browsermob-proxy

Getting `CERT_TRUST_REVOCATION_STATUS_UNKNOWN` with `BrowserMobProxyServer` defaults or dynamically generated certificate

Open joffrey-bion opened this issue 1 year ago • 0 comments

I'm using the default proxy config:

```kotlin
BrowserMobProxyServer().start(53021)
```

And I extracted `ca-certificate-rsa.cer` from the BrowserMob resources.

Running the following `curl` command, I'm getting `CERT_TRUST_REVOCATION_STATUS_UNKNOWN`:

```console
$ curl -v --cacert "ca-certificate-rsa.cer" -x "http://localhost:53021" "https://ip.oxylabs.io"
* Host localhost:53021 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:53021...
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to ip.oxylabs.io:443
> CONNECT ip.oxylabs.io:443 HTTP/1.1
> Host: ip.oxylabs.io:443
> User-Agent: curl/8.10.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Connection: keep-alive
< Via: 1.1 browsermobproxy
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* schannel: disabled automatic use of client certificate
* schannel: added 1 certificate(s) from CA file 'ca-certificate-rsa.cer'
* schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
* closing connection #0
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```

I looked into the certificate itself using `openssl x509 -in ca-certificate-rsa.cer -text -noout`, and I can indeed find no revocation information (neither OCSP nor CRL Distribution Points info).

I tried to instead generate the CA certificate on the fly by following the MITM README:

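```kotlin
import java.io.File
import net.lightbody.bmp.BrowserMobProxy
import net.lightbody.bmp.BrowserMobProxyServer
import net.lightbody.bmp.mitm.RootCertificateGenerator
import net.lightbody.bmp.mitm.manager.ImpersonatingMitmManager

fun main() {
    // Generate a new root CA and save its certificate for the client to trust
    val rootCertificateGenerator = RootCertificateGenerator.builder().build()
    rootCertificateGenerator.saveRootCertificateAsPemFile(File("./temp-proxy-cert.pem"))

    // Have the proxy sign the impersonated server certificates with that root CA
    val mitmManager = ImpersonatingMitmManager.builder()
        .rootCertificateSource(rootCertificateGenerator)
        .build()

    val server: BrowserMobProxy = BrowserMobProxyServer()
    server.setMitmManager(mitmManager)
    server.start(53021)
}
```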

But I still get the same `CERT_TRUST_REVOCATION_STATUS_UNKNOWN` error with `curl -v --cacert temp-proxy-cert.pem -x "http://localhost:53021" "https://ip.oxylabs.io"`.

I'm quite a beginner with proxies. Is there something obvious that I'm doing wrong?

joffrey-bion • Nov 03 '24 19:11
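
The check described in the post (looking for CRL Distribution Points and OCSP entries in a certificate) can also be scripted. The following Python code is an added example, not part of the original issue or of BrowserMob Proxy: it walks a DER certificate and returns the revocation URLs it advertises. The function names are hypothetical, and `SAMPLE` with its `.test` URLs is constructed.

```python
OID_CRL_DP = bytes.fromhex("551d1f")          # 2.5.29.31 cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def tlvs(buf):
    """Yield (tag, value) for each DER element directly inside buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits count the length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def uris(buf):
    """Collect GeneralName URIs ([6], tag 0x86) at any depth under buf."""
    out = []
    for tag, val in tlvs(buf):
        if tag == 0x86:
            out.append(val.decode("ascii"))
        elif tag & 0x20:  # constructed element: descend
            out += uris(val)
    return out

def revocation_pointers(der):
    """Return the CRL and OCSP URLs a DER certificate advertises."""
    found = {"crl": [], "ocsp": []}
    tbs = next(tlvs(next(tlvs(der))[1]))[1]  # Certificate -> tbsCertificate
    for tag, val in tlvs(tbs):
        if tag != 0xA3:  # only [3] EXPLICIT Extensions matters here
            continue
        for _, ext in tlvs(next(tlvs(val))[1]):
            fields = [v for _, v in tlvs(ext)]  # extnID, [critical], extnValue
            if fields[0] == OID_CRL_DP:
                found["crl"] += uris(fields[-1])
            elif fields[0] == OID_AIA:
                for _, ad in tlvs(next(tlvs(fields[-1]))[1]):
                    (_, method), (kind, loc) = tlvs(ad)
                    if method == OID_OCSP and kind == 0x86:
                        found["ocsp"].append(loc.decode("ascii"))
    return found

# Constructed sample: extension skeleton only, not a valid certificate.
SAMPLE = bytes.fromhex(
    "305d305ba3593057 3027 0603551d1f 0420301e301ca01aa0188616 687474703a2f2f63726c2e746573742f63612e63726c"
    "302c 06082b06010505070101 0420301e301c 06082b06010505073001 8610 687474703a2f2f6f6373702e74657374")
```

To run it on a PEM file such as `ca-certificate-rsa.cer`, convert the text to DER first with `ssl.PEM_cert_to_DER_cert()` from the standard library; two empty lists correspond to the "no revocation information" finding in the post.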