How to configure a TLS-in-TLS proxy#
If you need to set https_proxy
to a proxy that uses https://
(a
practice commonly referred to as “TLS-in-TLS”), you need to follow a few extra
steps to ensure all Ubuntu Pro actions work correctly.
Support for TLS-in-TLS proxying was added in version 28.1 of the Ubuntu Pro Client, and is supported by the Ubuntu Pro Client on Ubuntu 18.04 and later.
Install the pycurl dependency#
For TLS-in-TLS proxying, pro
switches to using pycurl
– but
pycurl
may not be installed by default on your machine. To install it, run:
sudo apt install python3-pycurl
If you don’t do this and try to set the TLS-in-TLS proxy anyway, you will get an error that looks like this:
To use an HTTPS proxy for HTTPS connections, please install pycurl with
``apt install python3-pycurl``
Ensure the proxy’s HTTPS certificate will be trusted by Livepatch#
Tip
You can skip this step if you don’t plan to use Livepatch.
Livepatch requires configuration separate from the rest of the Ubuntu system for trusting certificates. Even if your proxy’s certificate is signed by a well known certificate authority (CA), it may not be trusted by Livepatch by default.
To ensure Livepatch will trust your proxy’s certificate, first pre-install the
livepatch-client
:
sudo snap install canonical-livepatch
Then download the certificate of your proxy (or of the CA) in PEM format and
configure livepatch-client
to trust it:
sudo canonical-livepatch config ca-certs=@stdin < /path/to/certificate.pem
Verify the PEM contents are present and accurate under the ca-certs
field
by running:
sudo canonical-livepatch config
Set the HTTPS proxy via the pro config
command#
Now that everything else is set up, you can configure the Ubuntu Pro Client to use the TLS-in-TLS proxy:
sudo pro config https_proxy=https://your.proxy.here:1234
Success!#
Now with the TLS-in-TLS proxy configured, you can configure any other proxies you need and then use your Ubuntu Pro token to attach your machine.