Linux/Custom SSL Certificate: Difference between revisions
Latest revision as of 23:33, 18 June 2025
Man in the Middle SSL Firewall Snooping
If your work uses a Custom SSL Certificate for the firewall to inspect traffic, several Linux applications will encounter issues with this.
Check
Look for an issuer CN that is not Google's:
echo ":: Looking for Required Decryptor Cert..."
curl -Ikv --max-time 10 https://www.google.com 2>&1 | grep "CN=decrypt.example.com"
if [ $? -eq 0 ] ; then
  echo ":: Yes, Cert Required"
else
  echo ":: No, Cert Not Required"
fi
Normal Google (notice the issuer line):
* Server certificate:
*  subject: CN=www.google.com
*  start date: May 19 08:43:37 2025 GMT
*  expire date: Aug 11 08:43:36 2025 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
Example man-in-the-middle SSL (notice the issuer line):
* Server certificate:
*  subject: CN=www.google.com
*  start date: May 19 08:43:37 2025 GMT
*  expire date: Aug 11 08:43:36 2025 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Example Company; CN=decrypt.example.com
*  SSL certificate verify ok.
General
curl, wget, etc.
Most tools like curl, wget, etc. use the system SSL store, so import the CA into it. The download below is over plain HTTP, so compare the file's fingerprint with one obtained out of band before trusting it.
Debian
sudo curl -s http://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /usr/local/share/ca-certificates/cert_CUSTOM_CA.crt
sudo update-ca-certificates
Red Hat
sudo curl -s http://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /etc/pki/ca-trust/source/anchors/cert_CUSTOM_CA.crt
sudo update-ca-trust
Python
Point Python libraries such as requests at the system bundle, per user:
echo 'export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> $HOME/.bashrc
echo 'export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> $HOME/.bashrc
or system-wide:
touch /etc/environment
echo 'REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> /etc/environment
echo 'CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> /etc/environment
If the OpenSSL default CA file that Python expects does not exist, link it to the system bundle:
CA=$(python3 -c 'import ssl;print(ssl.get_default_verify_paths().openssl_cafile)')
if [ ! -e "$CA" ] ; then
  ln -s /etc/ssl/certs/ca-certificates.crt "$CA"
fi
Pip
Point PIP to use the system certificate store:
cp /etc/pip.conf /etc/pip.conf.bak
/etc/pip.conf (the cert key must sit under a [global] section, otherwise pip's config parser rejects the file):
[global]
cert = /etc/ssl/certs/ca-certificates.crt
If your PIP repo is being mirrored internally by something like Artifactory, and blocked by the firewall:
cat > /etc/pip.conf << "EOF"
[global]
index-url = https://artifactory.example.com/artifactory/api/pypi/pypi-remote/simple/
cert = /etc/ssl/certs/ca-certificates.crt
EOF
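As an added example (not part of the original wiki page), a Python audit covering the Python and Pip sections above: it checks whether REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE and the pip.conf cert setting each point at a bundle that actually contains the custom CA, and shows that a pip.conf with a bare cert line and no [global] header is rejected by the config parser. The CA file, trust bundle and pip.conf variants are constructed in a temp directory; against a real install, pass /etc/ssl/certs/ca-certificates.crt, os.environ and /etc/pip.conf instead.

```python
import base64, configparser, hashlib, os, re, ssl, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints of every PEM certificate block in a bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest()
            for b in PEM_RE.findall(pem_text)}

def bundle_contains(bundle_path, ca_path):
    """True if every certificate in ca_path also appears in bundle_path."""
    want = fingerprints(Path(ca_path).read_text())
    have = fingerprints(Path(bundle_path).read_text())
    return bool(want) and want <= have

def pip_cert_setting(pip_conf_path):
    """[global] cert from pip.conf, or None if absent or unparseable
    (a bare 'cert = ...' line with no [global] header is unparseable)."""
    cp = configparser.RawConfigParser()
    try:
        cp.read(pip_conf_path)
    except configparser.MissingSectionHeaderError:
        return None
    return cp.get("global", "cert", fallback=None)

def audit(ca_path, env, pip_conf_path):
    """Per consumer: True only if it points at an existing bundle holding the CA."""
    paths = {v: env.get(v) for v in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")}
    paths["pip.conf"] = pip_cert_setting(pip_conf_path)
    return {name: bool(p) and os.path.isfile(p) and bundle_contains(p, ca_path)
            for name, p in paths.items()}

def fake_pem(label):
    """Constructed stand-in certificate: PEM framing around arbitrary bytes."""
    body = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def demo():
    """Constructed CA file, trust bundle and two pip.conf variants in a temp dir."""
    d = Path(tempfile.mkdtemp())
    files = {"ca.crt": fake_pem("CUSTOM_CA"),
             "bundle.crt": fake_pem("PUBLIC_ROOT") + fake_pem("CUSTOM_CA"),
             "good.conf": f"[global]\ncert = {d / 'bundle.crt'}\n",
             "bad.conf": f"cert = {d / 'bundle.crt'}\n"}  # no [global] header
    for name, text in files.items():
        (d / name).write_text(text)
    env = {"REQUESTS_CA_BUNDLE": str(d / "bundle.crt")}  # CURL_CA_BUNDLE deliberately unset
    return (audit(d / "ca.crt", env, d / "good.conf"),
            audit(d / "ca.crt", env, d / "bad.conf"))
```

demo() returns one report per pip.conf variant; the unset CURL_CA_BUNDLE and the header-less pip.conf both show up as False.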
Snap
Configure Snap: [1]
snap set system store-certs.cert1="$(cat /path/to/mycert)"
Example:
curl -s https://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /etc/ssl/cert_CUSTOM_CA.crt
snap set system store-certs.cert1="$(cat /etc/ssl/cert_CUSTOM_CA.crt)"
Remove with:
snap unset system store-certs.cert1
Firefox
Certificate Management in Firefox https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_the_certificates_on_the_token_for_ssl_
Set up Certificate Authorities (CAs) in Firefox - Linux https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox#w_linux