CURL does not recognize certificate

curlhttpsnixosPROXYssl

At our company they enforce a web proxy which breaks SSL connections and replaces the certificate by its own fake certificate. (To be precise it uses a proxy cert which is signed by the company cert.)

In order to download from a https URL I therefore have to make my system trust that fake certificate (or disable certificate checking).

I therefore added both the proxy cert and the company cert to both /etc/ssl/certs/ca-bundle.crt and /etc/ssl/certs/ca-certificates.crt. (Both link to the same file.)

Now downloading with wget works fine, however downloading with curl does not work, because curl is not able to verify the certificate:

* Rebuilt URL to: https://company.net/
* Hostname was NOT found in DNS cache
*   Trying 172.18.111.111...
* Connected to 172.18.111.111 (172.18.111.111) port 3128 (#0)
* Establish HTTP proxy tunnel to company.net:443
> CONNECT company.net:443 HTTP/1.1
> Host: company.net:443
> User-Agent: curl/7.39.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain

What might be wrong? How can I debug further?

Best Answer

You need to tell nix about the certs, like so:

security.pki.certificates = [''cert strings go here in PEM format''];

i.e.:

 security.pki.certificates = [
    ''

      -----BEGIN CERTIFICATE-----
<CUT>
      -----END CERTIFICATE-----
    ''
 ];

You can add many of them if you so choose. This will add the included certs to the system cert store, and curl should then use them without any extra command line args.

Related Solutions

Does curl have a –no-check-certificate option like wget

Yes. From the manpage:

-k, --insecure

(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.

The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.

See this online resource for further details: https://curl.haxx.se/docs/sslcerts.html

See also --proxy-insecure and --cacert.

The reference mentioned in that manpage entry describes some of the specific behaviors of -k .

These behaviors can be observed with curl requests to test pages from BadSSL.com

curl -X GET https://wrong.host.badssl.com/
curl: (51) SSL: no alternative certificate subject name matches target host name 'wrong.host.badssl.com'

curl -k -X GET https://wrong.host.badssl.com/
..returns HTML content...

How to make a self-signed certificate persist in nixos

You didn't specify what certfile looks like in the first line. If it's a variable thats populated with a builtins.readFile, you can skip that step and just populate the variable yourself.

$> nixos-option security.pki.certificates
Value:
[ "-----BEGIN CERTIFICATE-----
... edited for brevity .... " ]

Default:
[ ]

Example:
[ "NixOS.org\n=========\n-----BEGIN CERTIFICATE-----\nMIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ\nTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0\n...\n-----END CERTIFICATE-----\n" ]

Description:

A list of trusted root certificates in PEM format.

Declared by:
  "/etc/nixos/nixpkgs/nixos/modules/security/ca.nix"

Defined by:
  "/etc/nixos/user.nix

So, setting security.pki.certificates [ "insert certificate here" ]; would eliminate the file dependency and then the configuration is self contained.

Otherwise, if you wanted to keep the content out of the configuration, you'd need to create packaging/a derivation for it and add it to the store.

Related Question