UPMC Certificates
UPMC man-in-the-middles HTTPS traffic: connections are intercepted and re-signed under a UPMC root CA, so any tool that does not trust that CA fails certificate verification.
You might get this error on the terminal (from e.g. curl):
```
SSLError(SSLCertVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain')
```
or this message in Firefox:
```
Software is Preventing Firefox From Safely Connecting to This Site
```
Firefox
Download UPMC-ROOT-CA.crt and import it into Firefox like so (instructions copied from here):
- top right hamburger menu
- Options
- scroll to the Privacy & Security section's Certificates section
- click View Certificates…
- Authorities tab, then Import
Containers
For some docker and singularity containers, you can bind mount Rhea (linux server)'s certificate bundle (which already includes the UPMC root cert) into the container. Additionally, for python tools using the requests library (fmriprep, xcpd), set REQUESTS_CA_BUNDLE so those certs are used within python too (see Python below).
In docker, that looks like:
```bash
docker run \
  -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
  -e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
  ...
```
Terminal
For CLI and terminal programs, you can trust the certificate system-wide.
To add UPMC's certs to the trusted chain on Debian, run:
```bash
# as root
[ $(id -u) -ne 0 ] && echo "rerun with sudo" && exit 1
cd /usr/local/share/ca-certificates/
cert_loc=https://upmccrl.upmc.com/cdp
# 20250313 - added "UPMC ROOT CA 2023" via Nathan Safran
for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA "UPMC ROOT CA 2023"; do
   ! wget "$cert_loc/$crt.crt" -O "$crt.crt-der" && echo "ERROR: cannot get '$crt'" && continue
   # added 20230707: convert the downloaded file to PEM; update-ca-certificates only picks up PEM files named *.crt
   openssl x509 -in "$crt.crt-der" -out "$crt.crt" -outform PEM
done
update-ca-certificates
```
Legacy
Newer (2023) SSL libraries packaged in Debian are ahead of what UPMC's certs/network supports:
```
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled
```
See https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled
Downgrade security with a custom OpenSSL config (this re-enables a renegotiation mode OpenSSL disables by default, so set it per tool, as with the bot config here, rather than system-wide):
```bash
export OPENSSL_CONF="/opt/ni_tools/slacktheme_bot/openssl.conf"
```
where the conf looks like:
```ini
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
```
Python
For python tools that internally use the requests library (fmriprep, qsiprep, xcpd, TemplateFlow), we can force python to use the system's certificates:
```bash
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```
venv/certifi
For python virtual environments, you may also want to manually append certificates to the cacert.pem bundled with certifi:
```bash
newcert_pem=/usr/local/share/ca-certificates/UPMC-ROOT-CA.crt  # PEM to append (the converted root from the Terminal section)
pycert=$(python -c 'import certifi,os; print(os.path.realpath(certifi.where()))')  # realpath follows Debian's symlink and also works for a plain file in a venv
cat "$newcert_pem" >> "$pycert"
```
(Will's note: the certifi munging is also useful for mitmproxy.)
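Before pointing REQUESTS_CA_BUNDLE at a bundle or appending to certifi's cacert.pem, it is worth confirming the UPMC root is actually in the file. The check below is an added example, not code from this page or from any of the tools it mentions: it fingerprints each certificate in a PEM bundle the same way `openssl x509 -noout -fingerprint -sha256` does, reports whether a given root is present, and mirrors the lookup order requests uses to choose its bundle. The PEM blocks it ships with are constructed placeholders, and `fake_pem`, `bundle_has_cert` and `requests_bundle_path` are names of my own.

```python
import base64
import hashlib
import re

# Added example (not code from the page): confirm a CA bundle really contains the
# root you are about to trust. Pure PEM text handling, no X.509 parser needed;
# fingerprints match `openssl x509 -noout -fingerprint -sha256`.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 of each CERTIFICATE block's DER bytes, formatted AA:BB:...:ZZ."""
    fps = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        hexdigest = hashlib.sha256(der).hexdigest().upper()
        fps.append(":".join(hexdigest[i:i + 2] for i in range(0, 64, 2)))
    return fps

def bundle_has_cert(bundle_pem: str, cert_pem: str) -> bool:
    """True when every certificate in cert_pem (e.g. UPMC-ROOT-CA.crt) is in the bundle."""
    have = set(pem_fingerprints(bundle_pem))
    want = pem_fingerprints(cert_pem)
    return bool(want) and all(fp in have for fp in want)

def requests_bundle_path(env: dict[str, str]) -> str:
    """File requests verifies against: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE,
    else certifi's cacert.pem (OpenSSL's default cafile if certifi is not installed)."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    try:
        import certifi
        return certifi.where()
    except ImportError:
        import ssl
        return ssl.get_default_verify_paths().cafile or ""

def fake_pem(der: bytes) -> str:
    """Constructed placeholder block (arbitrary bytes, not a real X.509 certificate)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed sample data: two stand-in system CAs and a stand-in for the UPMC root.
SYSTEM_BUNDLE = fake_pem(b"placeholder system CA 1") + fake_pem(b"placeholder system CA 2")
UPMC_ROOT = fake_pem(b"placeholder UPMC root CA")

if __name__ == "__main__":  # usage: python check_bundle.py /etc/ssl/certs/ca-certificates.crt UPMC-ROOT-CA.crt
    import sys
    bundle, cert = (open(p).read() for p in sys.argv[1:3])
    print("present" if bundle_has_cert(bundle, cert) else "MISSING")
```

Run it against the real files to see whether update-ca-certificates or the certifi append actually took effect, and compare the printed fingerprint with the one openssl reports for UPMC-ROOT-CA.crt.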
urllib
Newer urllib3 may also cause problems with legacy certs. (UNCONFIRMED 20240117)
```bash
pip install urllib3==1.26.12
```