How to configure a TLS-in-TLS proxy#
Support for TLS-in-TLS proxying was added in version 28.1 of the Ubuntu Pro Client.
TLS-in-TLS is only supported by the Ubuntu Pro Client on Ubuntu 18.04 and later.
If you need to set
https_proxy to a proxy that uses
https:// (a practice commonly referred to as “TLS-in-TLS”), you need to follow a few extra steps to ensure all Ubuntu Pro actions work correctly.
Install the pycurl dependency#
For TLS-in-TLS proxying,
pro switches to using
pycurl – but
pycurl may not be installed by default on your machine. To install it, run:
sudo apt install python3-pycurl
If you don’t do this and try to set the TLS-in-TLS proxy anyway, you will get an error that looks like this:
To use an HTTPS proxy for HTTPS connections, please install pycurl with `apt install python3-pycurl`
Ensure the proxy’s HTTPS certificate will be trusted by Livepatch#
You can skip this step if you don’t plan on using Livepatch.
Livepatch requires configuration separate from the rest of the Ubuntu system for trusting certificates. Even if your proxy’s certificate is signed by a well known certificate authority (CA), it may not be trusted by Livepatch by default.
To ensure Livepatch will trust your proxy’s certificate, first pre-install the livepatch-client:
sudo snap install canonical-livepatch
Then download the certificate of your proxy (or of the CA) in PEM format and configure livepatch-client to trust it:
sudo canonical-livepatch config ca-certs=@stdin < /path/to/certificate.pem
Verify the PEM contents are present and accurate under the
ca-certs field by running:
sudo canonical-livepatch config
Set the HTTPS proxy via the
pro config command#
Now that everything else is set up, you can configure the Ubuntu Pro Client to use the TLS-in-TLS proxy:
sudo pro config https_proxy=https://your.proxy.here:1234