Certificate Issues behind Corporate Proxy?

[laurencer]

When stack is pulling new packages - I'm getting the following error:

TlsException (HandshakeFailed (Error_Protocol ("certificate rejected: [SelfSigned]",True,CertificateUnknown)))

I'm assuming this is because I'm behind a corporate MITM proxy. Anyway to get it to accept my systems custom root CA?

[snoyberg]

In general stack (and the underlying tls library for Haskell) do respect system certificates. There are debugging instructions available for this at:

https://github.com/vincenthz/hs-tls/#common-issues

I have personal experience using stack in this use case, so (perhaps surprisingly) it is actually tested.

[laurencer]

Okay thanks - I'll have a look on Monday and see if I can get it working

[laurencer]

I seem to be running in to this issue here. It's fixed in the latest version of hs-certificate but I'm guessing that's not used by Stack yet. It only happens on recent versions of Mac OS X due to a way the Keychains have been changed.

The temporary fix was to add the certificate to the SystemRootCertificates Keychain (aka sudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain ~/my_fancy_cert.pem), but it'd be nice in future if we didn't have to.

Any idea how to bump the version appropriately?

[snoyberg]

The certificate package is marked as deprecated in favor of x509.

@vincenthz Can you let us know which version of which package we need to upgrade to in order to get this change?

[vincenthz]

@snoyberg Since x509-system-1.6.0, the SystemRootCertificates and the /Library/Keychains/System.keychain are automatically processed as the Trusted CA Store.

@laurencer Do you know which keychains your certificate is in ?

[snoyberg]

I can confirm that stack is currently using x509-system-1.6.0: https://www.stackage.org/lts-3.0/package/x509-system-1.6.0. Thanks @vincenthz

[laurencer]

@vincenthz - I believe the certificate was in /Library/Keychains/System.keychain (before I added it to the SystemRootCertificates manually). I'll have to check when I'm next at work...

[snoyberg]

Have you had a chance to check this?

[laurencer]

Yeah I'm fairly confident it was in /Library/Keychains/System.keychain. I would have to remove it from SystemRootCertificates to be sure though (to verify the bug)...

[thsutton]

I've just done this too and can confirm @laurencer's last comment: the cert was in System and adding it to SystemRootCertificates fixes the problem.

[snoyberg]

Is this an issue that should be moved to the tls package, or is there something that Stack can do about this?

[vincenthz]

I don't think there's anything Stack can do, short of supplying an extra list of CA maybe. I need to find time to see what's going on with the System keychain, unless someone beat me to it.

[snoyberg]

OK, thanks Vincent. Closing as an upstream issue.

[vincenthz]

I'm adding a tracking ticket for this: haskell-tls/hs-certificate#68

[dmvianna]

Any chance this will be fixed for non-root users? Other languages allow users to point to .pem certificates through configuration files. In Python one can use ~/.pip/pip.conf:

[global]

cert = /home/<user>/.pip/<cert>.pem
proxy = http://<proxy-address>:<port>/

[kyrias]

Looking at the code, it should be possible by setting the SYSTEM_CERTIFICATE_PATH environment variable?

[sjakobi]

Looking at the code, it should be possible by setting the SYSTEM_CERTIFICATE_PATH environment variable?

I think that should work.