This doc is best viewed in a wide preview.
Many enterprise IT departments provide a proxy server and a local Certificate Authority (CA) for security and inspection.
In that environment, tools (e.g. package managers and HTTP libraries) often cannot get through the proxy or fail to verify the SSL certificate, and raise errors like:
- Proxy Error
- W: Failed to fetch
- Proxy Authentication Required
- SSL Error
- Certificate verification failed
- [SSL: CERTIFICATE_VERIFY_FAILED]
- SSLError
- SSLCertVerificationError
- SSL certificate problem
- error self signed certificate in certificate chain
This memorandum lists the proxy and CA settings for some tools.
Some settings are redundant because one tool depends on another.
Send me a PR if you know other settings.
Many tools refer to the following environment variables.
```sh
# Some tools may need upper case variables.
$ export http_proxy=your_proxy_server
$ export https_proxy=your_proxy_server
$ export no_proxy=localhost,127.0.0.1,::1,*.local
```
tool | Setting | Reference |
---|---|---|
apt | `$ sudo vi /etc/apt/apt.conf.d/80proxy`<br>`Acquire::http::proxy "your_proxy_server";`<br>`Acquire::https::proxy "your_proxy_server";` | ubuntu |
yum | `$ sudo vi /etc/yum.conf`<br>`proxy=your_proxy_server` | - |
docker | `$ vi ~/.docker/config.json`<br>`{ "proxies": { "default": { "httpProxy": "your_proxy_server", "httpsProxy": "your_proxy_server", "noProxy": "localhost,127.0.0.1,::1,*.local" } } }`<br>`$ sudo service docker restart` | docker |
git | `$ git config --global http.proxy your_proxy_server`<br>`$ git config --global https.proxy your_proxy_server` | git-scm |
gradle | `$ vi ~/.gradle/gradle.properties`<br>`systemProp.http.proxyHost=your_proxy_server`<br>`systemProp.http.proxyPort=port`<br>`systemProp.https.proxyHost=your_proxy_server`<br>`systemProp.https.proxyPort=port` | gradle |
Many tools refer to the following environment variables.
```sh
$ export REQUESTS_CA_BUNDLE=/your/cafile.crt
$ export SSL_CERT_FILE=/your/cafile.crt
$ export NODE_EXTRA_CA_CERTS=/your/cafile.crt
```
tool | Set ca file (Recommended) | Ignore SSL (Deprecated) | Reference |
---|---|---|---|
apt | `$ sudo cp /your/cafile.crt /usr/local/share/ca-certificates/`<br>`$ sudo update-ca-certificates` | - | ubuntu |
curl | a) `export CURL_CA_BUNDLE=/your/cafile.crt`<br>b) or use `--cacert` option | use `-k`/`--insecure` option | curl |
git | `git config --global http.sslCAInfo /your/cafile.crt` | `git config --global http.sslVerify false` | git-scm |
Python | - | - | - |
pip | a) `pip config set global.cert /your/cafile.crt`<br>b) or use `--cert` option<br>c) or set env: `PIP_CERT`, `REQUESTS_CA_BUNDLE`, or `CURL_CA_BUNDLE` | a) `pip config set global.trusted-host pypi.org\ pypi.python.org\ files.pythonhosted.org`<br>b) or use `--trusted-host` option | pypa |
urllib | `ctx = ssl.create_default_context()`<br>`ctx.load_verify_locations('/your/cafile.crt')`<br>`u = urllib.request.urlopen('url', context=ctx)` | `ctx = ssl.SSLContext()`<br>`ctx.verify_mode = ssl.CERT_NONE`<br>`u = urllib.request.urlopen('url', context=ctx)` | python |
conda | `conda config --set ssl_verify /your/cafile.crt` | `conda config --set ssl_verify False` | conda |
- | - | - | - |
Ruby / gem | copy `cafile.crt` to `/path/to/ruby{ver}/lib/ruby/{ver}/rubygems/ssl_certs` | `$ gem sources --add http://rubygems.org`<br>`$ gem sources --remove https://rubygems.org` | rubygems |
Node | - | - | - |
Node.js | `export NODE_EXTRA_CA_CERTS=/your/cafile.crt` | `export NODE_TLS_REJECT_UNAUTHORIZED=0` | nodejs |
npm | `npm config set cafile /your/cafile.crt` | `npm config set strict-ssl false` | npmjs |
yarn | `yarn config set cafile /your/cafile.crt` | `yarn config set strict-ssl false` | |
- | - | - | - |
AWS CLI | a) `aws configure set ca_bundle /your/cafile.crt`<br>b) or use `--ca-bundle` option<br>c) or set env: `AWS_CA_BUNDLE` | use `--no-verify-ssl` option | amazon |
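
Settings from the Ignore SSL column tend to stay in place after the CA file has been configured. The following added example (not part of the original list) scans config file contents and environment variables for them; the file names and on-disk formats are assumptions about where each tool stores the value set by the commands in the table, and the sample inputs are constructed.

```python
import re

def rule(tool, filename, body):
    # Anchor each pattern to a single config line, case-insensitively.
    return tool, filename, re.compile(r"^[ \t]*" + body + r"[ \t]*$", re.I | re.M)

# Assumed on-disk form of each "Ignore SSL" command from the table above.
INSECURE_FILE_RULES = [
    rule("git", ".gitconfig", r"sslVerify[ \t]*=[ \t]*(false|no|off|0)"),
    rule("npm", ".npmrc", r"strict-ssl[ \t]*=[ \t]*false"),
    rule("yarn", ".yarnrc", r'strict-ssl[ \t]+"?false"?'),
    rule("conda", ".condarc", r"ssl_verify[ \t]*:[ \t]*false"),
    rule("pip", "pip.conf", r"trusted-host[ \t]*=.*"),
]

def find_insecure_settings(files, env):
    """files: {file name: text}; env: mapping such as os.environ.
    Returns (tool, location, offending line) tuples in rule order."""
    findings = []
    for tool, name, pattern in INSECURE_FILE_RULES:
        match = pattern.search(files.get(name, ""))
        if match:
            findings.append((tool, name, match.group(0).strip()))
    if env.get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
        findings.append(("node", "env", "NODE_TLS_REJECT_UNAUTHORIZED=0"))
    return findings

# Constructed sample: CA file configured everywhere, but three bypasses left behind.
SAMPLE_FILES = {
    ".gitconfig": "[http]\n\tsslCAInfo = /your/cafile.crt\n\tsslVerify = false\n",
    ".npmrc": "cafile=/your/cafile.crt\nstrict-ssl=true\n",
    ".condarc": "ssl_verify: /your/cafile.crt\n",
    "pip.conf": "[global]\ncert = /your/cafile.crt\n"
                "trusted-host = pypi.org files.pythonhosted.org\n",
}
SAMPLE_ENV = {
    "NODE_EXTRA_CA_CERTS": "/your/cafile.crt",
    "NODE_TLS_REJECT_UNAUTHORIZED": "0",
}

if __name__ == "__main__":
    for tool, where, line in find_insecure_settings(SAMPLE_FILES, SAMPLE_ENV):
        print(f"{tool:6} {where:11} {line}")
```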