TLS Handshake Failure in Elixir/Erlang using OAuth2

4/26/2020

I am getting an error trying to use OAuth2 to communicate with Google's OpenID Connect service. The error looks like:

no case clause matching: {:error, %OAuth2.Error{reason: {:tls_alert, {:handshake_failure, 'TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure\n '}}}}

The error comes from Erlang's hackney library (or possibly from the `ssl` application in OTP itself). I have found a few reports of what look like similar problems:

https://elixirforum.com/t/oauth2-bad-cert-invalid-key-usage/14457/10

https://github.com/benoitc/hackney/pull/619

I am using Let's Encrypt to get the certificate, issued through a Kubernetes cert-manager ClusterIssuer. My YAML file looks like this:

# cert-manager ClusterIssuer that requests certificates from Let's Encrypt over ACME.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt-production
 # NOTE(review): ClusterIssuer is a cluster-scoped kind, so this namespace field
 # presumably has no effect; confirm against the cert-manager version in use.
 namespace: cert-manager
spec:
 acme:
   # Let's Encrypt ACME v2 directory (the non-staging endpoint).
   server: https://acme-v02.api.letsencrypt.org/directory
   # Contact address registered with the ACME account; looks like a placeholder in this post.
   email: fake@email.com
   # Secret that stores the ACME account private key; keep read access to it restricted.
   privateKeySecretRef:
     name: letsencrypt-production
   # Domain ownership is proven with HTTP-01 challenges routed through ingress class "public".
   solvers:
   - http01:
       ingress:
         class: "public" 

My mix.exs looks like the following:

defmodule ProviderApi.Mixfile do
  # Mix project definition for the :provider_api application: build settings,
  # the OTP applications started at boot, and the dependency list.
  use Mix.Project

  # Returns the project configuration keyword list that Mix reads.
  def project do
    # Embedded builds and permanent start are switched on for :prod only.
    prod? = Mix.env() == :prod

    [
      app: :provider_api,
      version: "0.0.1",
      elixir: "~> 1.9.0",
      elixirc_paths: elixirc_paths(Mix.env()),
      compilers: [:phoenix, :gettext] ++ Mix.compilers(),
      build_embedded: prod?,
      start_permanent: prod?,
      # aliases: aliases(),
      deps: deps(),
      preferred_cli_env: coveralls_cli_env(),
      test_coverage: [tool: ExCoveralls]
    ]
  end

  # Configuration for the OTP application.
  #
  # Type `mix help compile.app` for more information.
  #
  # NOTE(review): because :applications is spelled out, Mix does not infer the
  # list from deps. :hackney (and the OAuth2 client that the error in this post
  # comes from) are not named here, so they are presumably started only as
  # dependencies of the listed applications; verify. :oauth is the
  # tim/erlang-oauth dependency declared in deps/0.
  def application do
    started_apps =
      ~w(phoenix phoenix_pubsub cowboy logger gettext phoenix_ecto postgrex
         ueberauth oauth ueberauth_google ecto_sql)a

    [mod: {ProviderApi, []}, applications: started_apps]
  end

  # Source directories to compile; the test environment additionally compiles
  # the shared helpers under test/support.
  defp elixirc_paths(env) do
    shared = ["lib", "web"]

    if env == :test do
      shared ++ ["test/support"]
    else
      shared
    end
  end

  # Every coveralls Mix task runs in the :test environment.
  defp coveralls_cli_env do
    for task <- [:coveralls, :"coveralls.html", :"coveralls.json"], do: {task, :test}
  end

  # Specifies your project dependencies.
  #
  # Type `mix help deps` for examples and options.
  defp deps do
    [
      {:phoenix, "~> 1.4.0"},
      {:phoenix_pubsub, "~> 1.1"},
      {:phoenix_ecto, "~> 4.0"},
      {:postgrex, "~> 0.15.3"},
      {:gettext, "~> 0.13.1"},
      {:plug_cowboy, "~> 2.0"},
      {:plug, "~> 1.7"},
      {:cors_plug, "~> 1.3"},
      {:ecto_sql, "~> 3.4.1"},
      {:excoveralls, "~> 0.7.2", only: :test},
      # TODO remove when hooks are dissociated
      {:neuron, "~> 0.7.0"},
      # NOTE(review): fetched from GitHub with no ref/tag/branch pinned; only
      # mix.lock fixes which commit is built.
      {:oauth, "~> 1.6", github: "tim/erlang-oauth"},
      {:ueberauth, "~> 0.6.0"},
      {:ueberauth_google, "~> 0.9"},
      {:ja_serializer, "~> 0.12.0"},
      {:guardian, "~> 1.2.1"},
      {:database_url, "~> 0.1"},
      # NOTE(review): this replaces the HTTP/TLS client for every dependency
      # (override: true) with whatever the repository's default branch holds at
      # the time mix.lock is updated. Pinning a reviewed commit with `ref:` or a
      # release with `tag:` keeps a dependency update from silently changing
      # TLS client behaviour.
      {:hackney, github: "benoitc/hackney", override: true}
    ]
  end
end

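Note that I am using the latest hackney straight from GitHub, via {:hackney, github: "benoitc/hackney", override: true}. No ref, tag or branch is pinned, so "latest" means whatever commit the repository's default branch pointed at when mix.lock was last updated.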

Any help is appreciated.

EDIT: I just found that I'm having the same issue when connecting to Google locally from localhost:4000, after I updated some dependencies in my mix.lock. Since it reproduces outside the cluster, the Let's Encrypt / ClusterIssuer setup is probably not the cause. So I'm starting to think this may not be a TLS issue; it may have to do with ueberauth or ueberauth_google.

-- GTDev
elixir
kubernetes
lets-encrypt
otp
ssl

0 Answers