Question

I'm having trouble getting mitmproxy to work with the ec2-api-tools.

In one terminal, I did this:

$ mitmproxy -p 8080

And in another, I did:

$ export EC2_JVM_ARGS="-DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=8080 -Dhttps.proxySet=true -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=8080"
$ ec2-describe-instances

I get the following error:

Unexpected error:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
    at org.apache.commons.httpclient.contrib.amazon.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:369)
    at org.apache.commons.httpclient.contrib.amazon.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:241)
    at org.apache.commons.httpclient.HttpConnection.tunnelCreated(HttpConnection.java:786)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.tunnelCreated(MultiThreadedHttpConnectionManager.java:1521)
    at org.apache.commons.httpclient.HttpMethodDirector.executeConnect(HttpMethodDirector.java:514)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:391)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.codehaus.xfire.transport.http.CommonsHttpMessageSender.send(CommonsHttpMessageSender.java:369)
    at org.codehaus.xfire.transport.http.HttpChannel.sendViaClient(HttpChannel.java:123)
    at org.codehaus.xfire.transport.http.HttpChannel.send(HttpChannel.java:48)
    at org.codehaus.xfire.handler.OutMessageSender.invoke(OutMessageSender.java:26)
    at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
    at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:79)
    at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:114)
    at org.codehaus.xfire.client.Client.invoke(Client.java:336)
    at org.codehaus.xfire.client.XFireProxy.handleRequest(XFireProxy.java:77)
    at org.codehaus.xfire.client.XFireProxy.invoke(XFireProxy.java:57)
    at com.sun.proxy.$Proxy12.describeInstances(Unknown Source)
    at com.amazon.aes.webservices.client.Jec2Impl.describeInstances(Jec2Impl.java:1517)
    at com.amazon.aes.webservices.client.Jec2Impl.describeInstances(Jec2Impl.java:1492)
    at com.amazon.aes.webservices.client.cmd.DescribeInstances.invokeOnline(DescribeInstances.java:58)
    at com.amazon.aes.webservices.client.cmd.BaseCmd.invoke(BaseCmd.java:1040)
    at com.amazon.aes.webservices.client.cmd.DescribeInstances.main(DescribeInstances.java:67)

I'm running on OS X, and I've configured keychain to trust the mitmproxy-ca-cert.pem certificate.


Solution

Thanks to Thomas Orozco's answer and this mitmproxy issue:

sudo keytool -importcert -alias mitmproxy -storepass "changeit" \
  -keystore /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts \
  -trustcacerts -file ~/.mitmproxy/mitmproxy-ca-cert.pem

Other tips

You have to add the MITM proxy certificate to the certificate store that Java is using, which might not be OS X's keychain.

You should be able to use keytool for this: http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
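
Added example, not part of the original answers: instead of importing the mitmproxy CA into the system-wide cacerts, where every Java program on the machine would then trust it, this imports it into a private copy and points only the ec2 tools' JVM at that copy. The function names and the output path are illustrative, and it assumes the tools use the JVM's default trust store, so that the standard javax.net.ssl.trustStore property applies.

```shell
#!/bin/sh
# Added example. Function names and the output path are illustrative assumptions.

# Copy the JVM's cacerts and import the mitmproxy CA into the copy only,
# leaving the system-wide trust store untouched (no sudo needed).
#   $1 = source cacerts   $2 = mitmproxy CA PEM   $3 = private trust store to create
make_debug_truststore() {
    src=$1; ca=$2; out=$3
    [ -r "$src" ] || { echo "cannot read trust store: $src" >&2; return 1; }
    [ -r "$ca" ] || { echo "cannot read CA certificate: $ca" >&2; return 1; }
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }
    # cacerts is usually read-only; make the copy writable by its owner only.
    cp "$src" "$out" || return 1
    chmod 600 "$out" || return 1
    keytool -importcert -noprompt -alias mitmproxy -storepass "changeit" \
        -keystore "$out" -trustcacerts -file "$ca"
}

# Print JVM arguments that send traffic through the proxy and point the
# default trust store at the private copy.
#   $1 = proxy host   $2 = proxy port   $3 = private trust store
jvm_proxy_args() {
    # EC2_JVM_ARGS is one space-separated string, so a path containing a
    # space could be split into two arguments.
    case $3 in
        *" "*) echo "trust store path must not contain spaces" >&2; return 1 ;;
    esac
    printf '%s %s %s %s %s %s %s %s' \
        "-DproxySet=true" "-DproxyHost=$1" "-DproxyPort=$2" \
        "-Dhttps.proxySet=true" "-Dhttps.proxyHost=$1" "-Dhttps.proxyPort=$2" \
        "-Djavax.net.ssl.trustStore=$3" \
        "-Djavax.net.ssl.trustStorePassword=changeit"
}

# Usage, with the cacerts path from the answer above:
#   make_debug_truststore \
#     /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts \
#     "$HOME/.mitmproxy/mitmproxy-ca-cert.pem" "$HOME/.mitmproxy/debug-cacerts.jks"
#   export EC2_JVM_ARGS="$(jvm_proxy_args 127.0.0.1 8080 "$HOME/.mitmproxy/debug-cacerts.jks")"
#   ec2-describe-instances
```

Deleting the private trust store and unsetting EC2_JVM_ARGS after the debugging session removes the interception CA from the tools' trust again.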

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow