
I work for a client that has a self-signed MITM SSL decrypt cert in their firewall. They use a Windows server to run some apps. I need to configure the cert for all the package manager software like git, npm, maven, conda and pip in order to let these tools download content.

For example, in order to use git, I had to follow this guide https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows to export the cert from Chrome and then modify the .gitconfig file in C:\Users\X999999\.gitconfig. Since I also need to run Jenkins as a SYSTEM service, I also need to modify the .gitconfig in C:\Windows\System32\config\systemprofile\.gitconfig. The modified content is like this:

[http]
    sslCAInfo = C:\\sslcert\\2020-ssl-decrypt.cer

Another example: in order to use npm, I had to follow this guide, "How to fix SSL certificate error when running Npm on Windows?", to modify the .npmrc both in C:\Users\X999999\.npmrc and in C:\Windows\System32\config\systemprofile\.npmrc as follows:

cafile=C:\sslcert\2020-ssl-decrypt.cer

It worked well for a few days. The problem is that today I found I can't use npm! It shows this error:

npm install coffee-script
npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://registry.npmjs.org/coffee-script failed, reason: unable to get local issuer certificate

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\X999999\AppData\Roaming\npm-cache\_logs\2020-12-10T05_59_28_281Z-debug.log

Then I tried to open https://registry.npmjs.org/ using Chrome and checked the certificates. It appears 2020-ssl-decrypt is no longer in the Certification Path. Then I removed the line cafile=C:\sslcert\2020-ssl-decrypt.cer from the .npmrc file and npm works again. So it appears the firewall has disabled the SSL cert for the site registry.npmjs.org today.

I also remember that a few months ago I didn't need to configure the cert for git to access github.com either. So it appears the firewall's behavior is weird, or its configuration is changing back and forth.

So is there a way (a script or something) to let this package manager software (git, npm, maven, conda, pip) automatically detect whether a site needs the cert and use the cert? I know that disabling SSL cert verification for git or npm can avoid these issues, but it's not secure.

Also, I noticed the 2020-ssl-decrypt.cer exported from Chrome is only valid from Feb 2020 to Feb 2021. So is there any script or method to automatically export the cert after it expires?

Nublia
  • *"automatically detect whether a site need the cert and use the cert"* - aren't you basically asking that all of these apps should trust an arbitrary cert, which is the same as disabling certificate validation? Or how should these apps determine if this specific MITM cert they got should be trusted or not? Letting the apps detect the cert is the wrong approach regarding trust relationships. Instead these apps should just be provided the relevant CA up-front, the same as it is done for the browser. – Steffen Ullrich Dec 10 '20 at 07:49
  • @SteffenUllrich Not an arbitrary cert. I have already exported the `2020-ssl-decrypt.cer` cert. I want a script that, if a site needs this cert to connect, adds it. If not, removes the configs in the `.gitconfig` or `.npmrc` file. – Nublia Dec 10 '20 at 09:15
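As an added example (not from the question or any answer on this page), the following PowerShell check answers the diagnostic half of the question without touching trust settings: for each host it completes a TLS handshake, accepts whatever chain is presented for inspection only, and reports whether that chain is signed by the exported decrypt CA, so the admin can see which sites the firewall is currently intercepting and whether the exported CA has expired. The CA path is the one from the question; the host list is an assumption, as is that the exported .cer is the CA the firewall signs intercepted certificates with.

```powershell
# Added example: report which HTTPS hosts present a chain signed by the firewall's
# decrypt CA. It changes no configuration; it only inspects what each host presents.
param(
    [string[]]$Hosts  = @('registry.npmjs.org', 'github.com', 'repo.maven.apache.org'),  # assumed list
    [string]  $CaFile = 'C:\sslcert\2020-ssl-decrypt.cer'                               # path from the question
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$decryptCa = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $CaFile
"Decrypt CA '{0}' valid {1:d} to {2:d}" -f $decryptCa.Subject, $decryptCa.NotBefore, $decryptCa.NotAfter
if ($decryptCa.NotAfter -lt (Get-Date)) { Write-Warning 'Exported decrypt CA has expired; re-export it from the firewall.' }

foreach ($h in $Hosts) {
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($h, 443)
        # Accept the presented certificate so the handshake finishes; the chain is checked
        # explicitly below and nothing is sent over this connection afterwards.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($h)
        $leaf = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate

        # Build the chain with the decrypt CA available (but not required to be trusted by
        # the machine store), then look for the CA's thumbprint among the chain elements.
        $chain = New-Object -TypeName "$x509.X509Chain"
        [void]$chain.ChainPolicy.ExtraStore.Add($decryptCa)
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        [void]$chain.Build($leaf)
        $signedByDecryptCa = $chain.ChainElements |
            Where-Object { $_.Certificate.Thumbprint -eq $decryptCa.Thumbprint }

        if ($signedByDecryptCa) {
            "{0}: INTERCEPTED (issuer: {1}) -> git sslCAInfo / npm cafile must point at {2}" -f $h, $leaf.Issuer, $CaFile
        } else {
            "{0}: DIRECT (issuer: {1}) -> public roots verify it; a cafile holding only the decrypt CA will fail" -f $h, $leaf.Issuer
        }
    } catch {
        "{0}: ERROR {1}" -f $h, $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}
```

Run it from both the user account and the SYSTEM context the Jenkins service uses, since each reads its own .gitconfig and .npmrc; a host that flips between INTERCEPTED and DIRECT from one day to the next is the firewall policy change the question describes.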

0 Answers