
Adding a custom CA Root certificate to GCloud utility (or Python generally) on Windows

I'm using gcloud on Windows to develop GAE stuff. The network here has a MITM root certificate by design so all SSL traffic can be snooped; I can install the root cert easily into a browser or the Windows certificate store, but can't successfully get this to work for Python, or more specifically, gcloud (which has its own Python bundled). The answers at "How to add a custom CA Root certificate to the CA Store used by Python in Windows?" don't work - I've tried setting the SSL_CERT_DIR and SSL_CERT_FILE environment variables to no avail, and the pip.ini solution isn't applicable as I'm not using pip.

askvictor asked Mar 15 '18 22:03



1 Answer

Assuming all your credential setup is in order, for MITM you likely also need to set proxy settings, for instance:

gcloud config set proxy/address 127.0.0.1
gcloud config set proxy/port 8080
gcloud config set proxy/type http

replacing the address/port with those of your MITM, and then either one of these:

gcloud config set auth/disable_ssl_validation True

or

gcloud config set core/custom_ca_certs_file cert.pem

Test by running some command, for example:

gcloud projects list

You can use the additional gcloud flag --log-http and/or tools like Burp to further debug which certs/proxies are being used.

cherba answered Oct 08 '22 20:10
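
An added example, not part of the original answer and not gcloud's own code: a PowerShell script that exports the interception root already installed in the Windows certificate store to PEM and applies the answer's core/custom_ca_certs_file option, so that auth/disable_ssl_validation can stay unset. The subject string and output path are assumptions to replace with your own; proxy settings are left as configured in the answer.

```powershell
# Added example. Values marked "Assumption" are placeholders, not from the page.
$ErrorActionPreference = 'Stop'

# Assumption: a substring of the corporate root's subject as shown in certmgr.msc.
$SubjectMatch = 'Example Corp Root CA'
# Assumption: where the exported PEM file is written.
$PemPath = Join-Path $env:USERPROFILE 'corp-root-ca.pem'

# Search the machine and user trusted-root stores, de-duplicated by thumbprint.
$found = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Sort-Object Thumbprint -Unique)

if ($found.Count -eq 0) { throw "No trusted root matches '$SubjectMatch'." }
if ($found.Count -gt 1) {
    $found | Format-List Subject, Thumbprint, NotAfter | Out-String | Write-Host
    throw "More than one root matches; narrow `$SubjectMatch before exporting."
}
$root = $found[0]

# Export only a self-issued, unexpired certificate; anything else is not the root.
if ($root.Subject -ne $root.Issuer) { throw "Match is not self-issued: $($root.Subject)" }
if ($root.NotAfter -lt (Get-Date)) { throw "Root expired on $($root.NotAfter)." }

# Convert the DER bytes from the store to PEM, the format gcloud's bundled Python reads.
$b64 = [Convert]::ToBase64String($root.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
[IO.File]::WriteAllText($PemPath, $pem, [Text.Encoding]::ASCII)

# Trust the exported root in gcloud and make sure validation is not switched off.
gcloud config set core/custom_ca_certs_file $PemPath
gcloud config unset auth/disable_ssl_validation

# Same test as in the answer; --log-http shows the requests as they go out.
gcloud projects list --log-http
```

If the test command still reports a certificate verification failure, compare the printed thumbprint of the exported root with the issuer of the certificate the proxy actually presents before changing any other setting.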