Differences

This shows you the differences between two versions of the page.

--- tools:certificates [2024/01/17 14:43] – [Legacy] will
+++ tools:certificates [2025/10/10 14:23] (current) – [Firefox] will
@@ Line 1: / Line 1: @@
 ====== UPMC Certificates ======
 UPMC man in the middle's https traffic.
-You might get the error
+You might get the error on the terminal (from e.g. ''curl'')
 > SSLError(SSLCerVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certifiacte verify failed: self signed certificate in certificate chain
+or this message in firefox
+> Software is Preventing Firefox From Safely Connecting to This Site
+===== Firefox =====
+Download [[http://upmccrl.upmc.com/CDP/UPMC-ROOT-CA.crt|UPMC-ROOT-CA.crt]] and [[https://upmccrl.upmc.com/cdp/UPMC Root CA 2023.crt|UPMC Root CA 2023.crt]]. Import both into Firefox like (instructions copied from [[https://docs.titanhq.com/en/3834-importing-ssl-certificate-in-mozilla-firefox.html|here]])
+  - top right hamburger menu
+  - options
+  - scroll to ''Privacy & Security'' 's ''Certificates'' Section
+  - Click ''View Certificates...''
+  - ''Authorities'' and ''Import''
+===== Containers =====
+For some docker and singularity containers, you can bind mount [[:admin:it:rhea]]'s certificates (allows UPMC root cert) to the containers. Additionally, for python tools using the request library ([[:tools:fmriprep]], [[:tools:xcpd]]), set ''REQUESTS_CA_BUNDLE'' to use those certs within python too (see [[#python]]).
+In docker, that looks like
+<code=bash>
+docker run \
+ -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
+ -e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
+ ...
+</code>
+===== Terminal =====
+for CLI and terminal programs, you can accept the certificate across the system.
 To allow UPMC's cert in the SSL chain on debian, run:
 <code>
-  # as root
+# as root
-  cd /usr/local/share/ca-certificates/
+[ $(id -u) -ne 0 ] && echo "with sudo" && exit 1
-  cert_loc=http://upmccrl.upmc.com/CDP/
-  for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA; do
+cd /usr/local/share/ca-certificates/
-     wget "$cert_loc/$crt.crt" -O "$crt.crt-der"
+cert_loc=https://upmccrl.upmc.com/cdp
-     # added 20230707
+# 20250313 - added "UPMC ROOT CA 2023" via Nathan Safran
-     openssl x509 -in $crt.crt-der -out $crt.crt -outform PEM
+for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA "UPMC ROOT CA 2023"; do
-  done
+   ! wget "$cert_loc/$crt.crt" -O "$crt.crt-der" && echo "ERROR: cannot get '$crt'" && continue
-  update-ca-certificates
+   # added 20230707
+   openssl x509 -in "$crt.crt-der" -out "$crt.crt" -outform PEM
+done
+update-ca-certificates
 </code>
@@ Line 47: / Line 78: @@
 ==== Python ====
-newer ''urllib3'' may also cause problems with legacy certs. (UNCONFIRMED 20240117)
+For python tools that internally use the ''requests'' library ([[:tools:fmriprep]], [[:tools:qsiprep]], [[:tools:xcpd]], [[:tools:templateflow]]), we can force the python to use the system's certificates:
+<code>
+export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+</code>
+=== venv/cirtifi ===
+For python virtual environments, you may also want to manually append certificates to ''cacert.pem'' bundled with ''certifi''
+<code>
+pycert=$(python -c 'import certifi,os; print(os.readlink(os.path.dirname(certifi.__file__)+"/cacert.pem"))')
+cat $newcert_pem >> $pycert
+</code>
+(Will note: ''cirtifi'' munged also useful for [[:tools:mitmproxy]])
+=== urllib ===
+Newer ''urllib3'' may also cause problems with legacy certs. (UNCONFIRMED 20240117)
 <code>
 pip install urllib3==1.26.12
 </code>