[opensuse] Self signed certificate
I'm behind a firewall with a self signed certificate (a *.cer file). Zypper (curl) complains:

Error code: Curl error 60
Error message: SSL certificate problem: self signed certificate in certificate chain

Where do I have to put it in the filesystem or must it be imported in some way?

Thanks
Hermann-Josef Beckers
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 25/03/2019 14.16, Hermann-Josef Beckers wrote:
> I'm behind a firewall with a self signed certificate (a *.cer file). Zypper (curl) complains:
>
> Error code: Curl error 60
> Error message: SSL certificate problem: self signed certificate in certificate chain
>
> Where do I have to put it in the filesystem or must it be imported in some way?
I don't see the relation between your own certificate and zypper. Zypper can only complain about certificates of repos.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
-----Original Message-----
From: Carlos E. R. <robin.listas@telefonica.net>
Sent: Monday, March 25, 2019 2:28 PM
To: oS-en <opensuse@opensuse.org>
Subject: Re: [opensuse] Self signed certificate

> ...
> I don't see the relation between your own certificate and zypper. Zypper can only complain about certificates of repos.

Wget is more verbose:

wget --no-check-certificate https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
Warning: wildcards not supported in HTTP.
--2019-03-25 14:43:48-- https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
Connecting to 10.X.Y.Z:3128... connected.
WARNING: cannot verify www.collaboraoffice.com's certificate, issued by ‘CN=mwg.MYGATEWAY.lokal,C=DE,ST=NRW,L=Steinfurt,O=Kreis Steinfurt’:
Self-signed certificate encountered.

I doubt that collaboraoffice.com is self signed. Seems the (perhaps not) self signed certificate of my gateway must be inserted somewhere into the chain of trust?
On 25/03/2019 14.54, Hermann-Josef Beckers wrote:
> ...
> > I don't see the relation between your own certificate and zypper. Zypper can only complain about certificates of repos.
>
> Wget is more verbose:
>
> wget --no-check-certificate https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
> Warning: wildcards not supported in HTTP.
> --2019-03-25 14:43:48-- https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
> Connecting to 10.X.Y.Z:3128... connected.
> WARNING: cannot verify www.collaboraoffice.com's certificate, issued by ‘CN=mwg.MYGATEWAY.lokal,C=DE,ST=NRW,L=Steinfurt,O=Kreis Steinfurt’:
> Self-signed certificate encountered.
>
> I doubt that collaboraoffice.com is self signed. Seems the (perhaps not) self signed certificate of my gateway must be inserted somewhere into the chain of trust?
I doubt that very much. Can't be, the certificate of the site has to be chained to its own certificate authority, defined on the certificate itself. Unless there is some name collision :-?

Anyway, I can not replicate:

cer@Telcontar:~/tmp/hjb> wget https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
Warning: wildcards not supported in HTTP.
--2019-03-25 14:58:59-- https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
Resolving www.collaboraoffice.com (www.collaboraoffice.com)... 46.235.227.219, 2a00:1098:0:82:1000:25:2eeb:e3db
Connecting to www.collaboraoffice.com (www.collaboraoffice.com)|46.235.227.219|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-03-25 14:58:59 ERROR 404: Not Found.
cer@Telcontar:~/tmp/hjb>

It seems for you the connection is intranet, though, so maybe the site is not available for me. CN=mwg.MYGATEWAY.lokal

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On Mon, Mar 25, 2019 at 4:54 PM Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de> wrote:
> wget --no-check-certificate https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
> Warning: wildcards not supported in HTTP.
> --2019-03-25 14:43:48-- https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
> Connecting to 10.X.Y.Z:3128... connected.
It is always amusing to see people hiding private addresses.
> WARNING: cannot verify www.collaboraoffice.com's certificate, issued by ‘CN=mwg.MYGATEWAY.lokal,C=DE,ST=NRW,L=Steinfurt,O=Kreis Steinfurt’:
> Self-signed certificate encountered.
>
> I doubt that collaboraoffice.com is self signed.
You apparently have an intercepting proxy that terminates the SSL stream so it has access to the unencrypted data. Such gateways then establish a new SSL connection to the final destination. Is it a proxy under your control?
> Seems the (perhaps not) self signed certificate of my gateway must be inserted somewhere into the chain of trust?
Fortunately it is impossible - you cannot have a single certificate that will match every other host name, so on the next step certificate validation will fail because the certificate host name will not match the final host name.
-----Original Message-----
From: Andrei Borzenkov <arvidjaar@gmail.com>
Sent: Monday, March 25, 2019 3:25 PM
To: Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de>
Cc: oS-en <opensuse@opensuse.org>
Subject: Re: [opensuse] Self signed certificate

> On Mon, Mar 25, 2019 at 4:54 PM Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de> wrote:
> ...
> You apparently have an intercepting proxy that terminates the SSL stream so it has access to the unencrypted data. Such gateways then establish a new SSL connection to the final destination. Is it a proxy under your control?

...
Not me personally, but by our network admins.
On Mon, Mar 25, 2019 at 5:31 PM Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de> wrote:
> -----Original Message-----
> From: Andrei Borzenkov <arvidjaar@gmail.com>
> Sent: Monday, March 25, 2019 3:25 PM
> To: Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de>
> Cc: oS-en <opensuse@opensuse.org>
> Subject: Re: [opensuse] Self signed certificate
>
> > On Mon, Mar 25, 2019 at 4:54 PM Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de> wrote:
> > ...
> > You apparently have an intercepting proxy that terminates the SSL stream so it has access to the unencrypted data. Such gateways then establish a new SSL connection to the final destination. Is it a proxy under your control?
>
> ...
> Not me personally, but by our network admins.
Well, you need to contact your admins then and ask them. If it is intentional and required by your site policy, there is not much you can do except ignoring certificate validation errors.
-----Original Message-----
From: Andrei Borzenkov <arvidjaar@gmail.com>
Sent: Monday, March 25, 2019 3:45 PM
To: Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de>
Cc: oS-en <opensuse@opensuse.org>
Subject: Re: [opensuse] Self signed certificate

> ...
> > You apparently have an intercepting proxy that terminates the SSL stream so it has access to the unencrypted data. Such gateways then establish a new SSL connection to the final destination. Is it a proxy under your control?
> ...
> Not me personally, but by our network admins.
>
> Well, you need to contact your admins then and ask them. If it is intentional and required by your site policy, there is not much you can do except ignoring certificate validation errors.
I did that and they advise me to use the already mentioned *.cer file. "The server must trust this certificate". I'm back to the question: how do I do that? Which tool must I use?

Thank you
Hermann-Josef
On 25/03/2019 16.04, Hermann-Josef Beckers wrote:
> ...
> > You apparently have an intercepting proxy that terminates the SSL stream so it has access to the unencrypted data. Such gateways then establish a new SSL connection to the final destination. Is it a proxy under your control?
> ...
> Not me personally, but by our network admins.
>
> > Well, you need to contact your admins then and ask them. If it is intentional and required by your site policy, there is not much you can do except ignoring certificate validation errors.
>
> I did that and they advise me to use the already mentioned *.cer file. "The server must trust this certificate". I'm back to the question: how do I do that? Which tool must I use?
That is absurd. Or they mean using the gateway certificate? Or... You posted this.
> wget --no-check-certificate https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
> Warning: wildcards not supported in HTTP.
> --2019-03-25 14:43:48-- https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/*
> Connecting to 10.X.Y.Z:3128... connected.
> WARNING: cannot verify www.collaboraoffice.com's certificate, issued by ‘CN=mwg.MYGATEWAY.lokal,C=DE,ST=NRW,L=Steinfurt,O=Kreis Steinfurt’:
> Self-signed certificate encountered.
Notice that you are not connecting to www.collaboraoffice.com on the internet, but to a local (to you) address. And the certificate of that site is also local, from "mwg.MYGATEWAY.lokal". Unless you have redacted all those names and are thus confusing us.

You then would need to create a certificate authority for your intranet, and add that master certificate to your machine chain for trusting your intranet certificates. Your network admins should know how to do all that. But a self signed certificate inside your computer will not help at all, AFAIK.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On 25.03.2019 18:04, Hermann-Josef Beckers wrote:
> -----Original Message-----
> From: Andrei Borzenkov <arvidjaar@gmail.com>
> Sent: Monday, March 25, 2019 3:45 PM
> To: Hermann-Josef Beckers <Hermann-Josef.Beckers@kreis-steinfurt.de>
> Cc: oS-en <opensuse@opensuse.org>
> Subject: Re: [opensuse] Self signed certificate
>
> > ...
> > > You apparently have an intercepting proxy that terminates the SSL stream so it has access to the unencrypted data. Such gateways then establish a new SSL connection to the final destination. Is it a proxy under your control?
> > ...
> > Not me personally, but by our network admins.
> >
> > Well, you need to contact your admins then and ask them. If it is intentional and required by your site policy, there is not much you can do except ignoring certificate validation errors.
>
> I did that and they advise me to use the already mentioned *.cer file. "The server must trust this certificate". I'm back to the question: how do I do that? Which tool must I use?
I do not see any point in trusting your proxy certificate (it does not verify that you actually fetch packages from the correct server anyway) so the simple solution is to disable SSL certificate verification for this repo. See man zypper, it would be something like

https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-opensuse/?ssl_ver...

Or just do not use HTTPS in the first place.

If you insist on trusting this certificate globally, copy it into /etc/pki/trust/anchors and run update-ca-certificates.
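Before copying a .cer file into /etc/pki/trust/anchors as the reply above describes, it is worth confirming that the file really is the gateway certificate named in the wget warning and not some other certificate the admins happened to send. The following is an added example, not code from the thread or from openSUSE: it uses only the Python standard library to accept the .cer in either DER or PEM form, walk just enough of the DER to read the issuer and subject names, report whether the certificate is self-issued (issuer equals subject, which is what the warning's "self-signed" refers to; the signature itself is not verified), and emit the PEM form. The sample certificate, the CN "Some Public CA", and the file name "mwg-gateway" are constructed for the example; storing the anchor as PEM is an assumption here. As Andrei's earlier message notes, adding the anchor only makes the proxy-issued chain validate; it says nothing about the server the proxy connects to.

```python
# Added example, not from the thread: inspect a gateway .cer before trusting it.
# Uses only the Python standard library; the DER walk reads just enough of the
# certificate to recover issuer and subject (it does not verify the signature).
import ssl

# OID -> attribute label for the attribute types seen in the thread's wget warning.
_ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
         b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x8N + N bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """List the (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def _name(buf):
    """Render an X.501 Name as 'ATTR=value,...' in the order it is encoded."""
    parts = []
    for _, rdn in _children(buf):           # Name ::= SEQUENCE OF RDN
        for _, atv in _children(rdn):       # RDN ::= SET OF AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{_ATTR.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)

def to_der(data: bytes) -> bytes:
    """Accept a .cer in either PEM or DER encoding and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(data.strip().decode())
    return data

def inspect_cer(data: bytes) -> dict:
    """Return issuer, subject, whether issuer == subject, and the PEM form."""
    der = to_der(data)
    _, cert_body = _children(der)[0]        # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, tbs = _children(cert_body)[0]        # TBSCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version is optional
        fields = fields[1:]
    issuer, subject = _name(fields[2][1]), _name(fields[4][1])
    return {"issuer": issuer, "subject": subject, "self_issued": issuer == subject,
            "pem": ssl.DER_cert_to_PEM_cert(der)}

def anchor_path(name: str) -> str:
    """Trust-anchor location named in the thread; update-ca-certificates reads it."""
    return f"/etc/pki/trust/anchors/{name}.pem"

# --- constructed sample input (no real key or signature) ---------------------
def _der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                          else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def _sample_name(cn):
    attrs = [(b"\x55\x04\x06", b"DE"), (b"\x55\x04\x08", b"NRW"), (b"\x55\x04\x07", b"Steinfurt"),
             (b"\x55\x04\x0a", b"Kreis Steinfurt"), (b"\x55\x04\x03", cn)]
    rdns = [_der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, val))) for oid, val in attrs]
    return _der(0x30, b"".join(rdns))

def constructed_sample_cer(self_issued=True) -> bytes:
    """A minimal, unsigned DER certificate carrying the gateway name from the thread."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    subject = _sample_name(b"mwg.MYGATEWAY.lokal")
    issuer = subject if self_issued else _sample_name(b"Some Public CA")   # constructed
    validity = _der(0x30, _der(0x17, b"190325000000Z") + _der(0x17, b"290325000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sha256_rsa + issuer + validity + subject)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))   # placeholder signature

if __name__ == "__main__":
    info = inspect_cer(constructed_sample_cer())
    print("subject    :", info["subject"])
    print("issuer     :", info["issuer"])
    print("self-issued:", info["self_issued"])
    print("would go to", anchor_path("mwg-gateway"), "followed by update-ca-certificates")
```

In practice you would read the real .cer with open(path, "rb").read(), check that the subject matches the issuer printed by wget and that the certificate is self-issued, and only then write info["pem"] to the anchors directory and run update-ca-certificates.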
-----Original Message-----
From: Andrei Borzenkov <arvidjaar@gmail.com>
Sent: Monday, March 25, 2019 7:12 PM
To: opensuse@opensuse.org
Subject: Re: [opensuse] Self signed certificate

> ...
> If you insist on trusting this certificate globally, copy it into /etc/pki/trust/anchors and run update-ca-certificates.

That helped. Thank you.

Hermann-Josef