[erlang-questions] SSL: "unknown ca"

Fri Jan 30 21:37:51 CET 2015

On 01/30/2015 09:18 PM, Ingela Andin wrote:
> Hi!
> 2015-01-30 19:25 GMT+01:00 e@REDACTED <e@REDACTED>:
>> Hi, all.
>> SSL: certify: ssl_alert.erl:92:Fatal error: unknown ca
>> I know this issue generates thousands of "hits" in google-search
>> yet google does not reveal a consistent explanation (not a recipe!)
>> first of all: Unknown TO WHOM???
> To the client or server trying to verify its peer certificate.

since the error appears on the server side,
may i deduce that the server (Erlang's ssl application)
is trying to verify the client (a browser)?

in this case i want to know how to disable this feature.
(i only need to verify the server by the client)

>> secondly: What CA will be considered known?
> The  root CA must be present in the verifiers CA database (cacertfile or
> corresponding option for that client/server).

my 'cacertfile' (as given to the 'ssl' application) contains one and 
only one certificate which is self-signed.

>> what properties of CA are required?
>> may we assume that "CA" and "a certificate file" are synonyms in the
>> current context? otherwise, what is CA and how is it represented?

> Certificates and CA certificates are defined in RFC 5280. The are defined
> by as ASN-1 specifications and can normaly be inputed as ASN-1 DER (binary
> format) or
> as a PEM file (a text file representaion of the "DER-blob").

I was asking something else.
When 'ssl' application complains about a "CA" does it mean a 
corresponding certfile that represents a CA or something else?
(Does it consider any other data sources besides those files provided by 

>> My config is:
>> {cacertfile, Dir ++ "ca.crt"}   % self-signed
>> {certfile, Dir ++ "server.crt"} % signed by ca.crt
>> {keyfile, Dir ++ "server.key"}
>> % no other options are explicitly specified
> This is only the options of the server.

but the error appears on the server not on the client

> The client needs to have the ca.crt
> in its configuration to be able
> to verify the servers cert.

how to ensure that both certificates are available (or transferred) to a 
isn't it implicitly implemented by 'ssl' application?
if not, then the bigger problems arise, such as "how client knows where 
to look for a missing cert?"

More information about the erlang-questions mailing list