In our company, we have a proxy server with a self-signed CA certificate implementing MITM inspection. No internet connection is possible without this proxy server. My certificate installation process on a fresh install of Ubuntu server 20.04 (omitting sudo):

```
apt install ca-certificates
openssl x509 -inform der -in CompanyCA.cer -out CompanyCA.crt
openssl x509 -inform der -in CompanyRootCA.cer -out CompanyRootCA.crt
cp CompanyCA.crt CompanyRootCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
```

This seems to have no effect. curl and wget still require the -k and --no-certificate-check options and apt's certificate verification fails. Timezone, date and time are set correctly.

Is there something else I could try (except ignoring it)?

  • Check if the certificate has been added to /etc/ssl/certs/ca-certificates.crt, if not run update-ca-certificates with `-v` – symcbean Jun 20 '23 at 14:10
  • Also check that the cert and chain are the ones you expect with `openssl s_client -connect -showcerts`, or with `curl --cacert` – captainmish Jun 20 '23 at 15:30
  • I suggest you also check the system logs for any error messages related to the certificate validation process. It's possible that there's another issue causing these errors. – Alexander Pavluchenko Jun 20 '23 at 15:34
  • @AlexanderPavluchenko Check the system logs with `dmesg`? I already checked `dmesg`, but didn't spot any errors relating to `apt`. – Green绿色 Jun 21 '23 at 01:28
  • @symcbean I verified both certificates are in `/etc/ssl/certs/ca-certificates.crt`. But `curl` and `apt` still are complaining. – Green绿色 Jun 21 '23 at 01:42
  • I solved this by copying over the certificates from another machine. Our company-internal docs are apparently outdated and are recommending old certificates. – Green绿色 Jun 21 '23 at 01:52
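
The situation the thread ends on, a CA file that installs cleanly and shows up in the bundle but is not the CA the proxy signs with, can be reproduced offline. This is an added example, not part of the original question or comments; it assumes the `openssl` CLI, and both CAs, the leaf, and all subject and file names are constructed.

```bash
#!/usr/bin/env bash
# Added example: every name, subject and file below is constructed for the demo.

# make_demo_pki DIR: create two self-signed CAs with the SAME subject but
# different keys ("old" = from outdated docs, "current" = what the proxy uses),
# plus a leaf certificate signed by the current CA.
make_demo_pki() {
    local d=$1 ca
    for ca in old current; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Example Company Root CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=proxy.example.internal" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 30 -CAcreateserial \
        -CA "$d/current.crt" -CAkey "$d/current.key" \
        -out "$d/leaf.crt" 2>/dev/null
}

# ca_trusts CA_PEM CERT_PEM: succeed if CERT_PEM validates with CA_PEM
# supplied as the trust anchor file.
ca_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fingerprint PEM: SHA-256 fingerprint, the value to compare between the
# installed CA file and the CA the proxy actually presents.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# demo: show that the subject alone does not identify the right CA.
demo() {
    local d ca
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    for ca in old current; do
        printf '%-8s %s  ' "$ca" "$(fingerprint "$d/$ca.crt")"
        if ca_trusts "$d/$ca.crt" "$d/leaf.crt"; then echo "verifies leaf"
        else echo "does NOT verify leaf"; fi
    done
    rm -rf "$d"
}
demo
```

Both CAs print the same subject, so comparing fingerprints (or running `openssl verify` against the chain the proxy presents) is what distinguishes a stale CA file from the current one.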