10 months ago
I followed the steps outlined here at https://docs.railway.com/guides/phoenix and used the CLI option. I get this error when the deployment starts (build goes through fine).
"message": "06:08:48.784 [notice] TLS :client: In state :wait_cert at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA",
"attributes": {
"level": "info"
},
"tags": {
"project": "86542224-1ac8-4033-86d0-14c44b1fbec3",
"environment": "2a72c8e6-e1a1-4b57-8582-158f25d80d05",
"service": "b46f8751-ac6f-4254-a3db-b384fe949290",
"deployment": "b4bf688d-3b8e-4ca5-9f26-93e8cb507624",
"replica": "5ae8af73-729a-473f-86d5-3a895e497f4e"
},
"timestamp": "2025-09-10T06:08:49.167427488Z"
}
can you please tell me know what is wrong?
4 Replies
10 months ago
any ideas/hints to help me move forward please?
10 months ago
It looks like your app is failing on TLS handshake because the Erlang runtime doesn’t trust the certificate authority (CA) it’s seeing.
What could be happening:
By default, Phoenix/Erlang apps need access to a system CA bundle to validate HTTPS connections (ex: when your app connects to external APIs or Postgres over SSL).
On Railway, if the CA certificates package isn’t present in your environment, Erlang/OTP can’t find the trusted root certificates > handshake fails with Unknown CA.
I am going to assume you're using Nixpacks, so on Railway I would add cacert to your build. Update your nixpacks.toml like this:
[phases.setup]
nixPkgs = ["erlang", "elixir", "cacert"]Also, make sure the config name is "Phases" (plural) and not "Phase". I had seen this issue in a past thread.
This installs the trusted root certificates so Erlang can complete the TLS handshake. After redeploying, the Unknown CA error should disappear.
10 months ago
Thank you for your help and sorry for the delay in getting back. I was checking this thread for a few days but then stopped checking and I don't get any notifications.
I updated the nixpacks.toml by adding the phases.setup there. and then ran 'railway up' and got this error:
error: Unable to build profile. There is a conflict for the following files:
/nix/store/y2zh06pccwcvz43xwgd8mr8pbqflkqww-nss-cacert-3.107/etc/ssl/certs/ca-bundle.crt
/nix/store/zw290ir9xdzlhf385ywm3a5ss08d0fgp-c5702bd28cbde41a191a9c2a00501f18941efbd0-env/etc/ssl/certs/ca-bundle.crt
error: builder for '/nix/store/r77h2h222hmj1annpir4099pzvwvc5ch-user-environment.drv' failed with exit code 1
Also I did not understand what you meant by "make sure the config name is "Phases" (plural) and not "Phase"." I just copied and pasted the exact contents into the toml and redeployed.
I searched both prod.exs and runtime.exs and the HTTPs config is commented out and the only reference to https I see is this line:
url: [host: host, port: 443, scheme: "https"],
I don't have any outbound HTTP calls.
I checked my shared variables and I have 3 - SECRET_KEY_BASE, LC and LANG and I do not have PHX_HOST and MIX_ENV - I tried to follow the steps mentioned in the docs and I did not see these variables. where should I set them? Please help.