Linux/Custom SSL Certificate: Difference between revisions

From Omnia
Revision as of 23:31, 18 June 2025

Man in the Middle SSL Firewall Snooping

If your workplace firewall inspects TLS traffic by re-signing server certificates with its own (custom) CA, several Linux applications will fail certificate verification until that CA is added to the trust store each of them actually uses.

Check

Compare the issuer of the certificate presented for a well-known site (www.google.com here) with the issuer that site really uses. If the issuer is your firewall's CA rather than Google Trust Services, traffic is being intercepted and the firewall CA must be trusted. Replace decrypt.example.com with the CN of your firewall's signing CA:

echo ":: Looking for Required Decryptor Cert..."
# -k: let the handshake complete even though the issuer is not yet trusted
# -I: HEAD request only; --max-time: do not hang if egress is blocked
if curl -Ikv --max-time 10 https://www.google.com 2>&1 | grep -q "CN=decrypt.example.com" ; then
    echo ":: Yes, Cert Required"
else
    echo ":: No, Cert Not Required"
fi

Normal Google (notice the issuer line):

* Server certificate:
*  subject: CN=www.google.com
*  start date: May 19 08:43:37 2025 GMT
*  expire date: Aug 11 08:43:36 2025 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.

Example man-in-the-middle SSL (notice the issuer line; the firewall's CA signs a certificate for www.google.com):

* Server certificate:
*  subject: CN=www.google.com
*  start date: May 19 08:43:37 2025 GMT
*  expire date: Aug 11 08:43:36 2025 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Example Company; CN=decrypt.example.com
*  SSL certificate verify ok.
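The check above greps for one hard-coded firewall CN. As an added example (not code from the Omnia page), the script below generalises it: it extracts the issuer line from curl's verbose output and compares the organisation against the one the reference host really uses, so it also flags an inspecting proxy whose CN you do not know yet. The issuer strings and the "Google Trust Services" organisation for www.google.com come from the sample output above; the function names (issuer_from_curl, classify_issuer, probe_host) are chosen here.

```shell
#!/bin/sh
# Added example, not from the Omnia page: detect a TLS-inspecting firewall by
# comparing the issuer of the certificate a known host presents with the
# issuer that host really uses. "*  issuer:" is curl's verbose output format.

# Print the first "issuer:" line from `curl -v` output read on stdin.
issuer_from_curl() {
    sed -n 's/^\*[[:space:]]*issuer:[[:space:]]*//p' | head -n 1
}

# Print "direct" when the issuer carries the expected organisation,
# "intercepted" when some other CA signed the leaf, and "unknown" when no
# issuer line was found (handshake failed, host blocked, curl not verbose).
classify_issuer() {
    issuer="$1"
    expected_org="$2"
    case "$issuer" in
        "")                  echo unknown ;;
        *"O=$expected_org"*) echo direct ;;
        *)                   echo intercepted ;;
    esac
}

# Live probe (needs network). -k lets the handshake complete before the
# firewall CA is trusted; --max-time keeps a blocked egress from hanging.
# Defaults assume www.google.com is issued by "Google Trust Services";
# substitute your own reference host and its real issuer organisation.
# Exit status 0 means interception was detected.
probe_host() {
    host="${1:-www.google.com}"
    expected_org="${2:-Google Trust Services}"
    issuer=$(curl -Ikv --max-time 10 "https://$host" 2>&1 | issuer_from_curl)
    verdict=$(classify_issuer "$issuer" "$expected_org")
    printf '%s: issuer=%s -> %s\n' "$host" "${issuer:-<none>}" "$verdict"
    [ "$verdict" = intercepted ]
}

# Usage: probe_host www.google.com "Google Trust Services"
```

Matching on the organisation rather than the CN means the check keeps working when the firewall rotates its signing certificate, and "unknown" is reported separately so a blocked or timed-out probe is not mistaken for "no interception".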

General

curl, wget, etc

Most command-line tools (curl, wget, git, apt, etc.) verify against the system CA store, so install the firewall's CA certificate there. The file must be PEM encoded, and on Debian it must carry a .crt suffix to be picked up by update-ca-certificates. Because it is fetched over plain HTTP from an internal server, compare its SHA-256 fingerprint with the value your security team publishes before trusting it.

Debian

sudo curl -fsS http://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /usr/local/share/ca-certificates/cert_CUSTOM_CA.crt
sudo update-ca-certificates

Redhat

sudo curl -fsS http://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /etc/pki/ca-trust/source/anchors/cert_CUSTOM_CA.crt
sudo update-ca-trust
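The two install commands above copy whatever the internal web server returns straight into the trust anchor directory. The following is an added example, not the page's own procedure: it picks the anchor directory and refresh command from /etc/os-release, refuses to install anything that is not a PEM certificate (for instance an HTML 404 page saved by curl), and checks the SHA-256 fingerprint against a value supplied out of band before copying the file in. The function names, the placeholder URL and the fingerprint argument are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the Omnia page: install a firewall CA into the
# distro's system trust store only after verifying what was downloaded.
# The URL, file name and fingerprint passed to install_firewall_ca are placeholders.

# Print "<anchor dir> <refresh command>" for this distro, read from os-release.
# Debian/Ubuntu require a .crt suffix under /usr/local/share/ca-certificates.
ca_store_for() {
    os_release="${1:-/etc/os-release}"
    ids=$(. "$os_release"; printf '%s %s' "$ID" "$ID_LIKE")
    case " $ids " in
        *debian*|*ubuntu*)        echo "/usr/local/share/ca-certificates update-ca-certificates" ;;
        *rhel*|*fedora*|*centos*) echo "/etc/pki/ca-trust/source/anchors update-ca-trust" ;;
        *) echo "unsupported distro: $ids" >&2; return 1 ;;
    esac
}

# True when the file is a single PEM certificate, not e.g. an HTML error
# page that curl saved because the download URL returned 404.
looks_like_pem_cert() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' &&
    tail -n 1 "$1" | grep -q '^-----END CERTIFICATE-----$'
}

# Compare the file's SHA-256 fingerprint (via openssl) with the expected one,
# ignoring colons and case so either notation can be pasted in.
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | sed 's/://g' | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download, verify, install, refresh. Installs nothing and returns non-zero
# if the download, the PEM check or the fingerprint check fails.
install_firewall_ca() {
    url="$1"; expected_fp="$2"
    store=$(ca_store_for) || return 1
    dir=${store% *}; refresh=${store#* }
    tmp=$(mktemp) || return 1
    if curl -fsS --max-time 30 "$url" -o "$tmp" \
       && looks_like_pem_cert "$tmp" \
       && fingerprint_matches "$tmp" "$expected_fp"; then
        sudo install -m 0644 "$tmp" "$dir/cert_CUSTOM_CA.crt" && sudo "$refresh"
        rc=$?
    else
        echo "refusing to install $url: download, PEM or fingerprint check failed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (second argument is the fingerprint your security team published):
# install_firewall_ca http://internal.example.com/install/cert/cert_CUSTOM_CA.crt \
#   '<sha256 fingerprint published out of band>'
```

The fingerprint comparison is what turns "trust whatever this HTTP URL serves" into "trust the CA we were told about"; without it, anyone able to answer for internal.example.com on the network could plant a root that every tool on the box would then accept.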

Python

Make Python libraries use the system bundle. requests ships its own certifi bundle and ignores the system store unless REQUESTS_CA_BUNDLE is set (it falls back to CURL_CA_BUNDLE, which curl itself also honours). The paths below are for Debian/Ubuntu; on the Red Hat family the bundle is /etc/pki/tls/certs/ca-bundle.crt.

# per user
echo 'export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> $HOME/.bashrc
echo 'export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> $HOME/.bashrc
# system wide, including non-login sessions (needs root)
sudo touch /etc/environment
echo 'REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' | sudo tee -a /etc/environment >/dev/null
echo 'CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' | sudo tee -a /etc/environment >/dev/null
# Python's ssl module reads the cafile its OpenSSL was built to expect;
# if that path does not exist, point it at the system bundle
CA=$(python3 -c 'import ssl;print(ssl.get_default_verify_paths().openssl_cafile)')
if [ ! -e "$CA" ] ; then
  sudo ln -s /etc/ssl/certs/ca-certificates.crt "$CA"
fi

ref: https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html


Pip

If your PyPI repo is mirrored internally by something like Artifactory and the mirror itself sits behind the inspecting firewall, point pip at the mirror and at the system bundle (writing /etc/pip.conf needs root):

sudo cp /etc/pip.conf /etc/pip.conf.bak
sudo tee /etc/pip.conf >/dev/null << "EOF"
[global]
index-url = https://artifactory.example.com/artifactory/api/pypi/pypi-remote/simple/
cert = /etc/ssl/certs/ca-certificates.crt
EOF

Snap

Configure Snap: [1]

snap set system store-certs.cert1="$(cat /path/to/mycert)"

This setting only covers snapd's own connections to the Snap Store; applications running inside snaps are confined and do not inherit it.

Example:

sudo curl -fsS https://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /etc/ssl/cert_CUSTOM_CA.crt
sudo snap set system store-certs.cert1="$(cat /etc/ssl/cert_CUSTOM_CA.crt)"

Remove with:

sudo snap unset system store-certs.cert1

Firefox

Firefox does not use the system CA store; it keeps its own NSS certificate database per profile, so the firewall CA has to be imported there separately (Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import). See Certificate Management in Firefox:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_the_certificates_on_the_token_for_ssl_
