Gentoo Forums
[Solved] Help with Trust Certificates
Forum Index: Networking & Security
gfaccin (Tux's lil' helper, joined 20 Aug 2004, 111 posts)
Posted: Fri Jun 30, 2017 4:15 pm    Post subject: [Solved] Help with Trust Certificates

Hi all,

In my workplace I work basically under the surveillance of The Big Brother. :cry:

Everyone uses Windows and is required to install network certificates, named SonicWall_DPI-SSL_CA.cer and dpi-ssl-2048-sha2.cer, from SonicWall Inc.

I'm the only one using Gentoo because I don't want Windows. I need to be free to work (really, not doing anything wrong, just need my apps and linux programming environment).

I've installed those pesky certificates in Firefox in order to access the web.

My problem is with portage: whenever I try to install software that is downloaded by portage using wget, errors like this happen:

Code:

arara gfaccin # layman -L

 * Fetching remote list...
 * Warning: an installed db file was not found at: ['/var/lib/layman/cache_930c3ed4a5f89f74fd810585751a06e3.xml']
 * Connector.connect_url(); Failed to update the mirror list from: https://api.gentoo.org/overlays/repositories.xml
 * SSLError was:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)


I know that I can install certificates in /usr/local/share/ca-certificates. However, that location takes certificates in a different format than the .cer files that I've got, and I don't know how to convert them from the Windows .cer format to a linux compatible one.

I've also tried to customize the wget command used by emerge in order to ignore certificates; something like this in /etc/portage/make.conf:
Code:

FETCHCOMMAND="/usr/bin/wget --no-check-certificate \${URI} -P \${DISTDIR}/\${FILE}"
RESUMECOMMAND="/usr/bin/wget -c --no-check-certificate \${URI} -P \${DISTDIR}/\${FILE}"


However, that fails because the file downloaded by emerge is saved as a directory. It would be fixed, it appears, by removing the \${FILE} in the command, but emerge does not accept that possibility.

Can anyone please guide me in order to have emerge and layman working in a network that requires these certificates?

Thank you!


Last edited by gfaccin on Wed Jul 05, 2017 9:33 pm; edited 1 time in total
wolvie (n00b, joined 01 Mar 2004, 27 posts)
Posted: Fri Jun 30, 2017 8:48 pm

If you need to convert the certificate format, this should do the trick:

Code:
openssl x509 -inform der -in certificate.cer -out certificate.pem
gfaccin (Tux's lil' helper, joined 20 Aug 2004, 111 posts)
Posted: Fri Jun 30, 2017 9:13 pm

Thanks for the reply wolvie!

I tried to convert the certificates here at home (will be able to test definitively at work next Monday). One of the certificates converted out of the box.

The other one returned an error:

Code:

gfaccin@piranha ~/ufgd/VPN $ openssl x509 -inform der -in SonicWall_DPI-SSL_CA.cer -out SonicWall_DPI-SSL_CA.pem
unable to load certificate
139964553229976:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1199:
139964553229976:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509


Would you have any guidance on this one? Thanks!
wolvie (n00b, joined 01 Mar 2004, 27 posts)
Posted: Fri Jun 30, 2017 9:27 pm

Hmmm... seems the second one isn't in DER format.

Try to read the certificate info with openssl:

Code:
openssl x509 -in SonicWall_DPI-SSL_CA.cer -text -noout
gfaccin (Tux's lil' helper, joined 20 Aug 2004, 111 posts)
Posted: Fri Jun 30, 2017 9:32 pm

wolvie wrote:
hmmm.. seems the second one isn't in DER format.

try to read the certificate info with openssl with

Code:
openssl x509 -in SonicWall_DPI-SSL_CA.cer -text -noout


Here's the output:

Code:

gfaccin@piranha ~/ufgd/VPN $ openssl x509 -in  SonicWall_DPI-SSL_CA.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c0:a8:73:0e:ce:72:9d:bf
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, O=SonicWALL Inc., CN=SonicWALL Firewall DPI-SSL
        Validity
            Not Before: Mar  9 21:39:20 2009 GMT
            Not After : Mar  4 21:39:20 2029 GMT
        Subject: C=US, ST=CA, O=SonicWALL Inc., CN=SonicWALL Firewall DPI-SSL
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cf:52:af:45:62:33:d5:1f:40:33:c4:d7:5d:74:
                    bd:0a:59:91:b0:4c:25:d5:16:4c:67:28:9b:1f:25:
                    93:ff:23:7b:7f:0e:f8:68:eb:4b:5c:c4:6f:0c:3b:
                    24:9f:46:10:cf:0f:62:73:f1:37:da:40:98:28:6d:
                    48:dc:b9:6e:f8:90:74:da:97:7c:03:21:4b:14:47:
                    20:28:38:94:57:2c:6b:de:5b:ce:84:66:d5:4c:c3:
                    d3:d8:d7:aa:c2:50:3b:c0:51:e9:b9:8b:13:e5:d9:
                    62:70:3f:40:5f:96:ed:a8:a7:e7:cf:56:90:24:b7:
                    11:1f:60:a6:dc:2e:c3:af:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                57:40:CF:79:DA:79:91:21:46:95:20:E0:C7:C3:D8:38:3D:DE:79:A8
            X509v3 Authority Key Identifier:
                keyid:57:40:CF:79:DA:79:91:21:46:95:20:E0:C7:C3:D8:38:3D:DE:79:A8
                DirName:/C=US/ST=CA/O=SonicWALL Inc./CN=SonicWALL Firewall DPI-SSL
                serial:C0:A8:73:0E:CE:72:9D:BF

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         a6:92:04:62:1f:c0:35:af:a8:a7:d2:ed:e2:02:a1:41:ba:23:
         43:76:4a:9e:7d:53:99:01:42:c4:a6:5c:74:d3:f9:04:4d:1e:
         66:dc:83:ae:ac:6f:a9:2a:59:f8:4a:63:69:95:98:31:03:af:
         e5:76:bf:b0:3e:05:d0:0f:bd:a6:6d:75:07:0c:b2:1a:49:ea:
         e7:8c:c8:4d:0b:53:31:85:51:a2:5d:31:8b:c9:82:f6:50:bb:
         f9:da:69:3c:10:8c:d8:43:19:3b:0d:67:cb:26:a0:ae:53:26:
         79:f7:eb:29:91:0b:b8:d2:e4:d9:5f:5e:03:73:fb:8c:d7:8d:
         9b:26
gfaccin@piranha ~/ufgd/VPN $

wolvie (n00b, joined 01 Mar 2004, 27 posts)
Posted: Fri Jun 30, 2017 9:37 pm

Looks like the certificate is already in PEM format, no need to convert. It might have some garbage before the
Code:
-----BEGIN CERTIFICATE-----

If it does not get accepted, make a copy of it, remove anything before that line and try again :)
gfaccin (Tux's lil' helper, joined 20 Aug 2004, 111 posts)
Posted: Fri Jun 30, 2017 10:05 pm

I'll try just renaming it.

The contents of the file, as shown in a text editor, are these:

Code:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


So there's no garbage.

Now one question: will wget automatically accept these certificates once they are in the certificates folder?
Ant P. (Watchman, joined 18 Apr 2009, 5917 posts)
Posted: Fri Jun 30, 2017 10:34 pm

Put the PEM files in /usr/local/share/ca-certificates and then run update-ca-certificates.
wolvie (n00b, joined 01 Mar 2004, 27 posts)
Posted: Fri Jun 30, 2017 10:36 pm

Just drop the files in

Code:
/usr/local/share/ca-certificates/


You can (should) create a directory inside it to keep certs organized, and then run

Code:
update-ca-certificates

or
Code:
emerge app-misc/ca-certificates
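As an added worked example (not code from this thread, from SonicWall or from the Gentoo ca-certificates package), the script below ties together the two halves of the fix the replies describe: converting a .cer that may be DER or PEM (wolvie's `openssl x509 -inform der` step, plus the "garbage before BEGIN" case), and placing the result under /usr/local/share/ca-certificates before running update-ca-certificates. It detects the format instead of assuming it, so a PEM file never hits the ASN.1 "wrong tag" error, rejects DER that is truncated or carries trailing bytes, strips junk and Windows CRLF endings from PEM, and writes the file with a .crt suffix. Assumptions made here: the update-ca-certificates script that app-misc/ca-certificates installs (Debian's) only collects files named *.crt from that tree; the `corp-dpi` subdirectory name is my choice; and the sample bytes are a constructed DER SEQUENCE, not a real certificate, so that the script runs offline.

```python
"""Normalise a CA certificate (.cer in DER or PEM) and stage it for
update-ca-certificates.  Standard library only, no network access."""
import base64
import hashlib
import re
import ssl
import tempfile
from pathlib import Path
from typing import Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# Assumption: the update-ca-certificates script shipped by app-misc/ca-certificates
# scans this tree for files named *.crt; other suffixes (.cer, .pem) are ignored.
DEFAULT_CA_ROOT = "/usr/local/share/ca-certificates"


def der_total_length(raw: bytes) -> int:
    """Size of the outer DER SEQUENCE in raw, or -1 if its header is malformed.
    An X.509 Certificate is a SEQUENCE, so raw[0] must be 0x30."""
    if len(raw) < 2 or raw[0] != 0x30:
        return -1
    first = raw[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(raw) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")


def looks_like_der(raw: bytes) -> bool:
    """True when raw is exactly one well-formed DER SEQUENCE.  Catches truncated
    downloads and trailing junk, both of which make openssl report 'wrong tag'."""
    return der_total_length(raw) == len(raw)


def to_pem(raw: bytes) -> str:
    """Return a canonical PEM block (LF endings, 64-column base64, nothing before
    BEGIN or after END) from either DER or PEM input."""
    text = raw.decode("latin-1")          # lossless for any bytes; PEM is ASCII
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), text, re.S)
    if m:
        # PEM: keep only the base64 body, dropping CR/LF and stray whitespace.
        body = re.sub(r"\s+", "", m.group(1))
        der = base64.b64decode(body, validate=True)
    elif looks_like_der(raw):
        der = raw
    else:
        raise ValueError("not a DER or PEM certificate (truncated or trailing data?)")
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem via the stdlib helper, which itself rejects junk before BEGIN."""
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER encoding, colon-separated as OpenSSL and
    Firefox display it, for out-of-band comparison before trusting the CA."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def stage_cert(raw: bytes, name: str, ca_root: str = DEFAULT_CA_ROOT,
               subdir: str = "corp-dpi") -> Path:
    """Write the normalised PEM to <ca_root>/<subdir>/<name>.crt and return the path.
    The original suffix is replaced because only *.crt files are collected.
    Running update-ca-certificates afterwards (as root) is the caller's job."""
    safe = re.sub(r"[^A-Za-z0-9_.-]", "_", Path(name).stem)
    dest = Path(ca_root) / subdir / (safe + ".crt")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(to_pem(raw))
    return dest


# Constructed sample input (NOT a real certificate): a 12-byte DER SEQUENCE
# { INTEGER 5, OCTET STRING "hello" }, enough to exercise the framing logic.
SAMPLE_DER = bytes.fromhex("300a020105040568656c6c6f")
# The same bytes as a Windows-style PEM export: junk before BEGIN, CRLF endings.
SAMPLE_PEM_JUNK = (b"Bag Attributes\r\n    friendlyName: corp\r\n"
                   + PEM_HEADER.encode() + b"\r\nMAoCAQUEBWhlbGxv\r\n"
                   + PEM_FOOTER.encode() + b"\r\n")


def demo(ca_root: Optional[str] = None) -> dict:
    """Stage both samples (into a temp dir unless ca_root is given) and report."""
    root = ca_root or tempfile.mkdtemp(prefix="ca-stage-")
    der_dest = stage_cert(SAMPLE_DER, "dpi-ssl-2048-sha2.cer", root)
    pem_dest = stage_cert(SAMPLE_PEM_JUNK, "SonicWall_DPI-SSL_CA.cer", root)
    return {
        "der_dest": str(der_dest),
        "pem_dest": str(pem_dest),
        "same_pem": der_dest.read_text() == pem_dest.read_text(),
        "fingerprint": sha256_fingerprint(der_dest.read_text()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the real files, call `stage_cert()` as root with the default root (or `demo("/usr/local/share/ca-certificates")` to see the layout), then run `update-ca-certificates` and check with `wget --spider https://api.gentoo.org/overlays/repositories.xml`: wget and Python's ssl module (which is what layman's error comes from) both read the OpenSSL default store in /etc/ssl/certs, so no FETCHCOMMAND change is needed, and `--no-check-certificate`, which switches verification off for every download, is not. Before trusting the CA system-wide, compare `sha256_fingerprint()` with the fingerprint Firefox shows for the certificate it already accepts. The `-text` dump earlier in the thread shows a self-signed, SHA-1-signed 1024-bit RSA CA with CA:TRUE valid until 2029: every certificate the appliance mints will be trusted by this machine, which is why it belongs only on hosts that sit behind that appliance.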
gfaccin (Tux's lil' helper, joined 20 Aug 2004, 111 posts)
Posted: Wed Jul 05, 2017 9:34 pm

I'm at work now and it seems that the situation is fixed! Thank you all!

Changing the post topic to Solved.