Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
tools:certificates [2024/01/17 14:43] – [Legacy] willtools:certificates [2025/04/25 16:42] (current) – [Terminal] will
Line 1: Line 1:
 ====== UPMC Certificates ====== ====== UPMC Certificates ======
 UPMC man in the middle's https traffic. UPMC man in the middle's https traffic.
-You might get the error+You might get the error on the terminal (from e.g. ''curl'')
 > SSLError(SSLCerVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certifiacte verify failed: self signed certificate in certificate chain > SSLError(SSLCerVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certifiacte verify failed: self signed certificate in certificate chain
 +
 +or this message in firefox
 +> Software is Preventing Firefox From Safely Connecting to This Site
 +===== Firefox =====
 +
 +Download [[http://upmccrl.upmc.com/CDP/UPMC-ROOT-CA.crt|UPMC-ROOT-CA.crt]] and import into Firefox like (instructions copied from [[https://docs.titanhq.com/en/3834-importing-ssl-certificate-in-mozilla-firefox.html|here]])
 +
 +  - top right hamberger menu
 +  - options
 +  - scroll to ''Privacy & Security'' 's ''Certificates'' Section
 +  - Click ''View Certificates...''
 +  - ''Authorities'' and ''Import''
 +
 +===== Terminal =====
 +for CLI and terminal programs, you can accept the certificate across the system.
  
 To allow UPMC's cert in the SSL chain on debian, run: To allow UPMC's cert in the SSL chain on debian, run:
 <code> <code>
-  # as root +# as root 
-  cd /usr/local/share/ca-certificates/ +[ $(id -u) -ne 0 ] && echo "with sudo" && exit 1 
-  cert_loc=http://upmccrl.upmc.com/CDP/ + 
-  for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA; do +cd /usr/local/share/ca-certificates/ 
-     wget "$cert_loc/$crt.crt" -O "$crt.crt-der" +cert_loc=https://upmccrl.upmc.com/cdp 
-     # added 20230707 +# 20250313 - added "UPMC ROOT CA 2023" via Nathan Safran 
-     openssl x509 -in $crt.crt-der -out $crt.crt -outform PEM +for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA "UPMC ROOT CA 2023"; do 
-  done +   ! wget "$cert_loc/$crt.crt" -O "$crt.crt-der" && echo "ERROR: cannot get '$crt'" && continue 
-  update-ca-certificates+   # added 20230707 
 +   openssl x509 -in "$crt.crt-der-out "$crt.crt-outform PEM 
 +done 
 +update-ca-certificates
 </code> </code>
  
Line 51: Line 69:
 pip install urllib3==1.26.12 pip install urllib3==1.26.12
 </code> </code>
 +
 +For python virtual enviornments, you may also want to manually append certificates to ''cacert.pem'' bundled with ''certifi''
 +<code>
 +pycert=$(python -c 'import certifi,os; print(os.readlink(os.path.dirname(certifi.__file__)+"/cacert.pem"))')
 +
 +cat $newcert_pem >> $pycert
 +</code>
 +
 +(Will note: ''cirtifi'' munged also useful for mitmproxy)