frXTpsNVzbQdcS2qlJC9/YgIoJk2<wbr>KOtWbPJYjNhLixP6Q5D9kCnusSTJV8<wbr>82sF<br>qV4Wg8y4Z+LoE53MW4LTTLPtW//e5X<wbr>OsIzstAL81VXQJSdhJWBp/kjbmUZIO<wbr>8yZ9<br>HE0XvMnsQybQv0FfQKlERPSZ51eHnl<wbr>AfV1SoPv10Yy+xUGUJ5lhCLkMaTLTw<wbr>JUdZ<br>+gQek9QmRkpQgbLevni3/GcV4clXhB<wbr>4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup<wbr>8kyX<br>HAc/DVL17e8vgg8CAwEAAaOB9DCB8T<wbr>AfBgNVHSMEGDAWgBStvZh6NLQm9/<wbr>rEJlTv<br>A73gJMtUGjAdBgNVHQ4EFgQUU3m/Wq<wbr>orSs9UgOHYm8Cd8rIDZsswDgYDVR0P<wbr>AQH/<br>BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf<wbr>8wEQYDVR0gBAowCDAGBgRVHSAAMEQG<wbr>A1Ud<br>HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcm<wbr>wudXNlcnRydXN0LmNvbS9BZGRUcnVz<wbr>dEV4<br>dGVybmFsQ0FSb290LmNybDA1BggrBg<wbr>EFBQcBAQQpMCcwJQYIKwYBBQUHMAGG<wbr>GWh0<br>dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb2<wbr>0wDQYJKoZIhvcNAQEMBQADggEBAJNl<wbr>9jeD<br>lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwm<wbr>p1ocd5yblSYMgpEg7wrQPWCcR23+Wm<wbr>gZWn<br>RtqCV6mVksW2jwMibDN3wXsyF24Hzl<wbr>oUQToFJBv2FAY7qCUkDrvMKnXduXBB<wbr>P3zQ<br>YzYhBx9G/2CkkeFnvN4ffhkUyWNnke<wbr>pnB2u0j4vAbkN9w6GAbLIevFOFfdyQ<wbr>oaS8<br>Le9Gclc1Bb+7RrtubTeZtv8jkpHGbk<wbr>D4jylW6l/VXxRTrPBPYer3IsynVgvi<wbr>uDQf<br>Jtl7GQVoP7o81DgGotPmjw7jtHFtQE<wbr>LFhLRAlSv0ZaBIefYdgWOWnU914Ph8<wbr>5I6p<br>0fKtirOMxyHNwu8=<br>-----END CERTIFICATE-----<br> 3 s:/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.ssl.c<wbr>om/CN=SSL.com</a> DV CA<br>   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>-----BEGIN CERTIFICATE-----<br>MIIF5jCCA86gAwIBAgIQEQDFvydYwZ<wbr>lp/Gjtcp381zANBgkqhkiG9w0BAQwF<wbr>ADCB<br>iDELMAkGA1UEBhMCVVMxEzARBgNVBA<wbr>gTCk5ldyBKZXJzZXkxFDASBgNVBAcT<wbr>C0pl<br>cnNleSBDaXR5MR4wHAYDVQQKExVUaG<wbr>UgVVNFUlRSVVNUIE5ldHdvcmsxLjAs<wbr>BgNV<br>BAMTJVVTRVJUcnVzdCBSU0EgQ2VydG<wbr>lmaWNhdGlvbiBBdXRob3JpdHkwHhcN<wbr>MTQw<br>NzA0MDAwMDAwWhcNMjQwNzAzMjM1OT<wbr>U5WjBNMQswCQYDVQQGEwJVUzEQMA4G<wbr>A1UE<br>ChMHU1NMLmNvbTEUMBIGA1UECxMLd3<wbr>d3LnNzbC5jb20xFjAUBgNVBAMTDVNT<wbr>TC5j<br>b20gRFYgQ0EwggEiMA0GCSqGSIb3DQ<wbr>EBAQUAA4IBDwAwggEKAoIBAQDAJEcV<wbr>Y7NR<br>2qmRMLzC17tObKov3Jf1AQLOfZRfCi<wbr>26JM4lYzJoW7uMO6RSwBJeP6pSBYth<wbr>SWLc<br>R+zd0bsQW5xKGITX51HYBH3daGWQEJ<wbr>IWVfL59cw3qhRsMQ5XP/IMZ15BOUxq<wbr>GRVV<br>7NnCBBVcrWVhrEqSZbM6o61lMBU3sQ<wbr>QlYep/Ie3Ce6ca8oWfX5h4hrWtxuRC<wbr>iBB4<br>EjxMB5KYOKJnQaOLEXaRhgr8cNHhzj<wbr>l2KrKx/tCMtR/9pqy/+dOCKDiQWkg+<wbr>hBoT<br>D/hGc/B3x7KfHAbdLJTPrRdJrFnSwM<wbr>WwPcrWGIrrud3w5VxzXBjPAzQn7Dg/<wbr>hpGB<br>NHEHBwKsLER3AgMBAAGjggGEMIIBgD<wbr>AfBgNVHSMEGDAWgBRTeb9aqitKz1SA<wbr>4dib<br>wJ3ysgNmyzAdBgNVHQ4EFgQURpr9/F<wbr>FefFRTUuKZ47My75Maf1YwDgYDVR0P<wbr>AQH/<br>BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf<wbr>8CAQAwHQYDVR0lBBYwFAYIKwYBBQUH<wbr>AwEG<br>CCsGAQUFBwMCMCEGA1UdIAQaMBgwDA<wbr>YKKwYBBAGCqTABATAIBgZngQwBAgEw<wbr>VQYD<br>VR0fBE4wTDBKoEigRoZEaHR0cDovL2<wbr>NybC50cnVzdC1wcm92aWRlci5jb20v<wbr>VVNF<br>UlRydXN0UlNBQ2VydGlmaWNhdGlvbk<wbr>F1dGhvcml0eS5jcmwwgYAGCCsGAQUF<wbr>BwEB<br>BHQwcjBEBggrBgEFBQcwAoY4aHR0cD<wbr>ovL2NydC50cnVzdC1wcm92aWRlci5j<wbr>b20v<br>VVNFUlRydXN0UlNBQWRkVHJ1c3RDQS<wbr>5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6<wbr>Ly9v<br>Y3NwLnRydXN0LXByb3ZpZGVyLmNvbT<wbr>ANBgkqhkiG9w0BAQwFAAOCAgEAB1RJ<wbr>ZUdF<br>d05ZN1SYdTZsDj9Rq9De097SCCWi0E<wbr>97Ehc2MRQag98VqlZPrC2WM9q+C7Z5<wbr>MvcM<br>1njs15p55YRJbHjjECgiabKEPsx3xX<wbr>H+oTb4kKzQjqMZV5CNC7K+5H4OaCtN<wbr>cFEZ<br>E2vWRI9hunFjTfTJ9VrKjGIwcYz30V<wbr>tdB1vtk0Jaf0lnC4H1GOAdw3IwJgby<wbr>gOeu<br>ACY/1RH5U0ai2e9wWXsiADjBtHbiFP<wbr>Ezt5Cmu2wag9fPrX663Xs5TqjDNCPA<wbr>gCLm<br>ijzyrCQmlCaug332cwnYI5dA0Oa/eI<wbr>V6lYZTev143bZWs+A6dQhXDJUQzfSv<wbr>PsQS<br>Pu/W3QAkw4vuZ97mVvgzK5LiDWps2N<wbr>9Fw9b5Et4Op+cuy27I48fG3bRH0dRO<wbr>JwYs<br>w+MrMc5Sy/TOl9a5UUmtq2jEJbEv7x<wbr>U5x1bvhaFfBtxoF36sLLuPf19Aev4n<wbr>2Y46<br>Fou4Aup1eWVyS+XYKiaTGzxL5b4fbw<wbr>hKItk8NptdrJ26YmdCl6cFNaabXHHa<wbr>k24W<br>I0cF4+u8ATOxkdFkuLyWusWzfmfIMH<wbr>X1ZHD3giYavooNnupzxnju58Tpc9As<wbr>CgyL<br>rRxTbur5AscjOsHHfzeeTqflKtslTv<wbr>J9AvNkPLizR2cMk4+1h+6yDBHggsm0<wbr>bZn0<br>AeY5kXGfjIimFcd00xvjkVn41em3We<wbr>1sghs=<br>-----END CERTIFICATE-----<br>---<br>Server certificate<br>subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.<a href="http://airbrake.io" target="_blank">airbrake.io</a><br>issuer=/C=US/O=SSL.com/OU=<a href="http://www.ssl.com/CN=SSL.com" target="_blank">www.<wbr>ssl.com/CN=SSL.com</a> DV CA<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 5736 bytes and written 444 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br>    Protocol  : TLSv1.2<br>    Cipher    : ECDHE-RSA-AES128-GCM-SHA256<br>    Session-ID: 62BF8A905F9DF278347423E70D1001<wbr>44AEB17B41C4BEB41FE8BC83512D8A<wbr>E5C7<br>    Session-ID-ctx: <br>    Master-Key: D3F6811B769DE3E5045BB386AE6CA5<wbr>61C272F44014A3F1DB8F8786B599D1<wbr>1015CE44AF5B8351CDD466EA7A02E7<wbr>64F78A<br>    Start Time: 1522613090<br>    Timeout   : 300 (sec)<br>    Verify return code: 0 (ok)<br>---<br>HTTP/1.0 408 Request Time-out<br>Cache-Control: no-cache<br>Connection: close<br>Content-Type: text/html<br><br><html><body><h1>408 Request Time-out</h1><br>Your browser didn't send a complete request in time.<br></body></html><br>closed<br><br></div><div class="m_-4470342158448846637HOEnZb"><div class="m_-4470342158448846637h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 1, 2018 at 9:23 PM, Luke Bakken <span dir="ltr"><<a href="mailto:luke@bakken.io" target="_blank">luke@bakken.io</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Oh, never mind, I thought you were responsible for the <a href="http://airbrake.io" rel="noreferrer" target="_blank">airbrake.io</a> cert.<br>
<br>
I have seen the same behavior you report when using different CA<br>
certificate bundles. Using the default OS X bundle usually works,<br>
while recent Mozilla CA bundles don't. I did a bunch of diagnosis but<br>
never came to a definitive conclusion. I'll re-visit what I did and<br>
will see if I can figure out what exactly works and what doesn't.<br>
<span class="m_-4470342158448846637m_-3942921641143334649HOEnZb"><font color="#888888"><br>
Luke<br>
</font></span><div class="m_-4470342158448846637m_-3942921641143334649HOEnZb"><div class="m_-4470342158448846637m_-3942921641143334649h5"><br>
On Sun, Apr 1, 2018 at 12:13 PM, Benoit Chesneau <<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>> wrote:<br>
> hrm not sure i understand. You mean to the cacerts file or to the cert of<br>
> airbrake? I’m not responsible of the last one.<br>
><br>
> Benoît<br>
><br>
><br>
> On Sunday, April 1, 2018, Luke Bakken <<a href="mailto:luke@bakken.io" target="_blank">luke@bakken.io</a>> wrote:<br>
>><br>
>> Try adding "digitalSignature" to the keyUsage field for the cert.<br>
>><br>
>> Luke<br>
>><br>
>> On Sun, Apr 1, 2018, 10:55 AM Benoit Chesneau <<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>> wrote:<br>
>>><br>
>>> I'm trying to connect to <a href="http://airbrake.io" rel="noreferrer" target="_blank">airbrake.io</a> via ssl using the certificates<br>
>>> generated by the website mkcert: <a href="https://mkcert.org/" rel="noreferrer" target="_blank">https://mkcert.org/</a> which get the<br>
>>> certificates from Mozilla but I get a "Bad certificat" error on latest<br>
>>> release of erlang:<br>
>>><br>
>>> 9> ssl:connect("<a href="http://airbrake.io" rel="noreferrer" target="_blank">airbrake.io</a>", 443, [{cacertfile, CaCertFile}, {verify,<br>
>>> verify_peer}, {depth, 99}]).<br>
>>><br>
>>> =INFO REPORT==== 1-Apr-2018::19:45:51 ===<br>
>>> TLS client: In state certify at ssl_handshake.erl:1271 generated CLIENT<br>
>>> ALERT: Fatal - Bad Certificate<br>
>>><br>
>>> {error,{tls_alert,"bad certificate"}}<br>
>>><br>
>>><br>
>>> where with google it worked:<br>
>>><br>
>>> 10> ssl:connect("<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a>", 443, [{cacertfile, CaCertFile}, {verify,<br>
>>> verify_peer}, {depth, 99}]).<br>
>>> {ok,{sslsocket,{gen_tcp,#Port<<wbr>0.9355>,tls_connection,<br>
>>>                         undefined},<br>
>>>                <0.224.0>}}<br>
>>><br>
>>><br>
>>><br>
>>> It used to work with previous versions of Erlang, did something changed<br>
>>> in the validation in 20.x?<br>
>>><br>
>>> Also how can I check what is the exact issue in the certificate that<br>
>>> cause this error? According sslabs there are no issue in checking the<br>
>>> certificate:<br>
>>><br>
>>> <a href="https://www.ssllabs.com/ssltest/analyze.html?d=airbrake.io" rel="noreferrer" target="_blank">https://www.ssllabs.com/ssltes<wbr>t/analyze.html?d=airbrake.io</a><br>
>>><br>
>>><br>
>>> ______________________________<wbr>_________________<br>
>>> erlang-questions mailing list<br>
>>> <a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
>>> <a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/list<wbr>info/erlang-questions</a><br>
><br>
><br>
><br>
> --<br>
> Sent from my Mobile<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>