
UPMC Certificates

UPMC's network man-in-the-middles HTTPS traffic, so connections are presented with a certificate chain ending in UPMC's own root CA. You might get this error on the terminal (from e.g. curl):

SSLError(SSLCertVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain')

or this message in Firefox:

Software is Preventing Firefox From Safely Connecting to This Site

Firefox

Download UPMC-ROOT-CA.crt and import it into Firefox as follows (instructions copied from here):

  1. top right hamburger menu
  2. Options
  3. scroll to the Certificates section under Privacy & Security
  4. click View Certificates…
  5. Authorities tab, then Import

Containers

For some Docker and Singularity containers, you can bind mount the certificate bundle of Rhea (the Linux server), which already includes the UPMC root cert, into the container. Additionally, for Python tools that use the requests library (fmriprep, xcpd), set REQUESTS_CA_BUNDLE so Python also uses those certs (see python).

In Docker, that looks like:

docker run \
 -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
 -e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
 ...

Terminal

For CLI and terminal programs, you can trust the certificate system-wide.

To add UPMC's certificates to the system trust store on Debian, run:

# must run as root
[ "$(id -u)" -ne 0 ] && echo "run as root (with sudo)" && exit 1

cd /usr/local/share/ca-certificates/ || exit 1
cert_loc=https://upmccrl.upmc.com/cdp
# 20250313 - added "UPMC ROOT CA 2023" via Nathan Safran
for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA "UPMC ROOT CA 2023"; do
   # the CDP serves DER; keep it under a name update-ca-certificates ignores (only *.crt is picked up)
   ! wget "$cert_loc/$crt.crt" -O "$crt.crt-der" && echo "ERROR: cannot get '$crt'" && continue
   # added 20230707: update-ca-certificates needs PEM
   # (OpenSSL 3 autodetects the DER input; add "-inform DER" on older OpenSSL)
   openssl x509 -in "$crt.crt-der" -out "$crt.crt" -outform PEM
done
update-ca-certificates

Legacy

Newer (2023) SSL libraries packaged in Debian are stricter than what UPMC's certificates/network support, giving:

ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled

See https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled

Downgrade security with a custom OpenSSL config:

export OPENSSL_CONF="/opt/ni_tools/slacktheme_bot/openssl.conf"

where the config file looks like:

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

Python

For Python tools that internally use the requests library (fmriprep, qsiprep, xcpd, TemplateFlow), we can force Python to use the system's certificates:

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

venv/certifi

For Python virtual environments, you may also want to manually append certificates to the cacert.pem bundled with certifi:

# path of the bundle certifi actually uses (resolve symlinks; plain os.readlink fails on a regular file)
pycert=$(python -c 'import certifi,os; print(os.path.realpath(certifi.where()))')

# PEM file to append, e.g. one of the converted files from the Terminal section above
newcert_pem=/usr/local/share/ca-certificates/UPMC-ROOT-CA.crt
cat "$newcert_pem" >> "$pycert"

(Will notes: the munged certifi bundle is also useful for mitmproxy)
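As an added example (not code from the LNCD page), a small Python script that does the certifi append without duplicates: it parses the PEM blocks, fingerprints each certificate's DER with SHA-256 and appends only the ones the bundle does not already contain, so re-running it after every venv rebuild does not pile up copies. `pem_blocks`, `merge_bundles` and `fake_pem` are names chosen here; `fake_pem` builds constructed sample blocks (arbitrary bytes, not real X.509 certificates) so the merge logic can be exercised offline.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Map SHA-256 of each certificate's DER -> re-wrapped PEM block (comments between
    blocks, as in certifi's cacert.pem, are skipped; malformed base64 raises)."""
    blocks = {}
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode()
        pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
            "\n".join(re.findall(".{1,64}", b64)))
        blocks[hashlib.sha256(der).hexdigest()] = pem
    return blocks

def merge_bundles(bundle_text, new_text):
    """Return (merged_text, fingerprints_added); only certificates absent from bundle_text
    are appended, and an already-complete bundle is returned unchanged."""
    have = pem_blocks(bundle_text)
    out = bundle_text if not bundle_text or bundle_text.endswith("\n") else bundle_text + "\n"
    added = []
    for fp, pem in pem_blocks(new_text).items():
        if fp not in have:
            out += "# appended by merge_bundles, sha256 %s\n%s" % (fp, pem)
            have[fp] = pem
            added.append(fp)
    return out, added

def fake_pem(payload):
    """Constructed sample block (arbitrary bytes, not a real X.509 cert) for offline testing."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
        base64.b64encode(payload).decode())

if __name__ == "__main__":
    # usage: python merge_ca.py NEW.pem [BUNDLE]; BUNDLE defaults to certifi's bundle with
    # symlinks resolved (os.readlink alone fails when cacert.pem is a regular file)
    import certifi
    target = Path(sys.argv[2]) if len(sys.argv) > 2 else Path(certifi.where()).resolve()
    merged, added = merge_bundles(target.read_text(), Path(sys.argv[1]).read_text())
    if added:
        target.write_text(merged)
    print("added %d certificate(s) to %s" % (len(added), target))
```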

urllib3

Newer urllib3 versions may also fail with the legacy certificates (UNCONFIRMED 20240117); pin an older release:

pip install urllib3==1.26.12