[erlang-questions] SSL: "unknown ca"

Ingela Andin ingela.andin@REDACTED
Fri Jan 30 21:18:02 CET 2015


2015-01-30 19:25 GMT+01:00 e@REDACTED <e@REDACTED>:

> Hi, all.
> SSL: certify: ssl_alert.erl:92:Fatal error: unknown ca
> I know this issue generates thousands of "hits" in google-search
> yet google does not reveal a consistent explanation (not a recipe!)
> first of all: Unknown TO WHOM???

To the client or server trying to verify its peer certificate.

> secondly: What CA will be considered known?
The root CA must be present in the verifier's CA database (cacertfile or
corresponding option for that client/server).

> what properties of CA are required?
> may we assume that "CA" and "a certificate file" are synonyms in the
> current context? otherwise, what is CA and how is it represented?
Certificates and CA certificates are defined in RFC 5280. They are defined
as ASN.1 specifications and can normally be input as ASN.1 DER (binary
format) or as a PEM file (a text file representation of the "DER-blob").

> and last but not least: Might this error be induced by some lower-level
> reason, unrelated to "CA familiarity", for example unacceptable certificate
> format?
That would result in a different error.

> My config is:
> {cacertfile, Dir ++ "ca.crt"}   % self-signed
> {certfile, Dir ++ "server.crt"} % signed by ca.crt
> {keyfile, Dir ++ "server.key"}
> % no other options are explicitly specified
These are only the options of the server. The client needs to have the ca.crt
in its configuration to be able to verify the server's cert.

Regards Ingela  Erlang/OTP team - Ericsson AB
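
The point of the reply above, reproduced with the openssl command line as an added example (not part of the original thread and not Erlang/OTP code): a server certificate is accepted only when the verifier's own trust file contains the root that signed it. The names ca.crt, server.crt and server.key follow the poster's config; other-ca.crt, the subject names and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI; nothing here comes from the poster's real files.

make_root() {   # $1 = key out, $2 = self-signed cert out, $3 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1" -out "$2" 2>/dev/null
}

build_pki() {   # $1 = directory to fill
  make_root "$1/ca.key" "$1/ca.crt" "Demo Root CA" &&
  make_root "$1/other.key" "$1/other-ca.crt" "Unrelated Root CA" &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# What a verifying peer does: succeed only if cert $2 chains to a root in
# its own trust file $1 (the role cacertfile plays on the verifier's side).
peer_trusted() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

check() {       # $1 = label, $2 = trust file, $3 = peer cert
  if peer_trusted "$2" "$3"; then echo "$1: accepted"
  else echo "$1: rejected, issuer not in verifier's CA database"; fi
}

demo() {
  dir=$(mktemp -d) || return 1
  build_pki "$dir" || { rm -rf "$dir"; return 1; }
  check "client trusting ca.crt" "$dir/ca.crt" "$dir/server.crt"
  check "client trusting other-ca.crt" "$dir/other-ca.crt" "$dir/server.crt"
  rm -rf "$dir"
}

demo
```

The server holding ca.crt in its own options changes neither outcome; only the trust file passed to the verifying side does.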