
Certificate Issues behind Corporate Proxy? #907

Closed
laurencer opened this Issue Sep 3, 2015 · 17 comments


laurencer commented Sep 3, 2015

When stack is pulling new packages - I'm getting the following error:

TlsException (HandshakeFailed (Error_Protocol ("certificate rejected: [SelfSigned]",True,CertificateUnknown)))

I'm assuming this is because I'm behind a corporate MITM proxy. Any way to get it to accept my system's custom root CA?


snoyberg commented Sep 3, 2015

In general, stack (and the underlying tls library for Haskell) does respect system certificates. There are debugging instructions available for this at:

https://github.com/vincenthz/hs-tls/#common-issues

I have personal experience using stack in this use case, so (perhaps surprisingly) it is actually tested.

@snoyberg snoyberg added this to the Support milestone Sep 3, 2015


laurencer commented Sep 5, 2015

Okay thanks - I'll have a look on Monday and see if I can get it working


laurencer commented Sep 6, 2015

I seem to be running into this issue here. It's fixed in the latest version of hs-certificate but I'm guessing that's not used by Stack yet. It only happens on recent versions of Mac OS X due to a way the Keychains have been changed.

The temporary fix was to add the certificate to the SystemRootCertificates Keychain (aka sudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain ~/my_fancy_cert.pem), but it'd be nice in future if we didn't have to.

Any idea how to bump the version appropriately?


snoyberg commented Sep 7, 2015

The certificate package is marked as deprecated in favor of x509.

@vincenthz Can you let us know which version of which package we need to upgrade to in order to get this change?


vincenthz commented Sep 7, 2015

@snoyberg Since x509-system-1.6.0, the SystemRootCertificates and the /Library/Keychains/System.keychain are automatically processed as the Trusted CA Store.

@laurencer Do you know which keychains your certificate is in?


snoyberg commented Sep 7, 2015

I can confirm that stack is currently using x509-system-1.6.0: https://www.stackage.org/lts-3.0/package/x509-system-1.6.0. Thanks @vincenthz


laurencer commented Sep 11, 2015

@vincenthz - I believe the certificate was in /Library/Keychains/System.keychain (before I added it to the SystemRootCertificates manually). I'll have to check when I'm next at work...


snoyberg commented Sep 21, 2015

Have you had a chance to check this?


laurencer commented Sep 21, 2015

Yeah I'm fairly confident it was in /Library/Keychains/System.keychain. I would have to remove it from SystemRootCertificates to be sure though (to verify the bug)...


thsutton commented Sep 24, 2015

I've just done this too and can confirm @laurencer's last comment: the cert was in System and adding it to SystemRootCertificates fixes the problem.


snoyberg commented Sep 30, 2015

Is this an issue that should be moved to the tls package, or is there something that Stack can do about this?


vincenthz commented Sep 30, 2015

I don't think there's anything Stack can do, short of supplying an extra list of CAs, maybe. I need to find time to see what's going on with the System keychain, unless someone beats me to it.


snoyberg commented Sep 30, 2015

OK, thanks Vincent. Closing as an upstream issue.

@snoyberg snoyberg closed this Sep 30, 2015


vincenthz commented Sep 30, 2015

I'm adding a tracking ticket for this: vincenthz/hs-certificate#68


dmvianna commented Mar 17, 2016

Any chance this will be fixed for non-root users? Other languages allow users to point to .pem certificates through configuration files. In Python one can use ~/.pip/pip.conf:

[global]
cert = /home/<user>/.pip/<cert>.pem
proxy = http://<proxy-address>:<port>/


kyrias commented May 6, 2016

Looking at the code, it should be possible by setting the SYSTEM_CERTIFICATE_PATH environment variable?


sjakobi commented Jul 14, 2016

> Looking at the code, it should be possible by setting the SYSTEM_CERTIFICATE_PATH environment variable?

I think that should work.
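The last two comments point at the non-root route: a directory of PEM files named by SYSTEM_CERTIFICATE_PATH instead of the keychain edit from earlier in the thread. The script below is an added example, not code from the stack project or from anyone in this thread. It assumes (as those comments say, and as the hs-tls "common issues" link describes) that x509-system will read the directory named by SYSTEM_CERTIFICATE_PATH on non-macOS systems, and that each file in it holds one or more PEM certificates. Its purpose is the defender-side check that a proxy-supplied bundle usually skips: split the bundle, confirm PEM framing, compute each certificate's SHA-256 fingerprint, and write only the certificates whose fingerprint matches a value obtained out of band from the proxy administrator. The certificate bodies in `constructed_bundle` are labelled placeholders, not real certificates, so the fingerprints it produces are only meaningful for the demo itself.

```python
"""Prepare a vetted CA directory for stack's SYSTEM_CERTIFICATE_PATH.

Added example for the stack issue thread; not part of stack or x509-system.
Assumption: x509-system reads every PEM certificate found in the directory
named by SYSTEM_CERTIFICATE_PATH (the behaviour the thread's last comments
describe for non-macOS systems).
"""
import base64
import hashlib
import os
import re
import ssl
import tempfile

# One certificate block inside a PEM bundle; re.S lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle_text):
    """Return each certificate in a bundle as its own normalised PEM string."""
    return [
        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % m.group(1).strip()
        for m in PEM_BLOCK.finditer(bundle_text)
    ]


def is_well_formed_pem(pem_cert):
    """True when the block has PEM framing and a decodable base64 body.

    ssl.PEM_cert_to_DER_cert raises ValueError (binascii.Error is a subclass)
    on a missing header/footer or a body that is not base64.
    """
    try:
        ssl.PEM_cert_to_DER_cert(pem_cert)
    except ValueError:
        return False
    return True


def fingerprint_sha256(pem_cert):
    """SHA-256 of the DER bytes: the value to compare with an out-of-band fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def install_bundle(bundle_text, ca_dir, trusted_fingerprints):
    """Write only vetted, well-formed certificates into ca_dir; return paths written."""
    os.makedirs(ca_dir, exist_ok=True)
    written = []
    for index, pem in enumerate(split_pem_bundle(bundle_text)):
        if not is_well_formed_pem(pem):
            continue
        if fingerprint_sha256(pem) not in trusted_fingerprints:
            continue  # an unexpected CA in the bundle is never trusted silently
        path = os.path.join(ca_dir, "corp-ca-%d.pem" % index)
        with open(path, "w") as handle:
            handle.write(pem)
        written.append(path)
    return written


def stack_environment(ca_dir, base_env=None):
    """Environment for launching stack with ca_dir as its CA store."""
    env = dict(os.environ if base_env is None else base_env)
    env["SYSTEM_CERTIFICATE_PATH"] = os.path.abspath(ca_dir)
    return env


def constructed_bundle():
    """A constructed two-entry bundle with placeholder bodies (not real certificates)."""
    blocks = []
    for body in (b"constructed placeholder CA one", b"constructed placeholder CA two"):
        b64 = base64.b64encode(body).decode("ascii")
        blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64)
    return "".join(blocks)


def run_demo():
    """Trust only the first placeholder CA from the constructed bundle."""
    bundle = constructed_bundle()
    certs = split_pem_bundle(bundle)
    fingerprints = [fingerprint_sha256(c) for c in certs]
    ca_dir = tempfile.mkdtemp(prefix="corp-ca-")
    # In practice the trusted set comes from the proxy administrator, not the bundle.
    written = install_bundle(bundle, ca_dir, {fingerprints[0]})
    env = stack_environment(ca_dir, base_env={})
    return {
        "certs_in_bundle": len(certs),
        "written": written,
        "env_path": env["SYSTEM_CERTIFICATE_PATH"],
        "ca_dir": ca_dir,
    }


if __name__ == "__main__":
    result = run_demo()
    print("certificates in bundle:", result["certs_in_bundle"])
    print("installed:", result["written"])
    print("SYSTEM_CERTIFICATE_PATH=%s stack build" % result["env_path"])
```

The environment dictionary from `stack_environment` is what you would hand to `subprocess.run(["stack", "build"], env=...)`, or export the variable in the shell before running stack. Keeping the vetted directory separate from the system store means the corporate root never widens trust for anything other than the tools you point at it.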
