8

I am working with Debian, installed on Windows through WSL, and I am having some annoying problems with certificates. I am behind a corporate network and not entirely sure how it is set up (proxy, self-signed cert...)

There are quite a lot of actions that are failing to validate a certificate, even a simple sudo apt update is returning the following for some repositories: CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none.

Similar results with cURL, wget etc...

Since everything works perfectly on Windows, I tried to import the certificates from it.

Running openssl s_client -connect someDomainHere.com:443 </dev/null would give me the root certificate name, then moving it to /usr/local/share/ca-certificates/ and finally sudo update-ca-certificates does not change anything...

I would be very grateful if someone has an idea, since I have no more tricks left :)

Thanks

EDIT: forgot to mention I also tried to update and reinstall the ca-certificates

1 Answer

4

I'm not sure which commands you tried exactly (as the case may be, my hints are less helpful).

1. These commands work for me (without DPI-Firewall)

sudo apt-get update
sudo apt-get install wget ca-certificates

https://docs.microsoft.com/en-gb/windows/wsl/tutorials/wsl-vscode#update-your-linux-distribution

2. If your firewall proxy is using HTTPS Inspection (DPI), then make sure its "Certificate Trust chain" is installed

Please note carefully (certificates must have a .crt extension): https://manpages.debian.org/stretch/ca-certificates/update-ca-certificates.8.en.html

There are different ways to get the chain, for example via web-browser.

(or not tested:

openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -text

example.com stands for any server behind the firewall)

3. If you use WSL2: check if you are affected by a WSL2 bug with automatic generation of /etc/resolv.conf (wrong nameserver address)

To identify the correct IP address you can use this PowerShell cmdlet:

Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses
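
Step 2 of the answer above, carried through as an added example (not part of the original answer): save every certificate the inspecting proxy presents as a PEM file with a .crt extension, review it, install it, and re-check verification. The function names and the "corp" file prefix are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Hypothetical names:
# split_chain, fetch_chain, describe, install_ca, verify, prefix "corp".

# split_chain OUTDIR PREFIX: read text containing PEM blocks on stdin and
# write each certificate to OUTDIR/PREFIX-N.crt (update-ca-certificates
# only picks up files ending in .crt). Prints how many were written.
split_chain() {
  local outdir=$1 prefix=$2
  mkdir -p "$outdir" || return 1
  awk -v dir="$outdir" -v pre="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%s-%d.crt", dir, pre, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { if (inside) close(out); inside = 0 }
    END { print n + 0 }
  '
}

# fetch_chain HOST OUTDIR: -showcerts prints every certificate the peer
# sends, not just the leaf. A peer often omits the root itself; in that
# case export the root from the Windows certificate store instead.
fetch_chain() {
  openssl s_client -showcerts -servername "$1" -connect "$1:443" \
    </dev/null 2>/dev/null | split_chain "$2" corp
}

# describe CERT: fields to compare with the copy in the Windows store
# before trusting the file (a CA cert usually has subject != leaf host).
describe() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# install_ca CERT: copy one reviewed CA certificate (PEM) into the local
# trust directory with a .crt name and rebuild the bundle.
install_ca() {
  sudo cp "$1" "/usr/local/share/ca-certificates/$(basename "${1%.*}").crt" &&
    sudo update-ca-certificates
}

# verify HOST: expect "Verify return code: 0 (ok)" once the CA is trusted.
verify() {
  openssl s_client -servername "$1" -connect "$1:443" \
    -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null 2>/dev/null |
    grep 'Verify return code'
}

# Typical order: fetch_chain example.com ./chain; describe ./chain/corp-2.crt;
#                install_ca ./chain/corp-2.crt; verify example.com
```

Install only the CA certificate whose SHA-256 fingerprint matches the one shown for the corporate CA in the Windows certificate store, not the leaf certificate of the site.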
