9

When I try:

    HTTPoison.get! "https://facebook.com"

I get:

** (HTTPoison.Error) {:tls_alert, 'unknown ca'}
[error] SSL: :certify: ssl_handshake.erl:1606:Fatal error: unknown ca

    (httpoison) lib/httpoison.ex:66: HTTPoison.request!/5

which is kind of expected since in my company I need to trust the firewall's certificate to get out.

I have trusted the certificate (.cer file) system wide, which is why wget doesn't give me ssl errors when accessing https URLs. But it seems that hackney/HTTPoison ignores this configuration.

How do I make HTTPoison/hackney recognize the certificate as a trusted certificate?

diogovk
  • 1
    https://www.rabbitmq.com/ssl.html might set you on the right path. At the end of the day, HTTPoison wraps Hackney which uses the Erlang `:ssl` module for TLS. I'd venture a guess that passing the options as described in that document to the correct call in HTTPoison will do the trick (I'd test it myself but about to run out, sorry ;-)) – cdegroot Oct 07 '16 at 21:58

2 Answers

6

Cert file paths are being passed to HTTPoison options like this:

    defp add_certs do
      [
        hackney: [ # :hackney options
          ssl_options: [ # :ssl options
            # The paths and password below are placeholders; substitute your own.
            cacertfile: "/path/to/ca.crt", # CA certificate used to validate server cert; path(), "string" is ok
            certfile: "/path/to/client.crt", # client certificate, signed by CA; path(), "string" is ok
            keyfile: "/path/to/client.key", # private key for client.crt; path(), "string" is ok
            password: 'keyfile-password' # password for keyfile; string(), "string" not ok, use 'char list'
          ]
        ]
      ]
    end

    HTTPoison.post(url, request_xml, headers, add_certs())

5

I recently ran into this issue as well. What worked for me was passing the location of the cert file directly to hackney as suggested by the dev in this ticket:

    opts = [{:ssl_options, [{:cacertfile, "/<path to my cert>/MyCertificates.pem"}]}]
    # HTTPoison.post/4 takes (url, body, headers, options); body is the request payload.
    HTTPoison.post(login, body, headers, hackney: opts)

Alternatively you could perform the SSL connection without checking the certificate (more about request options here):

    # :insecure makes hackney skip verification of the server certificate.
    HTTPoison.post(login, body, headers, hackney: [:insecure])

Keyan P
  • I got it to work, but that involved changing code of third party dependencies (ueberauth_facebook). Isn't there a global solution? – diogovk Oct 11 '16 at 18:29
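
An added example, not taken from either answer or from HTTPoison/hackney: it builds the `ssl_options` from the answers with peer verification set explicitly, and checks that the CA file is PEM, since `:cacertfile` expects PEM and a binary `.cer` export is not. The module name `CorpTLS` and the file path are assumptions.

```elixir
defmodule CorpTLS do
  @moduledoc false
  # Hypothetical helper module (not part of HTTPoison or hackney).

  # Placeholder path: point this at the PEM export of the firewall's CA.
  @default_ca "/path/to/corporate-ca.pem"

  @doc "Builds the value for HTTPoison's :hackney option, with verification left on."
  def hackney_opts(ca_file \\ @default_ca) do
    ensure_pem_certs!(ca_file)

    [
      ssl_options: [
        # Set explicitly so the result does not depend on library or OTP defaults.
        verify: :verify_peer,
        cacertfile: ca_file,
        depth: 3,
        # HTTPS-style hostname matching (wildcard SANs); needs OTP 21 or later.
        customize_hostname_check: [
          match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
        ]
      ]
    ]
  end

  # :cacertfile must be PEM. A binary (DER) .cer export decodes to no entries.
  defp ensure_pem_certs!(path) do
    certs =
      path
      |> File.read!()
      |> :public_key.pem_decode()
      |> Enum.filter(&match?({:Certificate, _der, :not_encrypted}, &1))

    if certs == [] do
      raise ArgumentError,
            "#{path} has no PEM certificates; convert a DER .cer file to PEM first"
    end

    :ok
  end

  def get(url, headers \\ []) do
    HTTPoison.get(url, headers, hackney: hackney_opts())
  end
end
```

With only the corporate CA in `:cacertfile`, a chain is accepted only if it ends at that CA, which is the case for traffic re-signed by the firewall.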