UPMC Certificates
UPMC's network man-in-the-middles HTTPS traffic: the outbound proxy terminates TLS and re-signs each site with UPMC's own CA, so any client that does not trust that CA fails certificate verification.
You might get this error on the terminal (from e.g. Python's requests; curl reports the same "self signed certificate in certificate chain" reason):
SSLError(SSLCertVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain')
or this message in firefox
Software is Preventing Firefox From Safely Connecting to This Site
Firefox
Download UPMC-ROOT-CA.crt and import it into Firefox like so (instructions copied from here):
- top right hamburger menu
- Options
- scroll to Privacy & Security's Certificates section and click View Certificates…
- Authorities tab, then Import
Terminal
For CLI and terminal programs you can trust the certificate system-wide. Note that this makes the proxy's CA trusted for every TLS connection from that machine, which is what you want behind the interception proxy and what you do not want on a laptop that leaves the network.
To add UPMC's certs to the system CA store on Debian, run:
# as root
cd /usr/local/share/ca-certificates/
cert_loc=http://upmccrl.upmc.com/CDP
for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA; do
   # the CDP serves DER; added 20230707
   wget "$cert_loc/$crt.crt" -O "$crt.crt-der"
   # update-ca-certificates only picks up PEM files whose name ends in .crt
   openssl x509 -inform DER -in "$crt.crt-der" -outform PEM -out "$crt.crt"
done
update-ca-certificates
Legacy
Newer (2023) SSL libraries packaged in Debian (OpenSSL 3) are ahead of what UPMC's certs/network support, and fail with:
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled
See https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled
Downgrade security with a custom SSL config, exported only in the environment of the client that needs it (this re-enables the legacy renegotiation behaviour OpenSSL disables because of the 2009 TLS renegotiation attack, CVE-2009-3555, so do not set it system-wide):
export OPENSSL_CONF="/opt/ni_tools/slacktheme_bot/openssl.conf"
where the conf looks like
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
Python
Newer urllib3 (2.x) may also cause problems with legacy certs (UNCONFIRMED 20240117); pinning the last 1.x release works around it:
pip install urllib3==1.26.12
For Python virtual environments, you may also want to manually append certificates to the cacert.pem bundled with certifi, since pip and requests use that bundle rather than the system store. The append is lost when certifi is upgraded; pointing SSL_CERT_FILE or REQUESTS_CA_BUNDLE at a bundle outside site-packages survives upgrades.
newcert_pem=/usr/local/share/ca-certificates/UPMC-ROOT-CA.crt   # e.g. the PEM produced in the Terminal section
pycert=$(python -c 'import certifi, os; print(os.path.realpath(certifi.where()))')
cat "$newcert_pem" >> "$pycert"
(Will notes: the munged certifi bundle is also useful for mitmproxy.)
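An added example, not part of this page or any UPMC tooling, that does the certifi append from the Python standard library in a way that is safe to re-run (plain `cat >>` duplicates the block every time) and then checks that OpenSSL still loads the bundle, so a corrupt append is caught before it breaks every HTTPS call in the venv. The DER blob and the temporary bundle are constructed placeholders; `python_ca_bundle` assumes only that certifi may or may not be installed.

```python
import os
import ssl
import tempfile


def python_ca_bundle():
    """Path of the CA bundle this interpreter's requests/pip will use.
    certifi ships its own cacert.pem; fall back to the interpreter's default
    cafile when certifi is not installed (assumption: either may be absent)."""
    try:
        import certifi
        return os.path.realpath(certifi.where())
    except ImportError:
        return ssl.get_default_verify_paths().cafile


def der_to_pem(der_bytes):
    """Same transform as `openssl x509 -inform DER -outform PEM`, stdlib only."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def _pem_blocks(text):
    """Set of base64 bodies of the CERTIFICATE blocks in `text`, whitespace
    normalized, so two copies of one cert compare equal."""
    blocks, cur, inside = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            cur, inside = [], True
        elif line == "-----END CERTIFICATE-----" and inside:
            blocks.add("".join(cur))
            inside = False
        elif inside and line:
            cur.append(line)
    return blocks


def append_ca_if_missing(bundle_path, pem):
    """Append `pem` to the bundle unless its cert is already there.
    Returns True when the file was modified."""
    try:
        with open(bundle_path, encoding="ascii") as fh:
            content = fh.read()
    except FileNotFoundError:
        content = ""
    if _pem_blocks(pem) <= _pem_blocks(content):
        return False
    with open(bundle_path, "a", encoding="ascii") as fh:
        if content and not content.endswith("\n"):
            fh.write("\n")
        fh.write(pem if pem.endswith("\n") else pem + "\n")
    return True


def count_ca_certs(bundle_path):
    """Number of CA certs OpenSSL actually accepts from the bundle; 0 when the
    file fails to parse. PROTOCOL_TLS_CLIENT contexts load no defaults, so the
    count reflects only this file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=bundle_path)
    except ssl.SSLError:
        return 0
    return ctx.cert_store_stats()["x509_ca"]


def demo():
    """Constructed run: a placeholder DER blob (not a real certificate) is
    converted and appended to a temporary bundle twice. The second append is a
    no-op, and the bundle yields 0 loadable CAs because the blob is not X.509."""
    fake_der = b"constructed placeholder, not a real DER certificate"
    pem = der_to_pem(fake_der)
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        first = append_ca_if_missing(path, pem)
        second = append_ca_if_missing(path, pem)
        with open(path, encoding="ascii") as fh:
            blocks = fh.read().count("-----BEGIN CERTIFICATE-----")
        loadable = count_ca_certs(path)
    finally:
        os.remove(path)
    return {"first": first, "second": second,
            "blocks": blocks, "loadable_cas": loadable}


if __name__ == "__main__":
    print(demo())
    print("interpreter bundle:", python_ca_bundle())
```

To apply it to a real venv, call `append_ca_if_missing(python_ca_bundle(), open("/usr/local/share/ca-certificates/UPMC-ROOT-CA.crt").read())` and then confirm `count_ca_certs(python_ca_bundle())` went up by one; a result of 0 means the bundle is now unparseable and should be restored from the certifi wheel.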