If you use the --cacert option, I think you need to make sure the pem file is a bundle of certificates, including the entire chain back to the root cert. There is also a --capath option where you can specify a directory of certificates that can be used. If using openssl, use the c_rehash command to reprocess the certificates if you've added or removed any in the directory.
On Fri, Nov 15, 2019, 11:02 AM Barry Roberts <b...@robertsr.us> wrote:

> My employer, in their infinite wisdom, has implemented a TLS inspection
> proxy (MITM attack), and I'm trying to figure out how to get everything
> working again on Fedora 30.
>
> I have a .pem file that I downloaded with firefox. If I use keytool to
> import that into the java cacerts keystore, that fixes issues with java.
> So I'm pretty sure my .pem file is good.
>
> But I cannot get curl to use the .pem file to trust the ZScaler's CA cert.
> I've tried:
>
> 1. curl --cacert mitm.pem https://nodejs.org
> 2. Adding the .pem file to /etc/pki/ca-trust/source/anchors/, and making
>    sure it's in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (and its
>    symlink /etc/pki/tls/certs/ca-bundle.crt) after running 'update-ca-trust'
> 3. curl --cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>
> Curl consistently complains that it can't verify the tls cert. I'm
> probably missing something obvious here, but I'm stuck. Any ideas or
> suggestions?
>
> Thanks,
> Barry
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
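The two points in the reply (a --cacert bundle has to carry the whole chain back to the root, and a --capath directory has to be rehashed) can be reproduced offline. The script below is an added example, not code from the thread; it builds a constructed root -> intermediate -> leaf chain with openssl and uses `openssl verify -CAfile` / `-CApath` as stand-ins for the checks curl's `--cacert` and `--capath` perform. All names and the 1-day validity are constructed.

```shell
#!/bin/sh
# Added demo (not from the thread): build a constructed two-level CA with
# openssl and show the two points from the reply: a --cacert bundle must
# carry the whole chain back to the root, and a --capath directory must be
# hashed (c_rehash, or the built-in openssl rehash) before lookups work.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA -> intermediate CA -> leaf, all constructed, 1-day validity.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  for name in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
      -out "$WORK/$name.csr" -subj "/CN=Demo $name" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.pem" \
    -days 1 -extfile "$WORK/ca.ext" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/inter.pem" -days 1 -extfile "$WORK/ca.ext" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 1 2>/dev/null
}

# The check curl --cacert performs: verify the leaf against one PEM file.
# Prints OK or FAIL rather than exiting, so results can be compared.
verify_cafile() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The check curl --capath performs: verify against a hashed directory.
verify_capath() {
  if openssl verify -CApath "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Create the <hash>.0 links that directory lookup needs.
rehash_dir() {
  openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1
}

make_pki
cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/bundle.pem"        # full chain
mkdir -p "$WORK/capath" && cp "$WORK/root.pem" "$WORK/inter.pem" "$WORK/capath/"
CAPATH_BEFORE_REHASH=$(verify_capath "$WORK/capath")                # FAIL
rehash_dir "$WORK/capath"
echo "cacert, intermediate only: $(verify_cafile "$WORK/inter.pem")"   # FAIL
echo "cacert, full chain bundle: $(verify_cafile "$WORK/bundle.pem")"  # OK
echo "capath before rehash:      $CAPATH_BEFORE_REHASH"
echo "capath after rehash:       $(verify_capath "$WORK/capath")"      # OK
```

The intermediate-only file fails with "unable to get issuer certificate" for the same reason an incomplete --cacert bundle fails in curl: without a self-signed root in the file there is nothing to anchor the chain to.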