====== UPMC Certificates ======
UPMC intercepts (man-in-the-middles) HTTPS traffic, so connections are presented with certificates chaining to the UPMC root CA instead of the site's public CA.
You might get this error on the terminal (from e.g. ''curl'' or a Python tool):
> SSLError(SSLCertVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain')
or this message in Firefox:
> Software is Preventing Firefox From Safely Connecting to This Site
===== Firefox =====
Download [[http://upmccrl.upmc.com/CDP/UPMC-ROOT-CA.crt|UPMC-ROOT-CA.crt]] and import it into Firefox (instructions copied from [[https://docs.titanhq.com/en/3834-importing-ssl-certificate-in-mozilla-firefox.html|here]]):
  - Top right hamburger menu
  - Options
  - Scroll to the ''Certificates'' section of ''Privacy & Security''
  - Click ''View Certificates...''
  - ''Authorities'' tab, then ''Import''
===== Containers =====
For some docker and singularity containers, you can bind mount [[:admin:it:rhea]]'s certificate bundle (which includes the UPMC root cert) into the container, read-only. Additionally, for python tools using the ''requests'' library ([[:tools:fmriprep]], [[:tools:xcpd]]), set ''REQUESTS_CA_BUNDLE'' so ''requests'' uses that bundle instead of the ''certifi'' bundle shipped with the tool (see [[#python]]).
In docker, that looks like
<code bash>
docker run \
  -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
  -e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
  ...
</code>
===== Terminal =====
For CLI and terminal programs, you can trust the certificate system-wide.
To add UPMC's certs to the system CA store on Debian, run:
<code bash>
# as root
[ "$(id -u)" -ne 0 ] && echo "run with sudo" && exit 1
cd /usr/local/share/ca-certificates/
cert_loc=https://upmccrl.upmc.com/cdp
# 20250313 - added "UPMC ROOT CA 2023" via Nathan Safran
for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA "UPMC ROOT CA 2023"; do
  ! wget "$cert_loc/$crt.crt" -O "$crt.crt-der" && echo "ERROR: cannot get '$crt'" && continue
  # added 20230707: the download is DER; update-ca-certificates only picks up PEM *.crt files
  openssl x509 -inform DER -in "$crt.crt-der" -out "$crt.crt" -outform PEM
done
update-ca-certificates
</code>
Before trusting a freshly downloaded root, compare its SHA-256 fingerprint (''openssl x509 -in UPMC-ROOT-CA.crt -noout -fingerprint -sha256'') against one obtained independently (e.g. from UPMC IT or a UPMC-managed machine).
===== Legacy =====
Newer (2023) OpenSSL libraries packaged in Debian disable unsafe legacy renegotiation, which UPMC's network/interception still relies on, so connections fail with:
> ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled
See https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled
Downgrade security with a custom OpenSSL config, pointed to by ''OPENSSL_CONF'':
<code bash>
export OPENSSL_CONF="/opt/ni_tools/slacktheme_bot/openssl.conf"
</code>
where the conf looks like
<code ini>
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
</code>
This re-enables insecure renegotiation for every OpenSSL-linked program started with that environment variable set, so set it only for the command that needs it (e.g. ''OPENSSL_CONF=/path/openssl.conf python script.py'') rather than in a login shell.
==== Python ====
For python tools that internally use the ''requests'' library ([[:tools:fmriprep]], [[:tools:qsiprep]], [[:tools:xcpd]], [[:tools:templateflow]]), we can force Python to use the system's certificates instead of the ''certifi'' bundle:
<code bash>
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
</code>
=== venv/certifi ===
For python virtual environments, you may also want to manually append the UPMC certificate (in PEM form; a DER file appended here is ignored) to the ''cacert.pem'' bundled with ''certifi''. Note that ''pip install --upgrade certifi'' replaces that file, so this has to be redone afterwards.
<code bash>
# PEM produced by the Terminal section above
newcert_pem=/usr/local/share/ca-certificates/UPMC-ROOT-CA.crt
pycert=$(python -c 'import certifi,os; print(os.path.realpath(certifi.where()))')
cat "$newcert_pem" >> "$pycert"
</code>
(Will notes: a munged ''certifi'' is also useful for [[:tools:mitmproxy]])
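The DER-to-PEM conversion from the Terminal section and the ''cat >> cacert.pem'' append above can be combined into one idempotent step. The following is an added example written for this page (not code from the wiki, from UPMC, or from the ''certifi'' project), using only the Python standard library: it converts a downloaded .crt to PEM if it is DER, fingerprints every certificate already in the bundle, and appends only when the new cert is not yet present, so re-running it (e.g. after ''pip install --upgrade certifi'' overwrites ''cacert.pem'') does not duplicate entries. ''SAMPLE_DER'' is constructed bytes, not a real certificate, and the file paths in the usage line are placeholders.

```python
"""Idempotently add a CA certificate to a PEM bundle such as certifi's cacert.pem.

Added example for this wiki page (standard library only). It combines the
`openssl x509 -inform DER -outform PEM` step from the Terminal section with the
`cat >> cacert.pem` step from the venv/certifi section, but skips the append
when the certificate is already in the bundle.
"""
import base64
import hashlib
import re
import sys
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample: starts with the ASN.1 SEQUENCE tag like real DER, but is
# NOT a real certificate; it only exercises the conversion/fingerprint logic.
SAMPLE_DER = b"\x30\x18constructed-sample-bytes"


def is_der(data: bytes) -> bool:
    """A DER-encoded X.509 certificate begins with an ASN.1 SEQUENCE tag (0x30);
    a PEM file begins with '-----BEGIN'."""
    return data[:1] == b"\x30"


def der_to_pem(der: bytes) -> str:
    """PEM is the base64 of the DER bytes in 64-column lines between the
    BEGIN/END CERTIFICATE armor (what `openssl x509 -outform PEM` emits)."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def to_pem(data: bytes) -> str:
    """Accept a downloaded .crt in either encoding and return PEM text."""
    return der_to_pem(data) if is_der(data) else data.decode("utf-8")


def fingerprints(pem_text: str) -> set:
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    fps = set()
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def append_if_missing(bundle_text: str, cert: bytes) -> tuple:
    """Return (new_bundle_text, added). The cert may be DER or PEM; it is
    compared to the bundle by fingerprint, so re-running is a no-op."""
    pem = to_pem(cert)
    new_fps = fingerprints(pem)
    if len(new_fps) != 1:
        raise ValueError("expected exactly one certificate in the input")
    if new_fps <= fingerprints(bundle_text):
        return bundle_text, False
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + pem, True


def add_cert_to_bundle(bundle_path: str, cert_path: str) -> bool:
    """File wrapper: append cert_path to bundle_path if missing; True if written."""
    with open(cert_path, "rb") as f:
        cert = f.read()
    with open(bundle_path, encoding="utf-8") as f:
        bundle_text = f.read()
    new_text, added = append_if_missing(bundle_text, cert)
    if added:
        with open(bundle_path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return added


if __name__ == "__main__":
    # usage: python add_ca.py <cacert.pem> <UPMC-ROOT-CA.crt>   (placeholder paths)
    # bundle path from: python -c 'import certifi; print(certifi.where())'
    if len(sys.argv) != 3:
        sys.exit("usage: add_ca.py BUNDLE.pem CERT.crt")
    print("added" if add_cert_to_bundle(sys.argv[1], sys.argv[2]) else "already present")
```

Comparing by fingerprint rather than by text means the same root supplied once as DER and once as PEM is recognised as already present, and comment lines that ''certifi'' keeps between certificates are left untouched.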
=== urllib ===
Newer ''urllib3'' may also cause problems with legacy certs. (UNCONFIRMED 20240117)
<code bash>
pip install urllib3==1.26.12
</code>