Unable to run mix local.hex and mix local.rebar

hello,

TL;DR:

depending on OS you are using, you can try procedure of adding CA certs to your global trust store.

certs can be found here: Chains of Trust - Let's Encrypt.

please, be careful when doing such changes with a link from a random person from the internet, crosscheck it with someone else :wink:

longer story…

i think you are missing Let’s Encrypt root CA certs in your OS, or they are not being globally used by TLS clients (for example, because of custom/broken openssl.cnf file).

this indicates TLS client is not able to build full chain of trust.
and indeed mix hex.config unsafe_https true doesn’t seem to be disabling CA chain of trust validation, it probably only targets service certificate validation itself (most likely against its expiration date or CN field of its subject, etc.).

i reproduced this issue:

** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2174 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.

Alternatively, you can compile and install Hex directly with this command:

    $ mix archive.install github hexpm/hex branch latest

… by removing from my OSes trust store two certs:

  • ISRG_Root_X1
  • ISRG_Root_X2

re-adding them, fixes issue.

you can get more info about expected chain of trust using openssl s_client -connect builds.hex.pm:443 or other TLS clients with decent debug options.

one thing which is not adding up is the fact curl works fine for you… that would hint your Erlang/OTP/Elixir is not using same trust store as curl does.