[Ubuntu] 將 mitmproxy Root CA 憑證加入信任清單
之前有寫一篇 [Mac] 將 mitmproxy Root CA 憑證加入信任清單,
今天因為想要在 Ubuntu 上,
用 mitmproxy 查看 Hybrid Golang Samples 它送出的 HTTPS 請求,
因此得把 mitmproxy 的 Root CA 憑證也加到 Ubuntu 的信任清單~
先在 Ubuntu 上執行 mitmproxy,
然後透過 mitmproxy,用 curl 去連 www.google.com 看看…
如預期的收到了錯誤訊息 self signed certificate in certificate chain,
因為 mitmproxy Root CA 並不被信任:
$ curl -L -v -x http://127.0.0.1:8080 https://www.google.com * Trying 127.0.0.1:8080... * TCP_NODELAY set * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) * allocate connect buffer! * Establish HTTP proxy tunnel to www.google.com:443 > CONNECT www.google.com:443 HTTP/1.1 > Host: www.google.com:443 > User-Agent: curl/7.68.0 > Proxy-Connection: Keep-Alive > < HTTP/1.1 200 Connection established < * Proxy replied 200 to CONNECT request * CONNECT phase completed! * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CONNECT phase completed! * CONNECT phase completed! * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: self signed certificate in certificate chain * Closing connection 0 curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
將 mitmproxy 的 Root CA 憑證複製到 /usr/local/share/ca-certificates 目錄下,
副檔名記得要改成 .crt,不然待會的步驟會失敗:
sudo cp ~/.mitmproxy/mitmproxy-ca-cert.cer /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt
執行 sudo update-ca-certificates
,
這會在 /etc/ssl/certs 目錄下製作一個符號連結 (symbolic link) ,
指向 /usr/local/share/ca-certificates 目錄下的 *.crt 檔案。
這裡應該要看到 1 added
,如果沒看到的話,
除非之前已經加過了,不然就是沒有加成功:
$ sudo update-ca-certificates Updating certificates in /etc/ssl/certs... rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
再試一次 curl,這次就可以順利連上 www.google.com 了:
$ curl -L -v -x http://127.0.0.1:8080 https://www.google.com * Trying 127.0.0.1:8080... * TCP_NODELAY set * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) * allocate connect buffer! * Establish HTTP proxy tunnel to www.google.com:443 > CONNECT www.google.com:443 HTTP/1.1 > Host: www.google.com:443 > User-Agent: curl/7.68.0 > Proxy-Connection: Keep-Alive > < HTTP/1.1 200 Connection established < * Proxy replied 200 to CONNECT request * CONNECT phase completed! * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CONNECT phase completed! * CONNECT phase completed! * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=www.google.com * start date: Jul 20 03:01:24 2022 GMT * expire date: Jul 21 03:01:24 2024 GMT * subjectAltName: host "www.google.com" matched cert's "www.google.com" * issuer: CN=mitmproxy; O=mitmproxy * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x559765bf2b00) > GET / HTTP/2 > Host: www.google.com > user-agent: curl/7.68.0 > accept: */* > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * old SSL session ID is stale, removing * Connection state changed (MAX_CONCURRENT_STREAMS == 100)! < HTTP/2 200 < date: Fri, 22 Jul 2022 03:01:25 GMT ......
參考資料:
Ubuntu Manpage: update-ca-certificates – update /etc/ssl/certs and ca-certificates.crt
(本頁面已被瀏覽過 772 次)