
I'm using gcloud on Windows to develop GAE stuff. The network here has a MITM root certificate by design so all SSL traffic can be snooped; I can install the root cert easily into a browser or the Windows certificate store, but can't successfully get this to work for Python, or more specifically, gcloud (which has its own Python bundled). The answers at How to add a custom CA Root certificate to the CA Store used by Python in Windows? don't work - I've tried setting the SSL_CERT_DIR and SSL_CERT_FILE environment variables to no avail, and the pip.ini solution isn't applicable as I'm not using pip.

askvictor
  • Try setting the `custom_ca_certs_file` core property using [gcloud config set](https://cloud.google.com/sdk/gcloud/reference/config/set). – Dan Cornilescu Mar 15 '18 at 23:28
  • @DanCornilescu - have just tried it, with no success. However, I'm uncertain what format the cert should be in, and what type of path separators are expected (/ \ or \\). I tried a couple of variations with no success. – askvictor Mar 16 '18 at 00:08
  • Search in the SDK dir for files with names ending in `cacerts.txt` and follow their example. Like `lib/third_party/httplib2/cacerts.txt` – Dan Cornilescu Mar 16 '18 at 00:58
  • As you guessed, I'm not on Windows, but you get the idea... :) – Dan Cornilescu Mar 16 '18 at 01:00
  • So it's PEM format, but that didn't work for me using the custom_ca_certs_file option. Neither did appending the cert onto the end of cacerts.txt (I tried the ones in httplib2 and gsutil) – askvictor Mar 16 '18 at 02:46
  • Sorry to hear that :( – Dan Cornilescu Mar 16 '18 at 06:10

2 Answers


Assuming all your credential setup is in order, for MITM you likely also need to set proxy settings, for instance

```
gcloud config set proxy/address 127.0.0.1
gcloud config set proxy/port 8080
gcloud config set proxy/type http
```

replacing address/port for your MITM, and then tell the SDK to trust your local certificate authority:

```
gcloud config set core/custom_ca_certs_file cert.pem
```

Test by running some command, for example

```
gcloud projects list
```

You can use the additional `--log-http` gcloud flag and/or tools like Burp to further debug what certs/proxies are being used.

Chris Adams
cherba
  • The proxy here is transparent, so that isn't required. I've tried the custom_ca_certs_file setting (in the comments of the question) to no effect. Disabling SSL validation does work, but I don't like that as a long term solution for obvious reasons. --log-http doesn't show anything insightful, and I don't have the time at this stage to learn how to use burp. – askvictor Mar 18 '18 at 23:33
  • 2
    it would be nice to have a flag in gcloud to provide more verbose details about security certs – askvictor Mar 18 '18 at 23:48
1

The previous answer works for gcloud, but does not work with gsutil. gsutil currently ignores whatever value for CA certificates you have in the gcloud config, so you must add it to your boto config file (on a GCP instance it's /etc/boto.cfg). Add these lines:

```ini
[Boto]
ca_certificates_file = /path/to/cert.pem
```
l33tn00b
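Both answers and the comment thread hinge on the CA file being a well-formed PEM bundle that actually validates the intercepting proxy's chain. The following Python 3 diagnostic, added here and not taken from the question or either answer, checks the file's format offline and then opens a TLS connection trusting only that file, so you can tell a bad bundle apart from a gcloud or gsutil configuration problem; the probe host `www.googleapis.com` and the `check_bundle`/`probe` names are assumptions for this example, and the sample PEM is constructed, not a real certificate.

```python
import base64
import binascii
import os
import re
import socket
import ssl
import sys

# Constructed sample for the offline self-check: Base64 of DER bytes
# 30 03 02 01 01 (an ASN.1 SEQUENCE holding INTEGER 1), not a real certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"
              b"-----END CERTIFICATE-----\n")
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def check_bundle(data):
    """Return (cert_count, problems) for the raw bytes of a CA file: flags
    DER instead of PEM, missing BEGIN/END markers, or non-Base64 bodies."""
    if data.startswith(b"\x30\x82"):
        return 0, ["file is DER-encoded; export it as Base64/PEM instead"]
    problems = []
    bodies = PEM_BLOCK.findall(data)
    if not bodies:
        problems.append("no BEGIN/END CERTIFICATE markers found")
    for i, body in enumerate(bodies, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("certificate %d: body is not valid Base64" % i)
            continue
        if not der.startswith(b"\x30"):
            problems.append("certificate %d: body is not a DER SEQUENCE" % i)
    return len(bodies), problems

def probe(cafile, host="www.googleapis.com", port=443, timeout=10):
    """Open a TLS connection trusting only `cafile` and return the leaf
    certificate's issuer; raises ssl.SSLCertVerificationError if the bundle
    does not trust the chain (behind an intercepting proxy, the proxy's)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["issuer"])

if __name__ == "__main__":
    path = os.path.abspath(sys.argv[1])  # hand gcloud an absolute path too
    count, problems = check_bundle(open(path, "rb").read())
    print(path, "->", count, "certificate(s);", problems or "well-formed")
    if count and not problems:
        print("leaf issuer seen through this bundle:", probe(path))
```

Run it as `python check_ca.py C:\path\to\cert.pem`: if the issuer printed is your corporate CA, the bundle is usable and the remaining problem is on the gcloud/gsutil side; if it raises a verification error, the file does not contain the root the proxy is signing with.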