3

I am trying to get my Ubuntu machine to properly recognize and use the certificate from Fiddler as a trusted source so I can decryt HTTPS traffic (specifically to google-analytics). I had this working once before, but had to since reinstall Ubuntu and now have to re-setup Fiddler. I can't remember what I did in the first place and I've spent the better part of today trying to figure it out.

I think I am inching closer to getting this certificate to recognize. By that I mean that when I went to Google a few hours ago, while using Fiddler, I would see the 'Connection Not Secure message' - which I think means Google is just actively refusing to recognize Fiddler's certificate. Now, I am getting a This Site Can't Be Reached page (ERR_SOCKET_NOT_CONNECTED) page.

I have tried a number of different things today to try to get this to work, but this is what I did with my last attempt:

Used THIS SITE as a jumping off point to get Fiddler installed.

  • Installed mono 4.8.0

  • Did not run the '/usr/lib/mono//mozroots --import --sync' command from the Linux setup page since when I tried I got a message in Terminal saying that mozroots is depreciated and to use client_sync instead. (client_sync seems to just update the mono cert store with whatever CRT file you pass to it.

  • Installed Fiddler (Left it as default as I could - using 8888 as listing port)

  • Ticked the 'Decrpyt HTTPS' box in Fiddler

  • Exported the Fiddler certificate to the desktop

  • Converted the CER cert file to PEM format (CRT specifically) with openssl (update-ca-certificates on ubuntu needs a PEM formatted cert file and the CER file Fiddler exports is in a binary format.)

  • Copied the CRT file to /usr/share/ca-certificates/

  • From terminal ran 'sudo dpkg-reconfigure ca-certificates' (Clicked 'Ask' then 'OK') (this re configures ca-certificates, runs update-ca-certificate, and updates mono cert store (by running client_sync from mono and passes it the updated ca-certificates.crt file that this process creates). This places a PEM version of the Fiddler CRT file into /etc/ssl/ca-certificates/ and packages it into the bigger ca-certificates.conf file.

This is pretty much where I am at right now. Turning Fiddler off - I can get to Google just fine, turning it on gives me the page I mentioned at the top of this post. I can see all other HTTP requests as expected.

When I got this to work last time, I was reading a lot of suggestions of the web for how to get a CA certificate installed on Ubuntu and tried to pick that trail up again, but everything I read has since blended together. I do vaguely remember importing the Fiddler cert file into Firefox as a Person, exporting that cert, then importing the file I just exported back into FF as a CA trusted root, then deleted the person cert that I installed in the first place. I think I them used the cert exported from FF to import to the system with 'update-ca-certificates'. I have no idea if this was a critical step or not.

I was also playing around with mitmproxy at the same time which also needed a proxy - again, no idea if that helped the process at all.

I am basically throwing things at a wall right now and seeing what sticks.

Ryan
  • 31

1 Answers1

0

Ryan, Have a look at this procedure; you have done most of the work, the relevant portion should be towards the end. I fixed this issue about a month ago, and it basically comes down to selecting the right option while you are importing the certificate. I don't totally recall what the fix was, but I would say try to import again and follow closely the file type this procedure says. I really hope I found the right site, and this does not end up wasting your time. Please reply and let me know if it fixes your issue. Oh; also i did not have to convert certificate types. I know what you are talking about, and have had to do it for some other task. Just follow the procedures in the link above, and see if it works for you.

maverick
  • 43
  • Thanks for the reply, I gave this another shot today, but I reinstalled ubuntu to start from scratch since I have no idea how badly i screwed up the system with my last attempt...

    I did notice that the version of Fiddler the link says to DL is Fiddler 4 and the Fiddler I had working before was the beta that is from the Fiddler site (the export cert buttons are in different spots between the 2 versions)

    So, from a fresh install of 16.04 I followed the instructions in your link. Everything went smoothly except for a few things:

     – Ryan Mar 29 '17 at 01:35
  • When setting up the location to DL Fiddler via terminal the instructions say to type this in Terminal: echo “deb http://download.mono-project.com/repo/debian wheezy main” I had to omit the " marks and also had to add a '/' to the end of 'debian', then it worked.

    • When I got through everything, I could connect to Google with FF with Fiddler running and FF using 127.0.0.1 as a proxy. However, I couldn't see HTTPS traffic in Fiddler -- just all the HTTP calls!

    I went back to make sure the 'Capture HTTPS' was checked - it was.

    This is were I am at right now.

    – Ryan Mar 29 '17 at 01:36
  • Since my goal is to view HTTPS google-analytic traffic that is sent not by FF I went ahead to see if I could update the system certificates.

    I have since undone all of this since it ended up not working at all (kept getting 'connection not secure' messages when I went to Google), but here are some things I did/tried:

    • I couldn't import the CER file Fiddler exported to the desktop with update-ca-certificates - it said the PEM does not contain the KEY info even though I could see mono accept the file and install it.
     – Ryan Mar 29 '17 at 01:36

  • I used FF (which installed the CER file) I exported that cert to the desktop. Undid the import to ca-certs from the point above to get back to square 1. Imported the cert I exported from FF - no PEM warning - looks like system accepted it and also mono accepted it. Restarted. Still saw the not secure message.

  • I converted the binary CER file to a CRT file via openssl and tried to import that to the system - it took and rebuilt ca-certificate. Still saw 'Connection not secure' message.

    • – Ryan Mar 29 '17 at 01:36
  • Another try today - no real progress. When I go to Google I can see the green lock in the URL bar. If I hover over it, it says it is a secure connection and has been verified by the Fiddler certificate. So the certificate it being used, but not fully trusted???? – Ryan Mar 30 '17 at 00:51
  • I remembered a bit more about what I did; the window which opens up for you to select the certificate does not recognize the file type of what is created, and that is why you have use a different option and load the file as that ( I really wish I remembered more ) I think you are getting stuck because you think you have import it as a certificate and that is right, but that is not how the fiddler software window is named and organized. Nothing against the software, I love it and love it even more on Ubuntu; just saying it how it is. I wish I could be of more help. – maverick Mar 31 '17 at 12:38
  • Ryan- Using the cert in its original format is the solution, since it forces you to use the right option when you are trying to add it to the browser. I don't seem to find the link which stated exactly how to populate the Cert, but what I do recall is that I did not populate it as a normal server certificate, rather I used one of the other tabs. Once you select the right tab, you can see the cert file on your desktop. I am telling you changing it to the Linux acceptable format with Openssl is the wrong thing to do while it makes perfect sense to do it. – maverick Apr 03 '17 at 14:40