Certificate is expired. #917

Open
lucashimpens opened this issue Jan 3, 2025 · 18 comments

Comments

@lucashimpens

Hello,

We are using the browsermob proxy and the certificate provided has been expired since yesterday: https://github.com/lightbody/browsermob-proxy/blob/master/browsermob-core/src/main/resources/sslSupport/ca-certificate-rsa.cer

Can we have a new certificate?

Thank you!

@workcheng

@niha55

niha55 commented Jan 4, 2025

This maven dependency uses this certificate internally which has been causing failure in page loads due to expiry. How should that be handled?

@workcheng

This maven dependency uses this certificate internally which has been causing failure in page loads due to expiry. How should that be handled?

Look at this:
#917

@niha55

niha55 commented Jan 6, 2025

The certificate is embedded within the dependency. Is there a way to overwrite it, because the outdated one in it is causing failure despite using a new certificate externally?

@workcheng

The certificate is embedded within the dependency. Is there a way to overwrite it, because the outdated one in it is causing failure despite using a new certificate externally?

Look at this:
https://github.com/lightbody/browsermob-proxy/tree/master/mitm
You can modify the code and generate a long-term certificate.

@niha55

niha55 commented Jan 6, 2025

Yes, this does generate the certificate, but every time I use the proxy there seems to be an issue with launching the website. I get a “connection not private error” and under details it's due to the expired certificate in the BrowserMob.

@praveenthumbur

praveenthumbur commented Jan 6, 2025

@jekh @xnx3 could you please help with this, generating a new certificate and updating it in the branch
https://github.com/lightbody/browsermob-proxy/blob/master/browsermob-core/src/main/resources/sslSupport/ca-certificate-ec.cer

@xnx3

xnx3 commented Jan 7, 2025

@jekh @xnx3 could you please help with this, generating a new certificate and updating it in the branch https://github.com/lightbody/browsermob-proxy/blob/master/browsermob-core/src/main/resources/sslSupport/ca-certificate-ec.cer

How can I assist? I don't have the overall management authority over this warehouse

@niha55

niha55 commented Jan 7, 2025

We would like help with creation of a new certificate and replacing it with the expired one in the repository under sslsupport folder

@workcheng

We would like help with creation of a new certificate and replacing it with the expired one in the repository under sslsupport folder

The certificate has expired. You should generate paired certificates in this way, update the program, and then install the newly generated certificate.cer into the browser:
https://github.com/lightbody/browsermob-proxy/tree/master/mitm#generating-and-saving-root-certificates

@niha55

niha55 commented Jan 9, 2025

That doesn't seem to work. @jekh could you please renew the certificate in this utility?

@niha55

niha55 commented Jan 9, 2025

The expired certificate in the utility is causing a blocker in using the dependency, as there is no way to overwrite it using a script.

@niha55

niha55 commented Jan 9, 2025

Has anybody found any workaround for this issue?

@artsab

artsab commented Jan 11, 2025

browsermob-proxy-2.1.5-bin.zip
build with updated certs.

@praveenthumbur

Hi,
Has anyone generated a certificate (ca-certificate-ec.cer) that worked for them? Can you share it?

@edschindler

Python user here.

  1. The certificate page assumes a java environment, and it's not clear that the things that it calls for doing have parallels in the python environment.

  2. Thanks to @artsab for upversioning with new certificates. I tried the one from the other Issue thread. However, there is an embedded certificate somewhere in the code. When run from the python adapter, the proxy continues to use the old certificate even though new ones are in the ssl-support directory. I've also tried putting new certificate sets into the 2.1.4 environment, but mitm stubbornly insists on ignoring them and using the old ones.

Puzzling and frustrating.

@workcheng

ca-certificate-ec.cer

Generating only the ca-certificate-ec.cer is not sufficient. It needs to be compatible with the certificate of the proxy server side.

@edschindler

Looking in more depth at the informal 2.1.5 version that @artsab so kindly provided, I see that the new certs are indeed embedded in the jar file.

However, when I try to use it in the python environment, attempts to access ssl sites hang. Here's what I'm doing:

  1. In a terminal, run a python script that activates browsermob-proxy, reports its port, and waits to be told to quit.

  2. I activate Firefox and do two things: import the certificate(s) from 2.1.5's ssl-support directory, and configure manual proxy on localhost and port as reported by the proxy. (I import both of the .cer files since I'm not sure which one is needed by default.)

  3. Navigating to a non-ssl site works fine. Navigating to an ssl site times out. The log file shows " Unable to read PEM-encoded data from file: certificate.cer"

Not sure what I'm doing wrong, if anything. The exact same steps using 2.1.4 result in the expired certificate failure, as expected.

(As noted previously, the python interface does not provide the same control over certificate generation and use as the java system does, so we are stuck with the defaults and can't override them. All that detail on the mitm readme is not useful.)

This is my simple python that activates browsermob-proxy:

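from browsermobproxy import Server
import time

# Start the BrowserMob Proxy server from the unpacked 2.1.5 distribution.
server = Server(path="./browsermob-proxy-2.1.5/bin/browsermob-proxy")
server.start()
time.sleep(1)
# Create a proxy instance; its port is the one the browser is pointed at.
proxy = server.create_proxy()
time.sleep(1)

# Block until the user presses Enter.
cmd = input('Proxy running on port {}. "Enter" to close... '.format(proxy.port))

# Shut down the proxy instance, then the server.
proxy.close()
server.stop()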

This is the contents of bmp.log upon activation and navigation to an ssl site:

[INFO  2025-01-20T07:49:03,612 net.lightbody.bmp.proxy.Main] (main) Starting BrowserMob Proxy version 2.1.5 
[INFO  2025-01-20T07:49:03,646 org.eclipse.jetty.util.log] (main) jetty-7.x.y-SNAPSHOT 
[INFO  2025-01-20T07:49:03,689 org.eclipse.jetty.util.log] (main) started o.e.j.s.ServletContextHandler{/,null} 
[INFO  2025-01-20T07:49:03,865 org.eclipse.jetty.util.log] (main) Started [email protected]:8080 
[INFO  2025-01-20T07:49:05,760 net.lightbody.bmp.BrowserMobProxyServer] (qtp1251897263-21) mitmManager inititalization ... 
[INFO  2025-01-20T07:49:05,928 org.littleshoot.proxy.impl.DefaultHttpProxyServer] (qtp1251897263-21) Starting proxy at address: 0.0.0.0/0.0.0.0:8081 
[INFO  2025-01-20T07:49:05,956 org.littleshoot.proxy.impl.DefaultHttpProxyServer] (qtp1251897263-21) Proxy listening with TCP transport 
[INFO  2025-01-20T07:49:06,025 org.littleshoot.proxy.impl.DefaultHttpProxyServer] (qtp1251897263-21) Proxy started at address: /0:0:0:0:0:0:0:0:8081 
[WARN  2025-01-20T07:49:12,704 io.netty.util.concurrent.DefaultPromise] (LittleProxy-0-ClientToProxyWorker-0) An exception was thrown by org.littleshoot.proxy.impl.ConnectionFlow$2.operationComplete() net.lightbody.bmp.mitm.exception.MitmException: Error creating SSLEngine for connection to client to impersonate upstream host: www.google.com
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.clientSslEngineFor(ImpersonatingMitmManager.java:227) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ProxyToServerConnection$3.execute(ProxyToServerConnection.java:724) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlow.doProcessCurrentStep(ConnectionFlow.java:140) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlow.processCurrentStep(ConnectionFlow.java:128) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlow.advance(ConnectionFlow.java:90) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlowStep.onSuccess(ConnectionFlowStep.java:83) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlow$2.operationComplete(ConnectionFlow.java:149) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:481) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:420) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.DefaultPromise.addListener(DefaultPromise.java:163) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.channel.DefaultChannelPromise.addListener(DefaultChannelPromise.java:93) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.channel.DefaultChannelPromise.addListener(DefaultChannelPromise.java:28) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlow.doProcessCurrentStep(ConnectionFlow.java:140) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlow.access$000(ConnectionFlow.java:14) ~[browsermob-dist-2.1.5.jar:?]
	at org.littleshoot.proxy.impl.ConnectionFlow$1.run(ConnectionFlow.java:124) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.PromiseTask$RunnableAdapter.call(PromiseTask.java:38) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.PromiseTask.run(PromiseTask.java:73) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:403) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:463) ~[browsermob-dist-2.1.5.jar:?]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[browsermob-dist-2.1.5.jar:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.google.common.util.concurrent.UncheckedExecutionException: net.lightbody.bmp.mitm.exception.ImportException: Unable to read PEM-encoded data from file: certificate.cer
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2213) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache.get(LocalCache.java:4053) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4899) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.getHostnameImpersonatingSslContext(ImpersonatingMitmManager.java:242) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.clientSslEngineFor(ImpersonatingMitmManager.java:223) ~[browsermob-dist-2.1.5.jar:?]
	... 22 more
Caused by: net.lightbody.bmp.mitm.exception.ImportException: Unable to read PEM-encoded data from file: certificate.cer
	at net.lightbody.bmp.mitm.util.EncryptionUtil.readPemStringFromFile(EncryptionUtil.java:109) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.PemFileCertificateSource.loadCertificateAndKeyFiles(PemFileCertificateSource.java:75) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.PemFileCertificateSource.access$0(PemFileCertificateSource.java:62) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.PemFileCertificateSource$1.get(PemFileCertificateSource.java:32) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.PemFileCertificateSource$1.get(PemFileCertificateSource.java:1) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.base.Suppliers$NonSerializableMemoizingSupplier.get(Suppliers.java:160) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.PemFileCertificateSource.load(PemFileCertificateSource.java:59) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager$2.get(ImpersonatingMitmManager.java:124) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager$2.get(ImpersonatingMitmManager.java:1) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.base.Suppliers$NonSerializableMemoizingSupplier.get(Suppliers.java:160) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.createImpersonatingSslContext(ImpersonatingMitmManager.java:291) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.createImpersonatingSslContext(ImpersonatingMitmManager.java:271) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.access$3(ImpersonatingMitmManager.java:264) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager$3.call(ImpersonatingMitmManager.java:245) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager$3.call(ImpersonatingMitmManager.java:1) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4904) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3627) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2335) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2294) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2207) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache.get(LocalCache.java:4053) ~[browsermob-dist-2.1.5.jar:?]
	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4899) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.getHostnameImpersonatingSslContext(ImpersonatingMitmManager.java:242) ~[browsermob-dist-2.1.5.jar:?]
	at net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager.clientSslEngineFor(ImpersonatingMitmManager.java:223) ~[browsermob-dist-2.1.5.jar:?]
	... 22 more
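
Both symptoms reported in this thread, an expired CA embedded in the jar and a certificate file the proxy cannot read as PEM, can be checked before the proxy is started. The following is an added example, not code from the project or from any commenter: using only the Python standard library, it lists every `.cer`/`.pem` entry inside a jar and reports its encoding (PEM or DER), its `notAfter` date and whether it has expired. The function names are illustrative, and the minimal DER walk assumes a well-formed X.509 certificate.

```python
import base64, re, zipfile
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data):
    """Classify certificate bytes as PEM or DER; return (encoding, DER bytes)."""
    m = PEM_RE.search(data)
    if m:
        return "PEM", base64.b64decode(m.group(1))
    return ("DER", data) if data[:1] == b"\x30" else (None, b"")

def tlv(buf, pos):
    """Read the DER element at pos; return (tag, content start, content end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity; return notAfter (UTC)."""
    pos = tlv(der, tlv(der, 0)[1])[1]       # enter Certificate, then tbsCertificate
    tag, _, end = tlv(der, pos)
    pos = end if tag == 0xA0 else pos       # skip the optional [0] version field
    for _ in range(3):                      # skip serialNumber, signature, issuer
        pos = tlv(der, pos)[2]
    pos = tlv(der, pos)[1]                  # enter validity
    pos = tlv(der, pos)[2]                  # skip notBefore
    tag, start, end = tlv(der, pos)         # 0x17 UTCTime or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(der[start:end].decode("ascii"), fmt)
    if tag == 0x17 and when.year >= 2050:   # RFC 5280: UTCTime YY >= 50 means 19YY
        when = when.replace(year=when.year - 100)
    return when.replace(tzinfo=timezone.utc)

def audit_jar(jar, now=None):
    """Map each .cer/.pem entry in a jar to (encoding, notAfter, expired)."""
    now = now or datetime.now(timezone.utc)
    report = {}
    with zipfile.ZipFile(jar) as z:
        for name in (n for n in z.namelist() if n.lower().endswith((".cer", ".pem"))):
            try:
                enc, der = to_der(z.read(name))
                expiry = not_after(der) if enc else None
            except (IndexError, ValueError):  # not a parseable certificate
                enc, expiry = None, None
            report[name] = (enc, expiry, expiry is not None and expiry <= now)
    return report
```

Call `audit_jar()` with the path to the distribution jar (the stack trace above names it `browsermob-dist-2.1.5.jar`; its location on disk is an assumption). An entry reported with encoding `None`, or as `DER` where a PEM file is expected, is one a PEM-only loader cannot consume.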
