The certificate has expired. How can I obtain a new one? #916

Open
workcheng opened this issue Jan 3, 2025 · 46 comments

Comments

@workcheng

image

@aaggarwal-sumo

Same query I also had.

@lucashimpens

Also have the same problem.

@msd955

msd955 commented Jan 3, 2025

I have the same problem.
I am using the Python version of browsermob proxy. Apparently in the Python version there is no way to set up new SSL certificates.

@workcheng
Author

I've found out how to generate certificates.
https://github.com/lightbody/browsermob-proxy/tree/master/mitm

@aaggarwal-sumo

> I've found out how to generate certificates. https://github.com/lightbody/browsermob-proxy/tree/master/mitm

Is it possible to share the exact steps? I'm not sure if I am doing it correctly when I followed the above link.

@praveenthumbur

Can you share the steps for how to generate a new certificate (ca-certificate-ec.cer)? Or has anyone generated a new certificate? Can you share it with me?

@workcheng
Author

@praveenthumbur

Hi @workcheng,
Shared certificate is not working. When I set the proxy, getting Server Error.
This certificate worked fine for the last 3 years without any issues. Suddenly it's not working. Getting expired issue.
https://github.com/lightbody/browsermob-proxy/blob/master/browsermob-core/src/main/resources/sslSupport/ca-certificate-ec.cer

@aaggarwal-sumo

aaggarwal-sumo commented Jan 7, 2025

Yes shared certificate not working:

```
curl --cacert ca-certificate-ec.cer --verbose --proxy localhost:8081 https://www.google.com/
* Host localhost:8081 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8081...
* Connected to localhost (::1) port 8081
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< Connection: keep-alive
< Via: 1.1 browsermobproxy
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: ca-certificate-ec.cer
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

@workcheng
Author

> Hi @workcheng, Shared certificate is not working. When I set the proxy, getting Server Error. This certificate worked fine for the last 3 years without any issues. Suddenly it's not working. Getting expired issue. https://github.com/lightbody/browsermob-proxy/blob/master/browsermob-core/src/main/resources/sslSupport/ca-certificate-ec.cer

The certificate has expired. You should generate paired certificates in this way, update the program, and then install the newly generated certificate.cer into the browser:
https://github.com/lightbody/browsermob-proxy/tree/master/mitm#generating-and-saving-root-certificates

@workcheng
Author

> Yes shared certificate not working:

The certificate has expired. You should generate paired certificates in this way, update the program, and then install the newly generated certificate.cer into the browser:
https://github.com/lightbody/browsermob-proxy/tree/master/mitm#generating-and-saving-root-certificates

@praveenthumbur

Hi @workcheng ,
I'm not using this code in my project. I'm using only this certificate in my project using below steps.

  1. Download ca-certificate-ec.cer in my iOS mobile.
  2. Install certificate in General -> VPN Device management -> Install it
  3. Trust certificate
  4. Start Browsermob proxy in my code and test my app.
  5. All events are captured and saved in har file.

I need this certificate only. Could you please help with the steps for how to generate this certificate?
What command is used for generating this certificate?
Do we need to download this code?
@workcheng Do you have code with you for generating a new certificate? Can you share it with me?

@workcheng
Author

try this:
tmp.zip
Replace the files with the same names under the ssl-support file.

@niha55

niha55 commented Jan 9, 2025

Has anybody found a workaround for this issue?

@workcheng
Author

> try this: tmp.zip Replace the files with the same names under the ssl-support file.

try this:
ssl-support.zip

@workcheng
Author

workcheng commented Jan 10, 2025

> try this: ssl-support.zip

```
$ curl --cacert ./ca-certificate-rsa.cer --verbose --proxy 127.0.0.1:8080 https://cn.bing.com
*   Trying 127.0.0.1:8080...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to cn.bing.com:443
> CONNECT cn.bing.com:443 HTTP/1.1
> Host: cn.bing.com:443
> User-Agent: curl/7.78.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 404 Not Found
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 1281
< Server: Jetty(7.x.y-SNAPSHOT)
<
* Received HTTP code 404 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 404 from proxy after CONNECT
```

@praveenthumbur

Hi @workcheng,
Can you give the ca-certificate-ec.cer and ca-keystore-ec.p12 files too?

@workcheng
Author

ok:
ssl-support.zip

@praveenthumbur

It's not working @workcheng. Getting not verified error
Screenshot 2025-01-10 at 07 54 38

@workcheng
Author

> It's not working @workcheng. Getting not verified error Screenshot 2025-01-10 at 07 54 38

What was the prompt when the original certificate was installed? This is a self-signed certificate. Isn't it normal that it didn't pass the verification?

@praveenthumbur

Old original certificate
Screenshot 2025-01-10 at 08 35 07

@praveenthumbur

praveenthumbur commented Jan 10, 2025

@workcheng Shared ca-certificate-ec.cer has RSA encryption instead of Elliptic Curve Public Key.
Original
Screenshot 2025-01-10 at 08 42 17
Shared one
Screenshot 2025-01-10 at 08 39 12
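
Added example (not part of the thread or of BrowserMob Proxy's own code): the two properties the comments above compare by screenshot, public-key algorithm and validity period, can be read from a certificate file with `openssl`. The sample CAs are generated locally so no shared private key is involved; their file names and subject are constructed, and PEM encoding is assumed.

```shell
#!/bin/sh
# Added example: report the public-key algorithm and remaining validity of a
# PEM certificate. File names and the subject below are constructed.

# key_algorithm FILE -> prints EC, RSA or OTHER
key_algorithm() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        id-ecPublicKey) echo EC ;;
        rsaEncryption)  echo RSA ;;
        *)              echo OTHER ;;
    esac
}

# expiry_status FILE WINDOW_SECONDS -> prints valid, expiring or unreadable.
# "expiring" means notAfter falls within WINDOW_SECONDS from now (0 = already expired).
expiry_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo expiring
    fi
}

# make_test_ca DIR ec|rsa DAYS -> writes DIR/<kind>-key.pem and DIR/<kind>-ca.pem
# (a self-signed CA used only as sample input for the checks above)
make_test_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    if [ "$2" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2-key.pem"
    else
        openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
    fi
    openssl req -new -x509 -config "$1/ca.cnf" -key "$1/$2-key.pem" \
        -sha256 -days "$3" -out "$1/$2-ca.pem"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

make_test_ca "$tmp" ec 3650   # long-lived EC P-256 CA
make_test_ca "$tmp" rsa 1     # RSA CA that expires in one day

# Flag anything that expires within the next two days (172800 seconds).
for f in "$tmp/ec-ca.pem" "$tmp/rsa-ca.pem"; do
    echo "$(basename "$f"): $(key_algorithm "$f"), $(expiry_status "$f" 172800)"
done
```

Running `key_algorithm` and `expiry_status` against the certificate actually installed on the client shows whether it is the EC or RSA variant and whether it is still inside its validity period.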

@workcheng
Author

> @workcheng Shared ca-certificate-ec.cer has RSA encryption instead of Elliptic Curve Public Key. Original Screenshot 2025-01-10 at 08 42 17 Shared one Screenshot 2025-01-10 at 08 39 12

I use this for my own project on the PC side. As long as I load the new .p12 certificate when starting and the browser trusts the cer certificate, I can pass the proxy. My current program is running normally. But I don't know how to solve your problem.

@workcheng
Author

> > @workcheng Shared ca-certificate-ec.cer has RSA encryption instead of Elliptic Curve Public Key. Original Screenshot 2025-01-10 at 08 42 17 Shared one Screenshot 2025-01-10 at 08 39 12
>
> I use this for my own project on the PC side. As long as I load the new .p12 certificate when starting and the browser trusts the cer certificate, I can pass the proxy. My current program is running normally. But I don't know how to solve your problem.

I generated this certificate using the certificate generated by my tool. I guess that if I want this to pass the verification, I need to generate this certificate using a certificate that is trusted by the root certificate.

@praveenthumbur

@workcheng Is it possible to generate the certificate with root certificate?

@artsab

artsab commented Jan 11, 2025

browsermob-proxy-2.1.5-bin.zip
build with updated certs

@praveenthumbur

> browsermob-proxy-2.1.5-bin.zip build with updated certs

@artsab This file, ca-certificate-ec.cer, is not there. Could you please generate this certificate and share it here?
I tried other certificates; it's not working.

@artsab

artsab commented Jan 12, 2025

Yes, sorry.
certs.zip
```
sudo mkdir /sslSupport
unzip certs.zip
sudo mv certificate.cer /sslSupport
sudo mv private-key.pem /sslSupport
```

Cert and key path hardcoded
Screenshot from 2025-01-12 20-01-29

@praveenthumbur

@artsab Not working. Could you please generate this file and share it to me ca-certificate-ec.cer. You have shared RSA encryption, I required ECC. If possible generate and share this certificate ca-certificate-ec.cer

@artsab

artsab commented Jan 12, 2025

ecc.zip

@praveenthumbur

@artsab Tried this. Still not working. Not getting the internet while connecting the proxy. Not sure why it's not working.

@jekson0702

@praveenthumbur the same problem. Added these certificates and still have no connection

@praveenthumbur

praveenthumbur commented Jan 14, 2025

Hi,
Anyone generated certificate(ca-certificate-ec.cer) and it worked for them? Can you share it?

@workcheng
Author

> Hi, Anyone generated certificate(ca-certificate-ec.cer) and it worked for them? Can you share it?

Can you provide a small demo to reproduce the problem that occurs in the usage scenario of your project? The ones I generated on my end work fine in my project.

@sankarnadendla

> I've found out how to generate certificates. https://github.com/lightbody/browsermob-proxy/tree/master/mitm

Hi @workcheng, I am facing the same issue and will try to complete the doc you have shared. I have one question: does it generate a new cert every time we generate the proxy and do we have same to import it in the browser?

@workcheng
Author

> > I've found out how to generate certificates. https://github.com/lightbody/browsermob-proxy/tree/master/mitm
>
> Hi @workcheng, I am facing the same issue and will try to complete the doc you have shared. I have one question: does it generate a new cert every time we generate the proxy and do we have same to import it in the browser?

You can generate a long-term certificate, replace the original configuration, and then import the new certificate into the browser. This only needs to be done once per computer.

@niha55

niha55 commented Jan 20, 2025

One solution for this is to migrate to BrowserUp proxy. It is continuation of the same utility with updated changes. They have updated the expired certification as well.

@jekson0702

BrowserUp use the same certificate and it is expired

@niha55

niha55 commented Jan 20, 2025

Nope. There is one more BrowserUp utility. The one you are referring to has been discontinued.

@praveenthumbur

praveenthumbur commented Jan 20, 2025

@niha55 BrowserUp Certificate worked for you? Can you share the link for certificate?

@praveenthumbur

> > Hi, Anyone generated certificate(ca-certificate-ec.cer) and it worked for them? Can you share it?
>
> Can you provide a small demo to reproduce the problem that occurs in the usage scenario of your project? The ones I generated on my end work fine in my project.

Sure. I will send the steps here.

@niha55

niha55 commented Jan 20, 2025

@praveenthumbur

Hi @niha55 ,

Browserup-proxy is not similar. Har file generation logic is different from BrowserMob Proxy.

@praveenthumbur

> > > Hi, Anyone generated certificate(ca-certificate-ec.cer) and it worked for them? Can you share it?
> >
> > Can you provide a small demo to reproduce the problem that occurs in the usage scenario of your project? The ones I generated on my end work fine in my project.
>
> Sure. I will send the steps here.

Step 1: Start the BrowserMob Proxy in the server with specific Port
Step 2: Install ca-certificate-ec.cer in iOS Mobile
Step 3: Install the app and test it
Step 4: Collect har file
Step 5: Stop the BrowserMob Proxy

@sankarnadendla

> > > I've found out how to generate certificates. https://github.com/lightbody/browsermob-proxy/tree/master/mitm
> >
> > Hi @workcheng, I am facing the same issue and will try to complete the doc you have shared. I have one question: does it generate a new cert every time we generate the proxy and do we have same to import it in the browser?
>
> You can generate a long-term certificate, replace the original configuration, and then import the new certificate into the browser. This only needs to be done once per computer.

@workcheng I have generated a new long-term certificate and I have restored the original configuration and have imported the new certificate into the Firefox browser, but I am getting the below error in the server logs. Can you please advise me if you happen to know how to resolve this issue?

```
SEVERE [LittleProxy-0-ClientToProxyWorker-3] org.littleshoot.proxy.impl.ProxyConnectionLogger$LocationAwareLogggerDispatch.doLog (AWAITING_INITIAL) [id: 0x8ae405eb, L:0.0.0.0/0.0.0.0:52154 ! R:/10.228.0.221:64818]: Caught an exception on ClientToProxyConnection
	io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
		at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
		at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
		at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
		at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
		at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
		at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
		at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:732)
		at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:658)
		at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
		at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
		at java.lang.Thread.run(Thread.java:748)
	Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
```

@praveenthumbur

https://github.com/valfirst/browserup-proxy/

Thank you @niha55 for helping. This is working for us.
