Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certificate Issues behind Corporate Proxy? #907

Closed
laurencer opened this issue Sep 3, 2015 · 17 comments
Closed

Certificate Issues behind Corporate Proxy? #907

laurencer opened this issue Sep 3, 2015 · 17 comments
Milestone

Comments

@laurencer
Copy link

@laurencer laurencer commented Sep 3, 2015

When stack is pulling new packages - I'm getting the following error:

TlsException (HandshakeFailed (Error_Protocol ("certificate rejected: [SelfSigned]",True,CertificateUnknown)))

I'm assuming this is because I'm behind a corporate MITM proxy. Anyway to get it to accept my systems custom root CA?

@snoyberg
Copy link
Contributor

@snoyberg snoyberg commented Sep 3, 2015

In general stack (and the underlying tls library for Haskell) do respect system certificates. There are debugging instructions available for this at:

https://github.com/vincenthz/hs-tls/#common-issues

I have personal experience using stack in this use case, so (perhaps surprisingly) it is actually tested.

@snoyberg snoyberg added this to the Support milestone Sep 3, 2015
@laurencer
Copy link
Author

@laurencer laurencer commented Sep 5, 2015

Okay thanks - I'll have a look on Monday and see if I can get it working

@laurencer
Copy link
Author

@laurencer laurencer commented Sep 6, 2015

I seem to be running in to this issue here. It's fixed in the latest version of hs-certificate but I'm guessing that's not used by Stack yet. It only happens on recent versions of Mac OS X due to a way the Keychains have been changed.

The temporary fix was to add the certificate to the SystemRootCertificates Keychain (aka sudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain ~/my_fancy_cert.pem), but it'd be nice in future if we didn't have to.

Any idea how to bump the version appropriately?

@snoyberg
Copy link
Contributor

@snoyberg snoyberg commented Sep 7, 2015

The certificate package is marked as deprecated in favor of x509.

@vincenthz Can you let us know which version of which package we need to upgrade to in order to get this change?

@vincenthz
Copy link
Contributor

@vincenthz vincenthz commented Sep 7, 2015

@snoyberg Since x509-system-1.6.0, the SystemRootCertificates and the /Library/Keychains/System.keychain are automatically processed as the Trusted CA Store.

@laurencer Do you know which keychains your certificate is in ?

@snoyberg
Copy link
Contributor

@snoyberg snoyberg commented Sep 7, 2015

I can confirm that stack is currently using x509-system-1.6.0: https://www.stackage.org/lts-3.0/package/x509-system-1.6.0. Thanks @vincenthz

@laurencer
Copy link
Author

@laurencer laurencer commented Sep 11, 2015

@vincenthz - I believe the certificate was in /Library/Keychains/System.keychain (before I added it to the SystemRootCertificates manually). I'll have to check when I'm next at work...

@snoyberg
Copy link
Contributor

@snoyberg snoyberg commented Sep 21, 2015

Have you had a chance to check this?

@laurencer
Copy link
Author

@laurencer laurencer commented Sep 21, 2015

Yeah I'm fairly confident it was in /Library/Keychains/System.keychain. I would have to remove it from SystemRootCertificates to be sure though (to verify the bug)...

@thsutton
Copy link

@thsutton thsutton commented Sep 24, 2015

I've just done this too and can confirm @laurencer's last comment: the cert was in System and adding it to SystemRootCertificates fixes the problem.

@snoyberg
Copy link
Contributor

@snoyberg snoyberg commented Sep 30, 2015

Is this an issue that should be moved to the tls package, or is there something that Stack can do about this?

@vincenthz
Copy link
Contributor

@vincenthz vincenthz commented Sep 30, 2015

I don't think there's anything Stack can do, short of supplying an extra list of CA maybe. I need to find time to see what's going on with the System keychain, unless someone beat me to it.

@snoyberg
Copy link
Contributor

@snoyberg snoyberg commented Sep 30, 2015

OK, thanks Vincent. Closing as an upstream issue.

@snoyberg snoyberg closed this Sep 30, 2015
@vincenthz
Copy link
Contributor

@vincenthz vincenthz commented Sep 30, 2015

I'm adding a tracking ticket for this: vincenthz/hs-certificate#68

@dmvianna
Copy link

@dmvianna dmvianna commented Mar 17, 2016

Any chance this will be fixed for non-root users? Other languages allow users to point to .pem certificates through configuration files. In Python one can use ~/.pip/pip.conf:

[global]

cert = /home/<user>/.pip/<cert>.pem
proxy = http://<proxy-address>:<port>/
@kyrias
Copy link

@kyrias kyrias commented May 6, 2016

Looking at the code, it should be possible by setting the SYSTEM_CERTIFICATE_PATH environment variable?

@sjakobi
Copy link
Member

@sjakobi sjakobi commented Jul 14, 2016

Looking at the code, it should be possible by setting the SYSTEM_CERTIFICATE_PATH environment variable?

I think that should work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants